From e93e0546d787a54eac7437ad4744484686ab0ce8 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Mon, 14 Aug 2017 18:13:31 -0700 Subject: [PATCH] eval changes --- .../attack-surface-reduction-exploit-guard.md | 283 ++++++++++++++--- .../audit-windows-defender-exploit-guard.md | 28 ++ .../controlled-folders-exploit-guard.md | 91 ++++-- .../evaluate-attack-surface-reduction.md | 290 ++++++++---------- .../evaluate-controlled-folder-access.md | 5 + .../images/asr-notif.png | Bin 0 -> 14027 bytes .../images/asr-rules-gp.png | Bin 0 -> 31409 bytes 7 files changed, 469 insertions(+), 228 deletions(-) create mode 100644 windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md create mode 100644 windows/threat-protection/windows-defender-exploit-guard/images/asr-notif.png create mode 100644 windows/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png diff --git a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 670f31b22a..3895a112b8 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -14,8 +14,7 @@ ms.author: iawilt --- - -# Windows Defender Exploit Guard +# Reduce the attack surface with Windows Defender Exploit Guard **Applies to:** 
@@ -32,61 +31,249 @@ ms.author: iawilt - Group Policy - PowerShell - Windows Management Instrumentation (WMI) -- System Center Configuration Manager - Microsoft Intune - Windows Defender Security Center app -Windows Defender Exploit Guard is a new collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software. + -You can use Windows Defender EG to: +## Requirements -- Apply exploit mitigation techniques to apps your organization uses, both individually and to all apps, with [Exploit Protection](exploit-protection-exploit-guard.md) -- Reduce the attack surface that exploits can leverage, by utlizing rules that go beyond standard host-intrusion prevention systems (HIPS) with [Attack Surface Reduction rules](attack-surface-reduction-exploit.guard.md) -- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity outside of the browser with [Network Protection](network-protection-exploit-guard.md) -- Protect files in key system folders from changes made by malicious and suspicious apps with [Controlled Folder Access](controlled-folders-exploit-guard.md) +The following requirements must be met before Attack Surface Reduction will work: -Evaluate Windows Defender EG with our evaluation and set-up guide, which provides a pre-built PowerShell script and testing tool so you can see the new features in action: -- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) - -You can also [enable audit mode](audit-mode-exploit-guard.md) for Windows Defender EG, which provides with reporting and event logs that indicate how the feature would have responded if it had been fully enabled. This can be useful when evaluating the impact of Windows Defender EG and to help determine the impact of the features on your network's security. 
- -Windows Defender EG is a component of the new Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies. Other components of Windows Defender Advanced Threat Protection include: - - [The Windows Defender ATP console](../windows-defender-atp/windows-defender-advanced-threat-protection.md) -- [Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) - - [Windows Defender SmartScreen] - - [Windows Defender Device Guard] - - [Windows Defender Application Control] - - Each of the features in Windows Defender EG have slightly different requirements: - - Feature | Minimum Windows 10 Insider Preview build | Windows Defender Antivirus | Windows Defender Advanced Threat Protection license - -|-|-|- - Exploit Protection | 16232 | No requirement | Required for reporting in the Windows Defender ATP console - Attack Surface Reduction | 16232 | Must be enabled | Required - Network Protection | not released | Must be enabled | Required for reporting in the Windows Defender ATP console - Controlled Folder Access | 16232 | Must be enabled | Required for reporting in the Windows Defender ATP console - -> [!NOTE] -> Each feature's requirements are further described in the individual topics in this library. 
- - The way in which the features can be managed, configured, and reported on also varies: - - Feature | Configuration available with | Reporting available with - -|-|- - Exploit Protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, PowerShell, Windows Defender Security Center | Windows Event logs - Attack Surface Reduction | Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x - Network Protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x - Controlled Folder Access | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x +Windows 10 version | Windows Defender Antivirus +Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled - ## In this library -Topic | Description ----|--- -[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard) | Exploit Protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once. 
-[Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit.guard.m) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as macro, script, PowerShell, USB, and Flash security policies and configuration. -[Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors, and set up reporting for suspicious activity. -[Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (such as ransomware malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data. +## Enable Attack Surface Reduction rules + +You can use Group Policy to configure the state or mode for each rule. This can be useful if you only want to enable some rules, or you want to enable rules individually in audit mode. + +For further details on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**. + +6. Double-click the **Configure Attack Surface Reduction rules** setting and set the option to **Enabled**. 
You can then set the individual state for each rule in the options section: + - Click **Show...** and enter the Rule ID in the **Value name** column and your desired state in the **Value** column as follows: + - Block mode = 1 + - Disabled = 0 + - Audit mode = 2 + + + ![](images/asr-rules-gp.png) + +>[!NOTE] +>Rule IDs willl be populated on machines that are enrolled in an E5 license. These machines will also properly report their Attack Surface Reduction rule history in the Windows Defender Security Center web console. + + +>[!NOTE] +>The tool reveals the RuleIDs. How will the IDs be hidden/how will the experience differ without an E5? + + + +## Exclude files and folders + +You can exclude files and folders from being evaluated by Attack Surface Reduction rules. You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the files should be excluded from individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode). + + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**. + +6. Double-click the **Exclude files and paths from Attack Surface Reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. + + + + +## Review Attack Surface Reduction events in Windows Event Viewer + +You can also review the Windows event log to see the events there were created when using the tool: + +1. 
Type **Event viewer** in the Start menu to open the Windows Event Viewer. + +2. On the left panel, under **Actions**, click **Import custom view...** + +3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [download the XML directly](scripts/asr-events.xml). + +4. Click **OK**. + +5. This will create a custom view that filters to only show the following events related to Attack Surface Reduction: + + Event ID | Description +-|- +5007 | Event when settings are changed +1122 | Event when rule fires in Audit-mode +1121 | Event when rule fires in Block-mode + + + + +## MDM policy settings for Controlled Folder Access + +./Vendor/MSFT/Policy/Config/Defender/EnableGuardMyFolders + +## Audit/block modes + +Controlled Folder Access has mitigations that can be individually enabled in audit or blocking mode. + +Component |Description |Rule/mitigation description | +-|-|-|- +Controlled Folder Access |Automatically blocks access to content to protected folders. - This can be enabled in audit/block mode |Protected folders |Folders that are shielded by this component. +| | | Allowed apps |Apps that are allowed to write into protected folders + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +### Audit/block modes + +Each of these components can individually be enabled in audit or blocking mode. + +Attack Surface Reduction and Controlled Folder Access also have mitigations that can be individually enabled in audit or blocking mode. + +Component |Description |Rule/mitigation description | +-|-|-|- +Attack Surface Reduction (ASR) | Provides rules that allow you to prevent macro, script and email threats. 
