---
title: Use Attack Surface Reduction rules to prevent malware infection
description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware
keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
---

# Reduce attack surfaces with Windows Defender Exploit Guard

**Applies to:**

- Windows 10 Insider Preview

**Audience**

- Enterprise security administrators

**Manageability available with**

- Group Policy
- PowerShell
- Configuration service providers for mobile device management

Attack Surface Reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).

Attack Surface Reduction works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection).

The feature comprises a number of rules, each of which targets specific behaviors that are typically used by malware and malicious apps to infect machines, such as:

- Executable files and scripts used in Office apps or web mail that attempt to download or run files
- Scripts that are obfuscated or otherwise suspicious
- Behaviors that apps undertake that are not usually initiated during normal day-to-day work

When a rule is triggered, a notification will be displayed from the Action Center.
You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.

You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack Surface Reduction would impact your organization if it were enabled.

## Requirements

The following requirements must be met before Attack Surface Reduction will work:

Windows 10 version | Windows Defender Antivirus
- | -
Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled

## Review Attack Surface Reduction events in Windows Event Viewer

You can review the Windows event log to see events that are created when an Attack Surface Reduction rule is triggered:

1. Download the [Exploit Guard Evaluation Package](#) and extract the file *asr-events.xml* to an easily accessible location on the machine.
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
3. On the left panel, under **Actions**, click **Import custom view...**
4. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [download the XML directly](scripts/asr-events.xml).
5. Click **OK**.
6. This will create a custom view that filters to only show the following events related to Attack Surface Reduction:

Event ID | Description
-|-
5007 | Event when settings are changed
1122 | Event when rule fires in Audit-mode
1121 | Event when rule fires in Block-mode

### Event fields

- **ID**: Matches the Rule-ID that triggered the block/audit.
- **Detection time**: Time of detection
- **Process Name**: The process that performed the “operation” that was blocked/audited
- **Description**: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus

## In this section

Topic | Description
---|---
[Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how the feature works, and what events would typically be created.
[Enable Attack Surface Reduction](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Attack Surface Reduction in your network.
[Customize Attack Surface Reduction](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by Attack Surface Reduction and customize the notification that appears on a user's machine when a rule blocks an app or file.
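
The three event IDs and the fields described under "Review Attack Surface Reduction events in Windows Event Viewer" can also be pulled with PowerShell, which is useful when reviewing audit-mode results across many machines. This is an added example, not part of the Exploit Guard Evaluation Package; it assumes the events are written to the `Microsoft-Windows-Windows Defender/Operational` log and that the event data uses the field names `ID` and `Process Name`, and `Get-AsrEvent` is a hypothetical helper name.

```powershell
# Assumption: ASR events are logged to the Windows Defender operational log.
$logName = 'Microsoft-Windows-Windows Defender/Operational'

# Event IDs and meanings as listed in the table on this page.
$meaning = @{
    5007 = 'Settings changed'
    1122 = 'Rule fired (audit mode)'
    1121 = 'Rule fired (block mode)'
}

function Get-AsrEvent {
    param([int]$Days = 7)

    $filter = @{
        LogName   = $logName
        Id        = 1121, 1122, 5007
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Index the EventData payload by field name.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Meaning     = $meaning[$e.Id]
            RuleId      = $data['ID']            # assumed field name; expected empty for 5007
            ProcessName = $data['Process Name']  # assumed field name
        }
    }
}

$asr = @(Get-AsrEvent -Days 7)
$asr | Sort-Object TimeCreated | Format-Table -AutoSize

# Count rule hits per rule ID and mode to see which rules would affect users most.
$asr | Where-Object EventId -in 1121, 1122 |
    Group-Object RuleId, Meaning |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run it from an elevated PowerShell session on the machine being evaluated; a high count of 1122 entries for a rule shows what enabling that rule in block mode would stop.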