deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-18 20:03:40 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update exploit-protection.md

Browse Source
This commit is contained in:
Denise Vangel-MSFT
2020-08-28 13:01:43 -07:00
parent 617d5de872
commit d3f280fd0b
1 changed files with 57 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

116
windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
View File

@ -36,10 +36,10 @@ When a mitigation is encountered on the device, a notification will be displayed
You can also use [audit mode](evaluate-exploit-protection.md) to evaluate how exploit protection would impact your organization if it were enabled.
Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Exploit protection](emet-exploit-protection.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10.
Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection. In fact, you can convert and import existing your EMET configuration profiles into exploit protection. To learn more, see [Import, export, and deploy exploit protection configurations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml).
> [!IMPORTANT]
> If you are currently using EMET you should be aware that [EMET reached end of support on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10.
> If you are currently using EMET you should be aware that [EMET reached end of support on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). Consider replacing EMET with exploit protection in Windows 10.
> [!WARNING]
> Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender.md) before deploying the configuration across a production environment or the rest of your network.
@ -61,34 +61,34 @@ DeviceEvents
You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:
Provider/source | Event ID | Description
-|-|-
Security-Mitigations | 1 | ACG audit
Security-Mitigations | 2 | ACG enforce
Security-Mitigations | 3 | Do not allow child processes audit
Security-Mitigations | 4 | Do not allow child processes block
Security-Mitigations | 5 | Block low integrity images audit
Security-Mitigations | 6 | Block low integrity images block
Security-Mitigations | 7 | Block remote images audit
Security-Mitigations | 8 | Block remote images block
Security-Mitigations | 9 | Disable win32k system calls audit
Security-Mitigations | 10 | Disable win32k system calls block
Security-Mitigations | 11 | Code integrity guard audit
Security-Mitigations | 12 | Code integrity guard block
Security-Mitigations | 13 | EAF audit
Security-Mitigations | 14 | EAF enforce
Security-Mitigations | 15 | EAF+ audit
Security-Mitigations | 16 | EAF+ enforce
Security-Mitigations | 17 | IAF audit
Security-Mitigations | 18 | IAF enforce
Security-Mitigations | 19 | ROP StackPivot audit
Security-Mitigations | 20 | ROP StackPivot enforce
Security-Mitigations | 21 | ROP CallerCheck audit
Security-Mitigations | 22 | ROP CallerCheck enforce
Security-Mitigations | 23 | ROP SimExec audit
Security-Mitigations | 24 | ROP SimExec enforce
WER-Diagnostics | 5 | CFG Block
Win32K | 260 | Untrusted Font
|Provider/source | Event ID | Description|
|---|---|---|
|Security-Mitigations | 1 | ACG audit |
|Security-Mitigations | 2 | ACG enforce |
|Security-Mitigations | 3 | Do not allow child processes audit |
|Security-Mitigations | 4 | Do not allow child processes block |
|Security-Mitigations | 5 | Block low integrity images audit |
|Security-Mitigations | 6 | Block low integrity images block |
|Security-Mitigations | 7 | Block remote images audit |
|Security-Mitigations | 8 | Block remote images block |
|Security-Mitigations | 9 | Disable win32k system calls audit |
|Security-Mitigations | 10 | Disable win32k system calls block |
|Security-Mitigations | 11 | Code integrity guard audit |
|Security-Mitigations | 12 | Code integrity guard block |
|Security-Mitigations | 13 | EAF audit |
|Security-Mitigations | 14 | EAF enforce |
|Security-Mitigations | 15 | EAF+ audit |
|Security-Mitigations | 16 | EAF+ enforce |
|Security-Mitigations | 17 | IAF audit |
|Security-Mitigations | 18 | IAF enforce |
|Security-Mitigations | 19 | ROP StackPivot audit |
|Security-Mitigations | 20 | ROP StackPivot enforce |
|Security-Mitigations | 21 | ROP CallerCheck audit |
|Security-Mitigations | 22 | ROP CallerCheck enforce |
|Security-Mitigations | 23 | ROP SimExec audit |
|Security-Mitigations | 24 | ROP SimExec enforce |
|WER-Diagnostics | 5 | CFG Block |
|Win32K | 260 | Untrusted Font |
## Mitigation comparison
@ -96,38 +96,36 @@ The mitigations available in EMET are included natively in Windows 10 (starting
The table in this section indicates the availability and support of native mitigations between EMET and exploit protection.
Mitigation | Available under Exploit protection | Available in EMET
-|-|-
Arbitrary code guard (ACG) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]<br />As "Memory Protection Check"
Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]<br/>As "Load Library Check"
Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]<br />Included natively in Windows 10<br/>See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)]
Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection<br/>See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
|Mitigation | Available under exploit protection | Available in EMET |
|---|---|---|
|Arbitrary code guard (ACG) | yes | yes<br />As "Memory Protection Check" |
|Block remote images | yes | yes<br/>As "Load Library Check" |
|Block untrusted fonts | yes | yes |
|Data Execution Prevention (DEP) | yes | yes |
|Export address filtering (EAF) | yes | yes |
|Force randomization for images (Mandatory ASLR) | yes | yes |
|NullPage Security Mitigation | yes<br />Included natively in Windows 10<br/>See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | yes |
|Randomize memory allocations (Bottom-Up ASLR) | yes | yes |
|Simulate execution (SimExec) | yes | yes |
|Validate API invocation (CallerCheck) | yes | yes |
|Validate exception chains (SEHOP) | yes | yes |
|Validate stack integrity (StackPivot) | yes | yes |
|Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | yes |
|Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection<br/>See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | yes |
|Block low integrity images | yes | no |
|Code integrity guard | yes | no |
|Disable extension points | yes | no |
|Disable Win32k system calls | yes | no |
|Do not allow child processes | yes | no |
|Import address filtering (IAF) | yes | no |
|Validate handle usage | yes | no |
|Validate heap integrity | yes | no |
|Validate image dependency integrity | yes | no |
> [!NOTE]
> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process.
>
> See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.
> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process. See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.
## Related articles
## See also
- [Protect devices from exploits](exploit-protection.md)
- [Evaluate exploit protection](evaluate-exploit-protection.md)