- Each rule can be enabled in audit/block mode - Supports file/folder exclusions applied to all rules |Rules to prevent macro threats |Block office application from creating executable content +| | | | Block obfuscated js/vbs/ps/macro code +| | | | Block office application from launching child processes +| | | | Block office application from injecting into other processes +| | | | Block Win32 imports from macro code in Office +| | | Rules to prevent script threats |Block js/vbs from executing payload downloaded from Internet +| | | | Block obfuscated js/vbs/ps/macro code +| | | Rules to prevent email threats |Block execution of executable content (exe, dll, ps, js, vbs, etc) dropped from email (webmail/mail-client). + + +## Policy settings for Windows Defender EG + +The MDM policy settings for Windows Defender EG are listed in this section, along with example settings. + + +### Attack Surface Reduction + +- ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions +- ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules +-- Value as String Data Type : {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}:1 + + +#### Rule-GUIDs for ASR + +Rule description | GUIDs +-|- +Office rules | +Block office application from injecting into other processes | {75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84} + | OMA URI : “./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules” + | Value as String Data Type : {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}:1 + | 1 = Block, 2 = Audit, 0 = Disabled. 
+Block office application/macros from creating executable content | {3b576869-a4ec-4529-8536-b80a7769e899} + | Replace the above GUID with the corresponding Rule GUID +Block office application from launching child processes | {d4f940ab-401b-4efc-aadc-ad5f3c50688a} + | Replace the above GUID with the corresponding Rule GUID +Block Win32 imports from Macro code in Office | {92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B} + | Replace the above GUID with the corresponding Rule GUID +Block obfuscated js/vbs/ps/macro code | {5beb7efe-fd9a-4556-801d-275e5ffc04cc} + | Replace the above GUID with the corresponding Rule GUID +Script rules | +Block obfuscated js/vbs/ps/macro code | {5beb7efe-fd9a-4556-801d-275e5ffc04cc} + | Replace the above GUID with the corresponding Rule GUID [Note: same rule as above, but also covers scripts hence written here] +Block js/vbs from executing payload downloaded from Internet. | {d3e037e1-3eb8-44c8-a917-57927947596d} + | Replace the above GUID with the corresponding Rule GUID +Email rule | +Block execution of executable content (exe, dll, ps, js, vbs, etc) dropped from email (webmail/mail-client). | be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 + | Replace the above GUID with the corresponding Rule GUID [Currently working for Mail-client (Outlook). Personal Webmail (Outlook.com, Gmail, Yahoo) work in progress] + + + + + +### Manually enabling the Attack Surface Reduction rules + +You can also manually use GP or MDM-URIs to enable the ASR rules: + +From the rules tables above, choose the ASR rules that you want to enable and set the following policy. For each rule select the right GUID. + +After you’ve chosen your rules, use one of the tools above to simulate a rule to fire. +- “./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules” +- Value as String Data Type: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}:2 + + +### View event logs + +Note: event logs are not the primary mechanism for investigation. 
The Windows Defender ATP portal receives much richer information that allows for investigation. Information is also presented in an interactive machine-timeline view. + + +#### Event fields +- **ID**: matches with the Rule-ID that triggered the block/audit. +- **Detection time**: Time of detection +- **Process Name**: The process that performed the “operation” that was blocked/audited +- **Description**: + +Windows Defender Antivirus has audited an operation that is not allowed by your IT administrator. + +For more information please contact your IT administrator. +-- ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A +-- Detection time: 2017-06-21T11:52:29.062Z +-- User: SYSTEM +-- Path: C:\Windows\System32\notepad.exe +-- Process Name: C:\Program Files\Microsoft Office\Office16\winword.exe +-- Signature Version: 1.245.730.0 +-- Engine Version: 1.1.13902.0 +-- Product Version: 4.12.16228.1000 + + +### View the alert notification + +If you configure the test to block, a notification will be displayed from the Action Center. This notification is customizable with your organization and contact information. + + +## Customize the notification + +Customizing the Windows Defender Security Center is a simple task that provides users with a clear way to contact support. +Simply navigate in Group Policy to **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Security Center\Enterprise Customization**. From there, you will be able to enable your custom notification, set your organization name and contact information. diff --git a/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md new file mode 100644 index 0000000000..f21450a54f --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md 
@@ -0,0 +1,28 @@ +--- +title: +description: +keywords: +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +--- + + +# Use audit mode to evaluate Windows Defender Exploit Guard features + + +You can enable each of the features of Windows Defender Explot Guard in auditing mode. This lets you see a record of what *would* have happened if you had enabled the feature. + +You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. + +This topic lists the auditing functionality available for each feature, the management tools (Group Policy, Intune, MDM CSPs, System Center Configuration Manager, or PowerShell) that can be used to configure and deploy the setting to multiple machines in your network(s), and links to configuring each feature or setting. + + + + diff --git a/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index c119518f4a..14a5a0a94a 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md 
@@ -54,8 +54,16 @@ The following requirements must be met before Controlled Folder Access will work Windows 10 version | Windows Defender Antivirus Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled +## Enable Controlled Folder Access -**Use the Windows Defender Security app to enable Controlled Folder Access:** +You can enable Controlled Folder Access with either the Windows Defender Security Center app or Group Policy. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine. + +For further details on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). + + +For further details on how audit mode works, and when you might want to use it, see the section [Use auditing mode to measure impact](#use-auditing-mode-to-measure-impact). + +### Use the Windows Defender Security app to enable Controlled Folder Access 1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. @@ -67,7 +75,7 @@ Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows De ![](images/cfa-on.png) -**Use Group Policy to enable Controlled Folder Access:** +### Use Group Policy to enable Controlled Folder Access 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 
@@ -88,23 +96,30 @@ Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows De >[!IMPORTANT] >To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. +### Use PowerShell to enable Controlled Folder Access + + +### Use MDM CSPs or Intune to enable Controlled Folder Access + + +### Use System Center Configuration Manager to enable Controlled Folder Access + + ## Protect additional folders - Adding other folders to Controlled Folder Access can be handy, for example, if you don’t store files in the default Windows libraries or you’ve changed the location of the libraries away from the defaults. - Controlled Folder Access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop. You can add additional folders to be protected, but you cannot remove the default folders in the default list. - - -Click Protected folders in the Controlled Folder Access area and enter the full path of the folder you want to monitor. +Adding other folders to Controlled Folder Access can be useful, for example, if you don’t store files in the default Windows libraries or you’ve changed the location of the libraries away from the defaults. You can also enter network shares and mapped drives, but environment variables and wildcards are not supported. -**Use the Windows Defender Security app to protect additional folders:** +You can use the Windows Defender Security Center app or Group Policy to add and remove additional protected folders. + +### Use the Windows Defender Security app to protect additional folders 1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. 
