mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-20 09:17:25 +00:00
spacing, related topics, copy edits
This commit is contained in:
parent
db67a15639
commit
d00d6156cc
@ -80,7 +80,7 @@ From within Microsoft Defender ATP, you can update your defenses with custom ind
**Does ASR support file or folder exclusions that include system variables and wildcards in the path?**
Yes. See [Excluding files and folders from ASR rules](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for more details on excluding files or folders from ASR rules, and [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for more on using system variables and wildcards in excluded file paths.
Yes. See [Excluding files and folders from ASR rules](enable-attack-surface-reduction.md#exclude-files-and-folders-from-ASR-rules) for more details on excluding files or folders from ASR rules, and [Configure and validate exclusions based on file extension and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for more on using system variables and wildcards in excluded file paths.
**Do ASR rules cover all applications by default?**
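Review bot: the rewritten "Yes. See ..." line changes the link fragment to `#exclude-files-and-folders-from-ASR-rules`; heading anchors are generated in lowercase, so the upper-case fragment will not resolve and the original `#exclude-files-and-folders-from-asr-rules` should be kept. The path change to `../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md` matches the folder used for the compatibility link under Related topics, so that part looks right.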
@ -98,18 +98,30 @@ Try opening the indexing options directly from Windows 10.
1. Enter **Indexing options** into the search box. <!-- Where are the ASR rules specifically listed, though? -->
**For the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion* -- are these criteria configurable by an admin?**
**Are these criteria used by the rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion* configurable by an admin?**
No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep the trusted list constantly up-to-date with data gathered from around the world. Local admins do not have access to alter this data. If you are looking to configure this rule to tailor it for your enterprise, you can add certain applications to the exclusions list to prevent this rule from being triggered.
**I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. I recently updated to a new version of a piece of software and the rule is now blocking it, even though it was considered trusted before. Did something go wrong?**
**I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. After some time, I updated a piece of software, and the rule is now blocking it, even though it didn't before. Did something go wrong?**
This rule relies upon each application having a known reputation, as measured by prevalence, age, or being otherwise included on a list of trusted or excluded apps. The rule's decision to block or allow an application is ultimately determined by Microsoft cloud protection's assessment of these criteria. Usually, cloud protection can figure out that a new version of an application is similar enough to previous versions that it does not need to be re-assessed at length. However, it might take some time to build reputation after switching versions of an application, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with very new versions of applications, you may opt instead to run this rule in audit mode.
This rule relies upon each application having a known reputation, as measured by prevalence, age, or being otherwise included on a list of trusted or excluded apps. The rule's decision to block or allow an application is ultimately determined by Microsoft cloud protection's assessment of these criteria.
**I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a lot of notifications. What is going on?**
Usually, cloud protection can figure out that a new version of an application is similar enough to previous versions that it does not need to be re-assessed at length. However, it might take some time to build reputation after switching versions of an application, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with very new versions of applications, you may opt instead to run this rule in audit mode.
A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful for blocking malicious activity, since malware often target lsass.exe to gain illicit access to accounts. The lsass.exe process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate users and apply local security policies. Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can be especially noisy. If a known legitimate application causes this rule to generate an excessive amount of notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively smaller number of notifications, in comparison to this one, since calling on lsass.exe is typical of many applications' normal functioning.
**I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a large number of notifications. What is going on?**
A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful for blocking malicious activity, since malware often target lsass.exe to gain illicit access to accounts. The lsass.exe process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate users and apply local security policies.
Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can be especially noisy. If a known legitimate application causes this rule to generate an excessive amount of notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively smaller number of notifications, in comparison to this one, since calling on lsass.exe is typical of many applications' normal functioning.
**Is it a good idea to enable the rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, alongside LSA protection?**
Enabling this rule will not provide additional protection if you have [LSA protection](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe.
Enabling this rule will not provide additional protection if you have [LSA protection](https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe.
## Related topics
- [Attack surface reduction overview](attack-surface-reduction.md)
- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
- [Customize attack surface reduction rules](customize-attack-surface-reduction.md)
- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
- [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
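Review bot: the reworded question "Are these criteria used by the rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion* configurable by an admin?" leaves "these" without an antecedent and is missing the closing comma after the rule name; suggest "Are the criteria used by the rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*, configurable by an admin?". The step "1. Enter **Indexing options** into the search box." still carries the author note `<!-- Where are the ASR rules specifically listed, though? -->`; it does not render, but the open question should be answered or the comment removed before merge. Splitting the two long answers into separate paragraphs and dropping `en-us/` from the LSA protection link are fine as is.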
@ -1,6 +1,6 @@
---
title: Use attack surface reduction rules to prevent malware infection
description: Microsoft Defender ATP's attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware.
description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware.
keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
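Review bot: the shortened `description:` no longer names the product, and since the `title:` also omits it, the page's search snippet will not say which product's attack surface reduction rules are meant; the `keywords:` line still lists "Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP", so keyword search is unaffected. If the product-neutral wording is intentional, no change needed.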