From 95c5435faeb9e2f77e12a5366bc848e0b3820588 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 31 Dec 2020 18:52:49 +0500 Subject: [PATCH 01/10] Addition of note As suggested by the user, the rule Block executable content from email client and webmail, have some different names depending on where we are looking at. Keeping this in view, I have created a PR to add a note for the same. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8556 --- .../microsoft-defender-atp/attack-surface-reduction.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index a0586d3024..238b8d7a79 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -243,6 +243,12 @@ Microsoft Endpoint Configuration Manager name: `Block executable content from em GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` +> [!Note] +> The rule **Block executable content from email client and webmail** is also reffered as following. +> Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions) +> Endpoint Manager: Block executable content download from email and webmail clients +> Group Policy: Block executable content from email client and webmail + ### Block executable files from running unless they meet a prevalence, age, or trusted list criterion This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list: From f2bcf45ebd366d15b832e6318b4611fc63b8e8cd Mon Sep 17 00:00:00 2001 
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 31 Dec 2020 20:37:11 +0500 Subject: [PATCH 02/10] Update windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 238b8d7a79..90dcfbad85 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -244,7 +244,7 @@ Microsoft Endpoint Configuration Manager name: `Block executable content from em GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` > [!Note] -> The rule **Block executable content from email client and webmail** is also reffered as following. +> The rule **Block executable content from email client and webmail** has the following separate descriptions, depending on which application you use: > Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions) > Endpoint Manager: Block executable content download from email and webmail clients > Group Policy: Block executable content from email client and webmail From ebd3cf2155fe6c6aee87510f5a1590f3ef0427f8 Mon Sep 17 00:00:00 2001 
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 1 Jan 2021 21:02:55 +0500 Subject: [PATCH 03/10] Update windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 90dcfbad85..9733c8b74f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -243,7 +243,7 @@ Microsoft Endpoint Configuration Manager name: `Block executable content from em GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` -> [!Note] +> [!NOTE] > The rule **Block executable content from email client and webmail** has the following separate descriptions, depending on which application you use: > Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions) > Endpoint Manager: Block executable content download from email and webmail clients From a722bb8029655ae4834e065fba5ec08ec18bbebe Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 1 Jan 2021 21:03:12 +0500 Subject: [PATCH 04/10] Update windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 9733c8b74f..43ded78026 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -245,7 +245,7 @@ GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` > [!NOTE] > The rule **Block executable content from email client and webmail** has the following separate descriptions, depending on which application you use: -> Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions) +- > Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions). > Endpoint Manager: Block executable content download from email and webmail clients > Group Policy: Block executable content from email client and webmail From c2a94c61c7c35f76b7b9c49cf583347be2753a5f Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 1 Jan 2021 21:03:24 +0500 Subject: [PATCH 05/10] Update windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 43ded78026..56bb500c7a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -246,7 +246,7 @@ GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` > [!NOTE] > The rule **Block executable content from email client and webmail** has the following separate descriptions, depending on which application you use: - > Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions). -> Endpoint Manager: Block executable content download from email and webmail clients +- > Endpoint Manager: Block executable content download from email and webmail clients. > Group Policy: Block executable content from email client and webmail ### Block executable files from running unless they meet a prevalence, age, or trusted list criterion From 161b98ac44b9c011314382518b11f8f3b286262d Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 1 Jan 2021 21:03:33 +0500 Subject: [PATCH 06/10] Update windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 56bb500c7a..a879459cd9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -247,7 +247,7 @@ GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` > The rule **Block executable content from email client and webmail** has the following separate descriptions, depending on which application you use: - > Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions). - > Endpoint Manager: Block executable content download from email and webmail clients. -> Group Policy: Block executable content from email client and webmail +- > Group Policy: Block executable content from email client and webmail. ### Block executable files from running unless they meet a prevalence, age, or trusted list criterion From e23d0de48a6fa550f9055ee447a66d0ba1b8dae5 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 1 Jan 2021 21:03:55 +0500 Subject: [PATCH 07/10] Update windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index a879459cd9..212256ae38 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -244,7 +244,7 @@ Microsoft Endpoint Configuration Manager name: `Block executable content from em GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` > [!NOTE] -> The rule **Block executable content from email client and webmail** has the following separate descriptions, depending on which application you use: +> The rule **Block executable content from email client and webmail** has the following alternative descriptions, depending on which application you use: - > Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions). - > Endpoint Manager: Block executable content download from email and webmail clients. - > Group Policy: Block executable content from email client and webmail. From 6e2c901c5414c3baa394adf0fd5d01bcd1226dfc Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 5 Jan 2021 11:23:05 -0800 Subject: [PATCH 08/10] Update windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/attack-surface-reduction.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 212256ae38..6224bb44dc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -245,9 +245,9 @@ GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` > [!NOTE] > The rule **Block executable content from email client and webmail** has the following alternative descriptions, depending on which application you use: -- > Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions). -- > Endpoint Manager: Block executable content download from email and webmail clients. -- > Group Policy: Block executable content from email client and webmail. +> - Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions). +> - Endpoint Manager: Block executable content download from email and webmail clients. +> - Group Policy: Block executable content from email client and webmail. ### Block executable files from running unless they meet a prevalence, age, or trusted list criterion From da5b55e02a6238dae3042b348ec186ffe45932ad Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 8 Jan 2021 10:36:11 -0800 Subject: [PATCH 09/10] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 6224bb44dc..822248f510 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -14,7 +14,7 @@ ms.author: deniseb ms.reviewer: sugamar, jcedola manager: dansimp ms.custom: asr -ms.date: 12/10/2020 +ms.date: 01/08/2021 --- # Use attack surface reduction rules to prevent malware infection From 34939f9bc55c5f9880bd01b93d3d635137b1508c Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Fri, 8 Jan 2021 10:36:45 -0800 Subject: [PATCH 10/10] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 822248f510..bc606abd44 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -468,4 +468,4 @@ GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35` - [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) -- [Compatibility of Microsoft Defender with other antivirus/antimalware](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md) +- [Compatibility of Microsoft Defender Antivirus with other antivirus/antimalware solutions](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
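Review bot: In PATCH 01/10, the three added name lines (`> Intune (Configuration Profiles): ...`, `> Endpoint Manager: ...`, `> Group Policy: ...`) have no list marker or hard line break, so Markdown joins them with the intro sentence into one run-on paragraph inside the note. Make each a `> - ` item. In the same hunk, "is also reffered as following" misspells "referred", and the alert tag is written `[!Note]` where a later patch in this series settles on `[!NOTE]`. The hunk header shows the section already carries a "Microsoft Endpoint Configuration Manager name:" line, so consider listing the other consoles' names alongside it instead of in a separate note.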
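Review bot: In PATCH 04/10 through 06/10, the replacement lines begin with `- > `, which places the list marker outside the blockquote: each item becomes a top-level bullet wrapping its own quote and drops out of the `[!NOTE]` block. The marker order should be `> - `, as PATCH 08/10 later applies. Converting one line per commit also leaves the note half list and half plain text after 04/10 and 05/10; make the three changes in a single commit.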
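Review bot: In PATCH 08/10, the third bullet gives the Group Policy name as "Block executable content from email client and webmail", which is word for word the rule name bolded in the intro line, so it is not an "alternative description". Either reword the intro to say the rule appears under these names in each console, or mark the Group Policy entry as identical to the rule name. The second bullet says "Endpoint Manager" while the surrounding section (see the hunk header in PATCH 01/10) uses "Microsoft Endpoint Configuration Manager"; state explicitly which product is meant so readers can match the name to the console they are configuring.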
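Review bot: PATCH 09/10 and 10/10 both carry the subject "Update attack-surface-reduction.md" with no body, and the link-text change at line 468 in 10/10 is unrelated to the note this series adds. Give each commit a subject that states the change (the `ms.date` bump, the related-link text) and mention the link edit in the PR description so it is not lost when the series is squashed.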