@@ -119,7 +134,7 @@ You can also enter network shares and mapped drives, but environment variables a ![](images/cfa-prot-folders.png) - **Use Group Policy to protect additional folders:** +### Use Group Policy to protect additional folders 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -131,16 +146,27 @@ You can also enter network shares and mapped drives, but environment variables a 6. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder as Value? Or Value Name? - > [!IMPORTANT] > Environment variables and wildcards are not supported. + +### Use PowerShell to protect additional folders + + +### Use MDM CSPs or Intune to protect additional folders + + +### Use System Center Configuration Manager to protect additional folders + + + ## Allow specifc apps to make changes to controlled folders You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you’re finding a particular app that you know and trust is being blocked by the Controlled Folder Access feature. +You can use the Windows Defender Security Center app or Group Policy to add and remove apps that should be allowed to access protected folders. -**Use the Windows Defender Security app to whitelist specific apps:** +### Use the Windows Defender Security app to whitelist specific apps 1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. 
@@ -154,7 +180,7 @@ You can specify if certain apps should always be considered safe and given write ![](images/cfa-allow-app.png) - **Use Group Policy to whitelist specific apps:** +### Use Group Policy to whitelist specific apps 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 
@@ -167,20 +193,43 @@ You can specify if certain apps should always be considered safe and given write 6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app as Value? Or Value Name? what are the requirements? Have to be exe? Do you have to enter fully qualified path, or will it apply to any .exe with that name? -## Review event logs for Controlled Folder Access -Component | Configuration available with | Event ID | Corresponds to… --|-|-|- -Controlled Folder access | GP, MDM & UI | Provider: Windows Defender | -| | | Event when settings are changed | -| | | Event when CFA fires in Audit-mode | -| | | Event when CFA fires in Block-mode | +### Use PowerShell to whitelist specific apps -## MDM policy settings for Controlled Folder Access - +### Use MDM CSPs or Intune to whitelist specific apps ./Vendor/MSFT/Policy/Config/Defender/EnableGuardMyFolders +### Use System Center Configuration Manager to whitelist specific apps + + + +## Review Controlled Folder Access events in Windows Event Viewer + +You can also review the Windows event log to see the events there were created when using the tool: + +1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. + +2. On the left panel, under **Actions**, click **Import custom view...** + +3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [download the XML directly](scripts/cfa-events.xml). + +4. Click **OK**. + +5. This will create a custom view that filters to only show the following events related to Controlled Folder Access: + +Event ID | Description +-|- +5007 | Event when settings are changed +1124 | Audited Controlled Folder Access event +1123 | Blocked Controlled Folder Access event + + + + + + + ## Audit/block modes Controlled Folder Access has mitigations that can be individually enabled in audit or blocking mode. 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index 49dc3eb9e9..e5a4563ded 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -20,8 +20,8 @@ Attack Surface Reduction is a feature that is part of Windows Defender Exploit G This topic helps you evaluate Attack Surface Reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation. ->[NOTE] ->This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. +>[!NOTE] +>This topic uses a customized testing tool and PowerShell cmdlets to make it easy to enable the feature and test it. >For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md). 
@@ -40,34 +40,148 @@ When you run a scenario, you will see what the scenario entails, what the rule i ![](images/asr-test-tool.png) +Each scenario creates a fake or sample file or behavior that the rule would target and, if the rule was enabled, block from running. -### Rule 1 +>[!IMPORTANT] +>The settings you change while using this tool will be cleared when you close the tool. If you want to test the feature in a production environment, you should consider using [auditing mode to measure impact](#use-auditing-mode-to-measure-impact), or see the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md). + +**Run a rule using the demo tool:** + +1. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard ASR test tool* to a location on your PC that is easy to access (such as your desktop). + +2. Run the tool by double-clicking the version that matches your operating system - either 64-bit (x64) or 32-bit (x86). If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**. + + + >[!IMPORTANT] + >Make sure you use the version of the tool that is appropriate for the machine you are using. Use the x86 version for 32-bit versions of Windows 10, or use the x64 version for 64-bit versions of Windows 10. + +3. Select the rule from the drop-down menu. + +4. Select the mode, **Disabled**, **Block**, or **Audit**. + 1. Optionally, click **Show Advanced Options** and choose a specific scenario (or all scenarios sequentially by selecting **All Scenarios**), enter a delay, or click **Leave Dirty**. + +5. Click **RunScenario**. + +The scenario will run, and an output will appear describing the steps taken. + +You can right-click on the output window and click **Open Event Viewer** to see the relevant event in Windows Event Viewer. 
