--- title: See how Exploit protection works in a demo description: See how Exploit Protection can prevent suspicious behaviors from occurring on specific apps. keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigation search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb ms.date: 01/06/2021 ms.reviewer: manager: dansimp ms.technology: mde --- # Evaluate exploit protection [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) [Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. (The EMET has reached its end of support.) In audit, you can see how mitigation works for certain apps in a test environment. This shows what *would* have happened if you enabled exploit protection in your production environment. This way, you can verify that exploit protection doesn't adversely affect your line-of-business apps, and see which suspicious or malicious events occur. > [!TIP] > You can also visit the Microsoft Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works. ## Enable exploit protection for testing You can set mitigations in a testing mode for specific programs by using the Windows Security app or Windows PowerShell. ### Windows Security app 1. Open the Windows Security app. Select the shield icon in the task bar or search the start menu for **Defender**. 2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**. 3. Go to **Program settings** and choose the app you want to apply protection to: 1. If the app you want to configure is already listed, select it and then select **Edit** 2. If the app is not listed at the top of the list select **Add program to customize**. Then, choose how you want to add the app. - Use **Add by program name** to have the mitigation applied to any running process with that name. Specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You'll be notified if you need to restart the process, app, or Windows. 5. Repeat this procedure for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration. ### PowerShell To set app-level mitigations to audit mode, use `Set-ProcessMitigation` with the **Audit mode** cmdlet. Configure each mitigation in the following format: ```PowerShell Set-ProcessMitigation - - ,, ``` Where: ``` * \: * `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. * \: * `-Enable` to enable the mitigation * `-Disable` to disable the mitigation * \: * The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma. ``` |Mitigation | Audit mode cmdlet | |---|---| |Arbitrary Code Guard (ACG) | `AuditDynamicCode` | |Block low integrity images | `AuditImageLoad` |Block untrusted fonts | `AuditFont`, `FontAuditOnly` | |Code integrity guard | `AuditMicrosoftSigned`, `AuditStoreSigned` | |Disable Win32k system calls | `AuditSystemCall` | |Do not allow child processes | `AuditChildProcess` | For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command: ```PowerShell Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode ``` You can disable **audit mode** by replacing `-Enable` with `-Disable`. ## Review exploit protection audit events To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log. | Feature | Provider/source | Event ID | Description | |---|---|--|---| | Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit | | Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit | | Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit | | Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit | | Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit | | Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit | ## See also - [Enable exploit protection](enable-exploit-protection.md) - [Configure and audit exploit protection mitigations](customize-exploit-protection.md) - [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) - [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)