mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 22:37:22 +00:00
Merged PR 8334: New wildcard support for ASR and CFA
New wildcard support for ASR and CFA
commit d88cf3606e
@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/17/2018
---

# Configure exclusions in Windows Defender AV on Windows Server
@ -55,6 +55,9 @@ In Windows Server 2016 the predefined exclusions delivered by definition updates
> [!WARNING]
> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 roles.

> [!NOTE]
> This setting is only supported on Windows Server 2016. While this setting exists in Windows 10, it doesn't have an effect on exclusions.

You can disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, and WMI.

**Use Group Policy to disable the auto-exclusions list on Windows Server 2016:**
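Review bot: the new NOTE refers to "this setting" without naming it, and because it sits directly under the WARNING about opting out, a reader can take the antecedent to be the warning rather than the auto-exclusions opt-out. Suggest naming the setting in the first sentence, e.g. `> The option to disable automatic exclusions is only supported on Windows Server 2016.`, and making the second sentence concrete: on Windows 10 the policy can be set but it changes nothing about which exclusions apply, so administrators should not expect it to do anything there.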
@ -89,9 +92,6 @@ See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)





## List of automatic exclusions
The following sections contain the exclusions that are delivered with automatic exclusions file paths and file types.

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/17/2018
---

# Deploy, manage, and report on Windows Defender Antivirus
@ -47,7 +47,7 @@ PowerShell|Deploy with Group Policy, System Center Configuration Manager, or man
Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD.

1. <span id="fn1" />The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager, current branch (for example, System Center Configuration Manager 2016) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager, current branch (2016). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for a table that describes the major differences. [(Return to table)](#ref2)
1. <span id="fn1" />The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager 2016 and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager 2016. See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)

2. <span id="fn2" />In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2)

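Review bot: the rewritten footnote 1 drops the "current branch" qualifier that the previous wording used to separate the continuously updated product from the 2012 release, so "System Center Configuration Manager 2016" now reads as if it were a version name. Suggest keeping the qualifier: `differ between System Center Configuration Manager (current branch) and System Center Configuration Manager 2012`. While the line is being touched, "The availability ... differ" should be "differs" (singular subject); the same grammar slip is in the old line.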
@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/17/2018
---


@ -42,7 +42,7 @@ ms.date: 04/30/2018
- Configuration service providers for mobile device management


Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Available in Windows 10 Enterprise E5, Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.

It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).

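Review bot: the leading clause "Available in Windows 10 Enterprise E5," is a licensing statement that this PR pastes into four separate topics; when the requirement changes it has to be found and edited in each. Suggest a single shared sentence or a link to the Exploit Guard requirements topic instead of repeating it, and, as a style point, lowercase "attack surface reduction" now that it no longer opens the sentence.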
@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/17/2018
---

# Customize Attack surface reduction
@ -35,7 +35,7 @@ ms.date: 04/30/2018
- Configuration service providers for mobile device management


Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Available in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.

This topic describes how to customize Attack surface reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.

@ -48,12 +48,14 @@ You can exclude files and folders from being evaluated by most Attack surface re
This could potentially allow unsafe files to run and infect your devices.

>[!WARNING]
>Excluding files or folders can severly reduce the protection provided by Attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
>Excluding files or folders can severely reduce the protection provided by Attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
>
>If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules).

You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode) and that allow exclusions.

Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).

Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe.

>[!IMPORTANT]
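Review bot: the added wildcard sentence links to the Windows Defender Antivirus overview page, but its link text names a specific section ("Use wildcards in the file name and folder path or extension exclusion lists"); with no anchor in the URL the reader lands on the overview and has to hunt for it. Suggest pointing the URL at the exclusions topic that actually contains that section, with its anchor. The sentence should also say what happens on versions before 1803: it only states that 1803 supports environment variables and wildcards, and the paragraph below still says exclusions apply to all rules, so a reader on 1709 is left guessing whether a wildcard entry is silently ignored or matched literally. Given the WARNING in this same hunk about exclusions producing no event, an exclusion that is broader than intended is exactly the case to spell out.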
@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/17/2018
---


@ -59,7 +59,8 @@ You can add additional folders to be protected, but you cannot remove the defaul

Adding other folders to Controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults.

You can also enter network shares and mapped drives, but environment variables and wildcards are not supported.
You can also enter network shares and mapped drives. Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).


You can use the Windows Defender Security Center app or Group Policy to add and remove additional protected folders.

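Review bot: the removed sentence stated plainly that environment variables and wildcards are not supported; the replacement says version 1803 supports them and is silent about earlier releases, so the caveat is lost for anyone on 1709. Suggest: `You can also enter network shares and mapped drives. Environment variables and wildcards are supported starting with Windows 10, version 1803; earlier versions do not support them.` Same link concern as in the Attack surface reduction topic in this PR: the URL is the Antivirus overview page with no anchor to the section the link text names.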
@ -86,8 +87,8 @@ You can use the Windows Defender Security Center app or Group Policy to add and

6. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder.

> [!IMPORTANT]
> Environment variables and wildcards are not supported.
> [!NOTE]
> Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).


### Use PowerShell to protect additional folders
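Review bot: the new NOTE repeats, word for word, the sentence this PR adds earlier in the same topic under "You can also enter network shares and mapped drives". Under the Group Policy steps a one-line cross-reference is enough, e.g. `> Windows 10, version 1803 supports environment variables and wildcards; see the note above.`, which also avoids maintaining the same external link twice in one file.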
@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/17/2018
---


@ -36,7 +36,7 @@ ms.date: 04/30/2018
- Configuration service providers for mobile device management


Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Available in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.



@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/17/2018
---


@ -36,7 +36,7 @@ ms.date: 04/30/2018
- Configuration service providers for mobile device management


Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
Available in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.

This topic describes how to enable Network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM).

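Review bot: this hunk prefixes Network protection with "Available in Windows 10 Enterprise," while the Attack surface reduction topics in the same PR say "Windows 10 Enterprise E5". If the two features really differ in licensing, state that explicitly here so the difference does not read as a typo; if they do not, align the wording. Linking both to a single requirements topic would keep them from drifting apart again.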
@ -37,7 +37,7 @@ ms.date: 04/30/2018



Attack surface reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md).
Available in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md).

This topic helps you evaluate Attack surface reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/17/2018
---

# Evaluate Network protection
@ -36,7 +36,7 @@ ms.date: 04/30/2018



Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Available in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).

It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/17/2018
---


@ -36,7 +36,7 @@ ms.date: 04/30/2018
- Configuration service providers for mobile device management


Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
Available in Windows 10 Enterprise, Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.

It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/17/2018
---

# Troubleshoot Attack surface reduction rules
@ -45,7 +45,7 @@ There are four steps to troubleshooting these problems:
Attack surface reduction (ASR) will only work on devices with the following conditions:

>[!div class="checklist"]
> - Endpoints are running Windows 10 Enterprise edition, version 1709 (also known as the Fall Creators Update).
> - Endpoints are running Windows 10 Enterprise E5, version 1709 (also known as the Fall Creators Update).
> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules).

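Review bot: the changed bullet now requires "Windows 10 Enterprise E5, version 1709", consistent with the "Available in Windows 10 Enterprise E5" wording added elsewhere in the PR. The unchanged last bullet is the real defect in this checklist and is worth fixing while the list is open: it tells the reader to leave audit mode by setting the rule to **Disabled** (value **0**), but a disabled rule blocks nothing, so following it makes the "will only work" precondition false. The condition should be that the rule is in block mode (value 1); 0 disables the rule and 2 is audit.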
@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 12/12/2017
ms.date: 05/17/2018
---

# Troubleshoot Network protection
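Review bot: this file gets only an ms.date bump from 12/12/2017 to 05/17/2018, and no content hunk for the Troubleshoot Network protection topic appears in the diff as shown. If a content edit was intended (for example the same licensing sentence the other Network protection topics receive), it is missing; if not, consider dropping the date change so the page's "last updated" date keeps meaning something to readers.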