+ +>[!TIP] +>You can click **Save Filter to Custom View...** in the Event Viewer to create a custom view so you can easily come back to this view as you continue to evaluate rules. + +>[!NOTE] +>What does leave dirty do? Does delay work? -### Rule 2 +Choosing the **Mode** will change how the rule functions: + +Mode option | Description +-|- +Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled Attack Surface Reduction at all. +Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled Attack Surface Reduction. +Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how Attack Surface Reduction will work but without impacting how you use the machine. + +Block mode will cause a notification to appear on the user's desktop: + +![](images/asr-notif.png) + +You can [modify the notification to display your company name and links](attack-surface-reduction-exploit-guard.md#customize-the-notification) for users to obtain more information or contact your IT help desk. + +For further details on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). + +The following sections describe what each rule does and what the scenarios entail for each rule. + +### Rule: Block executable content from email client and webmail + + +This rule blocks certain files from being run or launched from an email. You can specify an individual scenario, based on the category of the file type or whether the email is in Microsoft Outlook or web mail. 
+ +The following table describes the category of the file type that will be blocked and the source of the email for each scenario in this rule: + +Scenario name | File type | Program +- | - | - +Random | A scenario will be randomly chosen from this list | Microsoft Outlook or web mail +Mail Client PE | Executable files (such as .exe, .dll, or .scr) | Microsoft Outlook +Mail Client Script | Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) | Microsoft Outlook +Mail Client Script Archive | Script archive files (such as .????) | Microsoft Outlook +WebMail PE | Executable files (such as .exe, .dll, or .scr) | Web mail, such as ??? (only outlook/hotmail? Or anything? Any browser or only Edge/IE?) +WebMail Script | Script files (such as a PowerShell .ps, VBScript .vbs, or JavaScript .js file) | Web mail +WebMail Script Archive | Script archive files (such as .????) | Web mail + + +>[!NOTE] +>What is a script archive file? + + +### Rule: Block Office applications from creating child processes + +>[!NOTE] +>There is only one scenario to test for this rule. + +Office apps, such as Word or Excel, will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. + +>[!NOTE] +>Note sure if this accurate + +### Rule: Block Office applications from creating executable content + +This rule targets typical behaviors used by suspicious and malicious add-ons and scripts that create or launch executable files. This is a typical malware spreading and infection technique. + +The following scenarios can be individually chosen: + +- Random + - A scenario will be randomly chosen from this list +- Extension Block + - Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. 
+- MZ Block + - ??? + + +>[!NOTE] +>Note sure if this accurate -### Rule 3 +### Rule: Block Office applications from injecting into other processes + + +>[!NOTE] +>There is only one scenario to test for this rule. + + +Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. -### Rule 4 +### Rule: Impede JavaScript and VBScript to launch executables + +JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. + +- Random + - A scenario will be randomly chosen from this list +- JScript + - JavaScript will not be allowed to launch executable files +- VBScript + - VBScript will not be allowed to launch executable files -### Rule 5 - - - -### Rule 6 - - +### Rule: Block execution of potentially obfuscated scripts + +Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. This rule prevents scripts that appear to be obfuscated from running. +- Random + - A scenario will be randomly chosen from this list +- AntiMalwareScanInterface + - This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script +- OnAccess + - Potentially obfuscated scripts will be blocked when an attempt is made to run them +>[!NOTE] +>Note sure if this accurate 
@@ -105,9 +219,10 @@ To enable audit mode, use the following PowerShell cmdlet: Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode ``` +This enables all Attack Surface Reduction rules in audit mode. >[!TIP] ->If you want to fully audit how Attack Surface Redurction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +>If you want to fully audit how Attack Surface Reduction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md). @@ -122,6 +237,8 @@ See the following sections in the main [Use Attack Surface Reduction rules](cont - [Configure rules individually](attack-surface-reduction-exploit-guard.md#configure-rules-individually) +## Related topics +- [Attack Surface ] 
@@ -133,148 +250,3 @@ See the following sections in the main [Use Attack Surface Reduction rules](cont - - -## Attack Surface Reduction rules - - - - -### Audit/block modes - -Each of these components can individually be enabled in audit or blocking mode. - -Attack Surface Reduction and Controlled Folder Access also have mitigations that can be individually enabled in audit or blocking mode. - -Component |Description |Rule/mitigation description | --|-|-|- -Attack Surface Reduction (ASR) | Provides rules that allow you to prevent macro, script and email threats. - Each rule can be enabled in audit/block mode - Supports file/folder exclusions applied to all rules |Rules to prevent macro threats |Block office application from creating executable content -| | | | Block obfuscated js/vbs/ps/macro code -| | | | Block office application from launching child processes -| | | | Block office application from injecting into other processes -| | | | Block Win32 imports from macro code in Office -| | | Rules to prevent script threats |Block js/vbs from executing payload downloaded from Internet -| | | | Block obfuscated js/vbs/ps/macro code -| | | Rules to prevent email threats |Block execution of executable content (exe, dll, ps, js, vbs, etc) dropped from email (webmail/mail-client). - - -## Policy settings for Windows Defender EG - -The MDM policy settings for Windows Defender EG are listed in this section, along with example settings. 
- - -### Attack Surface Reduction - -- ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions -- ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules --- Value as String Data Type : {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}:1 - - -#### Rule-GUIDs for ASR - -Rule description | GUIDs --|- -Office rules | -Block office application from injecting into other processes | {75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84} - | OMA URI : “./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules” - | Value as String Data Type : {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}:1 - | 1 = Block, 2 = Audit, 0 = Disabled. -Block office application/macros from creating executable content | {3b576869-a4ec-4529-8536-b80a7769e899} - | Replace the above GUID with the corresponding Rule GUID -Block office application from launching child processes | {d4f940ab-401b-4efc-aadc-ad5f3c50688a} - | Replace the above GUID with the corresponding Rule GUID -Block Win32 imports from Macro code in Office | {92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B} - | Replace the above GUID with the corresponding Rule GUID -Block obfuscated js/vbs/ps/macro code | {5beb7efe-fd9a-4556-801d-275e5ffc04cc} - | Replace the above GUID with the corresponding Rule GUID -Script rules | -Block obfuscated js/vbs/ps/macro code | {5beb7efe-fd9a-4556-801d-275e5ffc04cc} - | Replace the above GUID with the corresponding Rule GUID [Note: same rule as above, but also covers scripts hence written here] -Block js/vbs from executing payload downloaded from Internet. | {d3e037e1-3eb8-44c8-a917-57927947596d} - | Replace the above GUID with the corresponding Rule GUID -Email rule | -Block execution of executable content (exe, dll, ps, js, vbs, etc) dropped from email (webmail/mail-client). | be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - | Replace the above GUID with the corresponding Rule GUID [Currently working for Mail-client (Outlook). 
