From e078156b9d96439f90c15a429b4a91d94796eb63 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Wed, 6 Feb 2019 12:29:42 -0800 Subject: [PATCH] Added more description to Outlook and Adobe asr rules. --- .../attack-surface-reduction-exploit-guard.md | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 0c63e58ce9..69fa1dad4e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -17,7 +17,7 @@ ms.author: v-anbic **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Attack surface reduction rules help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. 
@@ -53,7 +53,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c The rules apply to the following Office apps: @@ -105,7 +105,7 @@ GUID: 3B576869-A4EC-4529-8536-B80A7769E899 ### Rule: Block Office applications from injecting code into other processes -Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. +Office apps, including Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. @@ -146,7 +146,7 @@ GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system. -This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. +This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote. Intune name: Win32 imports from Office macro code 
@@ -224,11 +224,14 @@ SCCM name: Block untrusted and unsigned processes that run from USB GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -### Rule: Block Office communication applications from creating child processes +### Rule: Block Office communication application from creating child processes -Office communication apps will not be allowed to create child processes. This includes Outlook. +This rule prevents Outlook from creating child processes, including launching an app when a user double-clicks an attachment. -This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. +This is a typical malware behavior, especially for macro-based attacks that attempt to use Outlook to launch or download malicious executables. + +>[!NOTE] +>This rule applies to Outlook only. Intune name: Not applicable @@ -240,6 +243,8 @@ GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869 This rule blocks Adobe Reader from creating child processes. +This helps protect against heap-based buffer overflow vulnerabilities in PDF files, which attackers could use to launch malicious code. It also mitigates against potential JavaScript and Adobe Flash engine vulnerabilities that could allow attackers to insert and execute malicious code in PDF documents. + Intune name: Not applicable SCCM name: Not applicable
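Review bot: In the @@ -17,7 hunk, the "Applies to" product name is turned into a link to a PDF on a blob-storage host (Windows10_Commercial_Comparison.pdf), which is unrelated to the Outlook and Adobe rule descriptions this commit is about and is a fragile target for a docs page. Either drop the link or point it at the Windows Defender ATP documentation page itself, and keep the change in a separate commit so the rule-description edits can be reviewed on their own.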
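Review bot: The @@ -53,7 hunk renames the table row from "applications" to "application" while the GUID 26190899-1602-49e8-8b27-eb1d0a1ce869 stays the same, so this is a rule-name change rather than a new rule; the matching "### Rule:" heading is renamed in the @@ -224,11 hunk, but any existing in-page or cross-page links to the old heading anchor will break. Check for references to the previous heading text and update them in the same change.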
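Review bot: In the @@ -105,7 hunk, "Office apps, including Word, Excel, or PowerPoint" pairs "including" with "or", which reads as an incomplete list of alternatives; with "including" the list should use "and", or keep the original "such as" wording if the intent is only to give examples.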
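Review bot: In the @@ -146,7 hunk, the appended sentence "This includes Word, Excel, PowerPoint, and OneNote." has an ambiguous antecedent: the preceding sentence is about Office files that contain macro code, so "This" can be read as the file types rather than the apps the rule covers. Suggest "The rule covers Word, Excel, PowerPoint, and OneNote." so it is clear these are the applications the block applies to.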
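Review bot: In the @@ -224,11 hunk, the new first sentence says the rule blocks Outlook from "launching an app when a user double-clicks an attachment", which is a routine user action, but the description does not say that legitimate attachment workflows are affected or point the reader at audit mode before enforcing; add that so administrators are not surprised. The second sentence now says "macro-based attacks that attempt to use Outlook", yet macro-driven child-process launches are associated with the other Office apps in this document, so the justification for narrowing that sentence to Outlook should be explained or the original wording kept. Also, ">[!NOTE]" lacks the space after ">" used elsewhere.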
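Review bot: In the @@ -240,6 hunk, the added paragraph says the rule "helps protect against heap-based buffer overflow vulnerabilities in PDF files", but a child-process block does not prevent a memory-corruption bug from being triggered; it limits what an exploit can do afterwards by stopping Reader from spawning another process. Reword to say the rule reduces the impact of exploits of such vulnerabilities (and of JavaScript or Flash engine issues) rather than protecting against the vulnerabilities themselves, and change "mitigates against" to "mitigates".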