Personal Webmail (Outlook.com, Gmail, Yahoo) work in progress] - - - - ## Evaluate - -### Using the standalone configuration tool - -We’ve provided an easy-to-use configuration tool for testing purposes, called TestHIPS. The tool can be used to: - -1. Enable the chosen ASR rule in either block or audit mode by creating a local GPO and running a test file that triggers the rule. - -2. Enable the chosen ASR rule in either block or audit mode by creating a local GPO. - -The result of the activity can be viewed in the event log and corresponding notification (if the rule was triggered in block mode). - -You can find the tool in the evaluation package alongside this guide: -- ExploitGuardCustomerFiles/AntiMalware.Tools.TestHIPS.exe -- -Note: You may need to change the extension in the filename from **AntiMalware.Tools.TestHIPS.rename** to **AntiMalware.Tools.TestHIPS.exe**. - -For additional help with the tool, use the “-?” parameter. - - -### Using the DemoExploitGuard tool to simulate WD-EG Rules with a GUI - -You can use an additional tool, called DemoExploitGuard, to test various rules by simulating scenarios that would cause the rule to issue a block or audit event, depending on the mode. DemoExploitGuard uses the TestHIPS tool to enable and configure the rules. - -You can find the tool in the evaluation package alongside this guide: -- ExploitGuardCustomerFiles\AntiMalware.Tools.DemoExploitGuard.exe - -Note: You may need to change the extension in the filename from **AntiMalware.Tools.DemoExploitGuard.rename** to **AntiMalware.Tools.DemoExploitGuard.exe** -**Rules**: Select one of the seven Attack Surface Reduction rules to run. -**Mode**: Sets the behavior of the Demo Tool. 
-Note: If the rule is applied by GP, this should not be an option -- **Disabled**: This scenario will execute normally and complete -- **Block**: This scenario should get blocked [ExploitGuard Block] and a notification will appear to indicate the block -- **Audit**: This scenario will not block, but will show up in the event log. Right-click the output area to go directly to the event logs for Windows Defender EG - - -### Manually enabling the Attack Surface Reduction rules - -You can also manually use GP or MDM-URIs to enable the ASR rules: - -From the rules tables above, choose the ASR rules that you want to enable and set the following policy. For each rule select the right GUID. - -After you’ve chosen your rules, use one of the tools above to simulate a rule to fire. -- “./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules” -- Value as String Data Type: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}:2 - - -### View event logs - -Note: event logs are not the primary mechanism for investigation. The Windows Defender ATP portal receives much richer information that allows for investigation. Information is also presented in an interactive machine-timeline view. - - -#### Event fields -- **ID**: matches with the Rule-ID that triggered the block/audit. -- **Detection time**: Time of detection -- **Process Name**: The process that performed the “operation” that was blocked/audited -- **Description**: - -Windows Defender Antivirus has audited an operation that is not allowed by your IT administrator. - -For more information please contact your IT administrator. 
--- ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A --- Detection time: 2017-06-21T11:52:29.062Z --- User: SYSTEM --- Path: C:\Windows\System32\notepad.exe --- Process Name: C:\Program Files\Microsoft Office\Office16\winword.exe --- Signature Version: 1.245.730.0 --- Engine Version: 1.1.13902.0 --- Product Version: 4.12.16228.1000 - - -### View the alert notification - -If you configure the test to block, a notification will be displayed from the Action Center. This notification is customizable with your organization and contact information. - - -### Customizing Windows Defender - -Customizing the Windows Defender Security Center is a simple task that provides users with a clear way to contact support. -Simply navigate in Group Policy to **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Security Center\Enterprise Customization**. From there, you will be able to enable your custom notification, set your organization name and contact information. \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md index 4512197267..f3d1e5d770 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md 
@@ -99,6 +99,11 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode >If you want to fully audit how Controlled Folder Access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [Controlled Folder Access topic](controlled-folders-exploit-guard.md). + +For further details on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). + + + ## Customize protected folders and apps During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files. 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/asr-notif.png b/windows/threat-protection/windows-defender-exploit-guard/images/asr-notif.png new file mode 100644 index 0000000000000000000000000000000000000000..2f8eb025568c724714297ea58062f02dd075eb39 GIT binary patch literal 14027
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png b/windows/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png new file mode 100644 index 0000000000000000000000000000000000000000..fa6285cb5667401323b8141e42db20b7bb8b4586 GIT binary patch literal 31409
z_@k8v$g1QDGa1(==wOjTr{+CQtSzY+X8bnM!H#(u=Sy2FZmqIg*sJ! z`$nO)v~-8D%_-h;Y}(@^Ep=tK+SYnK>8}w|H*^+0anaT_noMY4&P1yy_)n!;CA?-H z(9M}dXi@T>F-KULpmDb7n<@J5X~aBSIhVjW)j~Ze2^H?LoeEQn(dX+46iM-cr4nxb z%;FwW4e_*(6AHcM(cP-x|3Su4*e6GG^D0#Suc7I07$*EqNBZV?jCQEp`sUK`8{z|a z1`MIz?0J(@U2{ke`SwH=p9^)q{d~j5WYBUY`#=B+dmilx_yQ(BjwV#piiX??Ty7ED z{)Ze`T5VSmM2-^dHB;}~MHQZgR4EN6sNp^4s+7HP{9eOy#YEdpTeYaV`q2;3+S{6E zprthS%}=qK_b|vF&r5t(f$bbx@H9zfJ6&74*Vr5g+70W^Hassz) zod>!V>AD`7EPwlU{fw>o!V4LG&o0IBzQVoNhd1mByd<-qHkVChx`KpKV@>dlY8Wo=mYa3oT>CawU0$9U;g2a#xQ)j@gozCm zSP}okXsCPoUeu`c)n4n~Ozvx0L^zbz`k7Ag25BPd8wV1v9#@D_*6gYH(m*+1-W0A` z707R0X`cKf1zFX1O<=w7=U-uRAWo)1sL3 z7oTm!8a?Dd;PtB=Pqgl(n{ighl*6?=9^fZf)5S(IPgOr+U06;|%QXzlEZVTr(fz$t(RRVf~O^hhDezM#&#Pj?2y@DHF z9t`h1uMu|=v?7u=;DMFl&)8n2m9;j(Xd&Y%&)}TKc{!B?b@uWJezC+x4p0JWU@QmPlOI<*oM& z#!83nf0w-#pg}_x_^$pmXtC-3*nf_*OV(}w0qNj1QGQw?)iXEs!ALFa{U>hsMeGu}nECY2j?u~^S07Bg^iy0zHP>Acg1SDlyOZF3B|nIA23R?FXXoxE)9 zKs4)FqlKLF9He#X5oOfcl)R|gW1X{0-g)DbHTu5CV_6i65YR0;w zFobq@80`Au$R#o8{X$QWyzf&lB44idhTwHxJ(N;|LA|$kW;;w)A^y#7GW^7Yk4S61 zuOH|1wc@m=1-h$QXsccWp*gA{Kf)JK*f^cHgfw#-ZLb!OFi(VQTb)9bYOOkxS*C5* zX!+uuWqHe-?fyr6#a0i=eZTXJSK>)&6nBcXjcQ7fwQdgFeVM!K-JerhNQ3l{Yk%a} zoiz#$);I-vXn~B&WJ|p|;3!kS!ItyRVe&Jay~f2O)i#bPs$%>Ni-H~>s>R~%%9)%| zBRStAjWu(hJX&+iGd1IyOYW^+aj9`Z50!JltH}}%XJS2gFrqbgsU$J@=LaxBcn#*> z8?K?%(N1ghPJ+{=Ttm%1MAJWEGJ!p=gPDgK2DlNu(xY$L( z&lr$6gpM_!A}hGDA7&J{E2fjYCyP&=sNgkSP#$pGMo|{_KN++8+uJ+?+d)|)p>(-^ zW$4%(TuO5wHN?B#F~?>5_gInNHkmS)0OYtC34L^F>j;e;#Y1#wp zxbhypgB%*F8s!xT`%=l})#uyAZ)I1LHNsnYjo471S}#W$ zTKVvvHy1M3@bn}Zm1!okTK#O!4YIXbHM!k?SKfs7k9CvKgy${cd9QM$yT%FTQU(fH za}U__y)`Z6gZCpv6->M?YFKmTdW9AWw%v?#dNop~CbVc(-y^C?o04jj>G8U>vEf@; zij*2@y?NH|lZPD%uS-&MhgPkrKPM$`x!LtMFDLU zFg8eb|B+iU``FcJ;cEG{%E_k%R1B9mvMB_6yN&Ikpau@} ze8FuT53lAR@{~G}*D_A6@LAr1qFqdEEL(z_G^hfA*##6`6nB5BMu-1}Ux-z_;RXj7 zAB)Gg{>k|f*a;I8lOlVGGH`tOpmL1i@u%;bG!`WiKTXMb00Gorhfk=ya?MOTRLP@; z&FMA%=#RSG_i$yTi9yqeqM|p?J+KqG-vWU)95u7gai|twxOSMH1>*3FO?=^(H=*6) 
zm!b0?N^`yEasH>&2pA|T0iQoi&0;SS;u`7m+{-3|ECfz}u~-M78~FKuQLw?+_+K`W zy@(eh;PYofLjzEiKxePLAtCW%c$vi&@bGPU;H;BE& ze{NK#T&at2m{ml(9L>_ynrFmC#nRDW_EMX6i`7){a0@i%Lb*=05`R~JVscD}$U$P_-NNT; zh0k+aU;+n<**Es*)|UuSE9`kYwCBr>D!Ap!yk^c$T;1qRn>h8J4Z`eTidF6E(>E@8 zFS)lv-KJk|QD|^6q9=nfzxs+WWLgC@LN(!ZlF#Wlxx-3^8qO-cDI8-B@M_!OgjN8f zMGdFmPSeKBlr&*{g2NOj>|?mi(OKQqHZO$;o<5n!g0E6G*&=-aLL6Cs?xVxQj}QEn z$#W}%Zv>`WuDj$7>RPf}l!}qXzYdnY8N3!ETd94*w_4Xe`FkIYQJJ0-$i8apX9lLf zNkTMjwu?K57$LMR-tCk(G*wu7F5-$};D$-qz7`2#Tp7N#^cf>s*u>?Tt|6RL3R4I}8TnwoJe@ppHu*t($`k z@z#F2sLCTcmq1!1>}xqcz^|96pq~G+n_$}lSH5@e9^>&SaL}o{m(ObGgtsZJ4tuWg z{g9t8Jfzx2HXJ(d{^t_>dr`1`Z)AYH5JtD|xT7jxn89E$`s!1j0I_`;)n;g0WZu5w z3$pvW=j%U45T#1#WOvALPu!^_Fx~mTg1b~b92 z?3eeGT=Bsg|6BX3?X4~>2A;U+Yr_n2pwGKlbsm)YSSruFK5BiYQ3%36A_Aq1s@&t* zM_c8RDto4OcKaF!=x}uZCJM0qB5$I!Jh7>{A+5te$otq zXxTm3PE_0;HSVr{ZHisOEe9Y);a|H6)ybbV< zFmA*Ao}@-oC!T|%ex|#A#xLu`k<>W$3ePbfOvI|Xe;tJj)5<59H>c~oCm6bx$OgGU z#}zcDL97D4L^m5KNz7R^J72u<@J>sdJPeV*y-$j8?SMIdsigHr11VWHZ)dAJW^Aw# zGVJ3F$gGFL`TiRtQcfV=MlXv#^}#0f{{0=BMt@Df{T_bn)O*eeoSTnk zx6RmvGT6tvN@ZKp%GpgE*VrDz8O3Ik4%jfTTmPKw{t0zEBd?s* z+t-1IP@*te3*7@}v&K-hJn*PKxOAjjF%p@u$tLlbKp^^_$x>!Xrf3;t;Vg!G-iqL}GQkaBMRFA+h9 z!Ty>85Bo}=j4T3ruHDIe&vLUWQH{?hfbVeaq-sB;T@?<;^z`7%32jE-CY zK3#h?tEK=X?*fP#>i5wdx1=70T+Sl}P9hpm44@|9lksmfl>aPxfF2<7U)SLOD7F5( z=)a$(|MjNwFJt`QJ^bI@^#9G2sCr^;4uSZ-pQHTFBDw^DT(qFSBLJv5KnySd2ErFv z5NZVk5D-3>|Ca0jFM_2*2?uOBiBC)D1Ae@zM1T8qo(3%}FmRJ~#Bt|jv`Pa?R&O51Y|jcJANEtF(_Itf z+0MjH5C4&>s1#k`eEgdXJtXRLRT~Vwpx~~_$j{d}H`paLw-7O8N806MBj$zF82XuM zinq;WD6!m?U*F9<&*dgw-zQ?GYvg^NpYhO}^ZEJ^<@q{$0rrtEg%MFqiw}3o!yoAH zOjV>1!r$JzrE9}RQ7fv~j%Bx=+!b|}eVD}UzdoP}f!;@cxSK&jPy^=l+4N2`8&FIz@xZa10xte6B8lK5BTrf`DM)Xz8 zTNPZxtyvWk5;Y#~Z!&gD$jutet3#`O8@*C>ioBkG0%t<^Pz0YOu zcJvlvN#&|p6H7z&s;B%tA9Ok}l0@8oq+{P2y9aIMIgd+}P4%!@h0H#g3s;wSPw~3& z)$-Pcr>Lh~GM32VB{a}HBt@q#L6n{SRIQ4s?mCTsLaWkq_e)yW%4pFC9hd=+CLFm* zayhN9Lz?hsz9E}ty;NLTVZe7Wmusp+R~sMkBYb8Gi$*)CdNp>-3OFQL`P4) zA;WBcM4!%k8~XnHBKjPO5)}pVkKF7Fc6Ia`>G#`dofFNR4!i?1z1|{I<3+NbU^R2` 
zd#0tOHah~388Hzn4~shg%A~AlaAQ2CHhST6w3VraFcvOkZ7fo*scz+Ndf(I0ZMWYY zL1JmXwGGH&U=4_fj?98-Cbvw{PH`cPzp-n>-|VLL=+EfhkIuHvGc=a1!j@*S)+JmJ z_Gau2v9KOSJ<@g8L{WNEdNY6gZJyBetWIDkAFkaCrLI!)s1<)Ozpwq_3>IQK+k>Ua zIfp$jfv*q=h9iK#1{f+XO2Y%;8#RXL^yNUM$Hyc806HYyJc5)M)J^V<&zz2Yc~TbQ zTp6a3C1p5V-uR^mP>bN#{ac(MGd@7e0(9L5N5v$~O>){HBMRDXz{TuGObDu#ph|7ecM zYyi)q?J@qw01nH|ukWI{p3&EaL;1i;)ji`5gjr`re*R^?&+no+;`UH30g8D^%11$)R1^GMv!stP z9O2rV5&@_iu#>Of04BG`q1_-gQz|WosjZ!Ve}YE`Rtj>j=p`g1BsL%j0e;!2&;{6z zN;Ng8Z~_&fIk}_aGgV#JQl2oAd{vzMICS5%zIj~~Q6Rf9o^&2hF7`&;=|B+uDV;oS z)flfynGQ2jnXiiz{aWYp1(=;d_0`0H zbV(%d=IwqL$O8WX^XK{V=kz>-Po6ya^!;{s+SV#qqrs}f8Uad;}UZ7^~;}S4{HO_rnu)HTv7}(g@8jZE=tSxfMuQy#~OYKP8Tbv|SzP+kxdIgC) z)>nf=GP+>`$fQa3a#yc4Gg=Z)@uxIgq^N`5=i@?Xz)@jr7{=S&jUD8dy6{m-Ls<4%pUbM#n=5oY#qms}znlXtuSpd&#vz!du zC=Hn^@rV1=js%g%4p3tAMdAJfeT4gcFfJoQ!%PP|MI?IPzTO=Ru2-svAX*n^4M%C>$ha*~a$TnBW+CIyzdjpmWR*V4gQM z8(TZhyH-IQY!r+Q3|_Fh4`Cz$$Z3C?b|Q_9U=m$NE@s7$1CkyXSZA;!WM2L zv`9PDraQ;baF29`W9y|m*$1Q&aocRvYXWx1nryl`Vc0x*lk?gD{^JD#gJrd11nAN( z>lnOC*qu9fu70xk)|sWAe=*ztap!(hO)USgw3IC#`{=E;-b7T~mdn z?Tu)MI1Dq%^JwC63nj4i8C^xh^g!0goRv2k;g^@ZIBmH(_;=^2=4Bnw5Otdj!*_Kz zlqCmKD734jz!-esXPvwuOim3F+07_r3zf=bDB8OLcB!=|M9-|{0nO^RHGp>tgg25F zZ;;@U3#fus+TLpR=^#Hl{<8{$zq4N7ctu$ibywUf!i|Ttpwf8}YWmzuSW#53a|oy3 zJC`KInzj5{z7eNf6=9`9Bvc(6)+=gdR%5$48PHOPTN)Y@?eBtztSQtl){*PA^2!bS zT&g_345x1_4JlB(hp8}!V%(B^rKq<0qK`J^4i(*Cif>yjIun30eTLbFX;J&bJb3s< zz>UQFQow73&>m6;`(%uIvb(!U%4q3nT4=8;*$qSe97exJRC|~c4KvyN9_UXlSrNuI z;2ic~*k%t$9!1J`kU1K!VRL(PpeeVz>!WSyYP0QIV%Jh)tU7EW#DKE0@~5*aek|BQ z@nyzlF;pJbXh}iqH@mNA3NTj$+uq4S_{lbp6)RG1CpqkFMkBHp2=XNImEI5sY}J4r z?a}n$+D?3Zo&{0=-7@}bQB&v9@*z?IcDa#buFdfgnTvC4cOW-KZ;Ecyx zu}&^dPArJ`_Fo#k0n!zS7^-N6nXzV^NQ zM!KPq(G-Z?xHXBz;B6}{Yn&GVbfmFpdiiU-ZsQz~ZQ<1D^)2nic!RO7f{%uJD)Rddm8!v_tk9zw#`|0;4nr|Zm|K>X=c&&?r7 zJFr$7mTl|GQ5vS=;+=iHK7I&gR-SkibFu#C{e!bL%y%e^H^z>0kUvTr?{!j~813cX z<=aGrr|fUMqi%^)TjJn7k19{cr%<;QatG|u13@%W{Sw}V5aBHUUadmsF~4!Urg;e^ zkiG{xL?=IN6(%Bi_*I`i%Jgv4xUI#hKk}{bL 
z34XbFxYj~UmL<^oeZ@!yH99TQUSRh%xaM?55*GlxYLUBArcfy_sPqDAv;AcKiaXlC z;Q(s48AQ-!2>h?zVPp zO>AQKbp@M&(~q6Q-u^B#w*MmNY+bN^LC?cDee25ny`04sT;$HymSU==*d@ z7ad1*KyL%3KDcX{z)lMzH~1$ZXNH+>PzXPQ(vLuNn!8W`;dP%c`}eV4nb(dSkH5u$ zn|c?Y;?4Z<#iA}%R~&HEArjPPl}`>y&=T)(O15BcXrI1$9TB*oSX@Nz@DZKB=&V`E zu&*~EK07r!^AmkL-=2opPX$Lm?cxsA0eSZPr&bG-6tgT8iN4D-EUx_cyAk5rpi;+u z!v8G3q$fiV=Kz@P<%r3Kz z-($OX`%7Yvx7T*Qkc4D#H|vGu1-5=-@A~ z_|-Eq|BZh~cfqE=b$3Qwe`Xe9|6x@Qz`fy_ZKLwM@~6q`D$mr&kRmR<|^T}!CnBMRxM!Y(gmSUN4KS7dH;YOyxII^itCH99`< zIq>Bf=-@l$oMmaDx;`;)`8R2j1HId^>!2*I%y?P4BWr&Livt&Y;~y)81?&34u7tjv z5EDHqEog$T@H)qInw~`S^5ngK@*^9Ka)f9{qu2ZUa4O-PuD4&6fXngqFB-`^jU$T$ z8KVcIHa%xsw$7HdI&WTa*Zhcos9M}St1tWqH9*v$%vy+fq+D8Xu&55!D5JX!jpt&f zEorDPf4O-6nI;`GxIA!A?DgP~(dK^4)KGDqdhE#PXhkEFWNF}48=^)>gf z6{bXiH55fBTftPZJ6P+%Vm9?E>J(H7@YxivK%JO8$gglZT`a4uGSXsCPkdT?v1rxA z^}Y}1^-XUCgQ`CE%6~x9sM=j-RMiNul8kx@7tgicaHEg>_l7C*`T3v0E5a)0tzB}y zikoV?#PwH|>t2kJv2k+0#20c}2phEZr`ma>ap_2$=^^K-T6q``Y!D``i%51k^vBps zruV6eRc@*M))@i#g>`s+g_z^9c;EEhdsBph};FG$LocydUCWHFF_A#&*Vv=&MFTta`wm4ZN@NGXpsm8D?%>$OK1P z8GE$(ncwBYu(@0RHI!{IQFKkzg|k=R*w%A+yrA`zOVKfWhkk~G0Qq8ErFB6uviz3S z(_;eZ+ryf6^;S6rqT}U_xbFoa0|MNKteThe4>UK&p8{}5ewg&~o!N;C;&l0N{JJ+I z`SWws%PabP3*Nof)|6LP*s|vr&$=5CXMcC|Oz82DDMP_^!))tc-DB?4U{0T&I(W6s zvK?Wyrn>e>QoBI~zHvz(>lU5+wEjIuc@61&*)Y__*t(p}g<}Ns0NK^Y89BImuW-<{ zB>K&uYme0J+pndVn3&vv!#gS}ik@91kxQY(sW(lxLlLZdCy-(ZKAmuDwvi*4ytO*b z7_H)#UcfZmJ1Mhd?5A0;k_dBj3GWwtlSmLKD!t7x@Z0ASCQ+sR)g+L3wBpU1t2V(i zsaet{eW1wr4>BiDPp$&b{(qx58R$ zPvAmwqv-jBh8_LHdK_DnZ(L`zhxAPJK5^l&9g}SPxNB3EdKkMZYJ7_|A*CBt0G;v5M* zbCm9t&EA!ynId|AHWnL@Bo|_@!p6#a{p?BJeg{b^_H57^@Y@zApRVfo=df=DZ?8H1 z!f-Uw#cYN^QFS_z3It@(lK|2=6S1)=J@i)bN8w$swoRgyFXz+21#sUBr`>T?mUJ4! 
z_3QLZiyrOO>Cbj0O0pS(_9$2K21)_gbW--%v14=(bhB%fgafnsMjp6T``t&Uc=`=k zPX5Mv@;5r@@!`XV+7_wLcGHc$nH}<M{as;IsV}(rF2isd7~Rik3X@08+?p|Tq^m=qA>BD zjoaTXcJ0ge`Wq)WdV^F>9iC1R%$E4T)%Qi_M?{qym#d5HH#%!7 z()v=boZwuw^Tj}BUHSEPaO!g2AGTj^{ou~>4|)u~LNavr>7Eks>HL+&?caH_|6WEj n=>r0JVN+*%=|yxX2S?uQXfAT*7(7l@1 literal 0 HcmV?d00001