windows-itpro-docs/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md

title, description, keywords, search.product, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, localizationpriority, author, ms.author

title	description	keywords	search.product	ms.pagetype	ms.prod	ms.mktglfcycl	ms.sitesec	ms.pagetype	localizationpriority	author	ms.author
Use Attack Surface Reduction rules to prevent malware infection	ASR rules can help prevent exploits from using apps and scripts to infect machines with malware	Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention	eADQiWindows 10XVcnh	security	w10	manage	library	security	medium	iaanw	iawilt

Reduce attack surfaces with Windows Defender Exploit Guard

Applies to:

• Windows 10 Insider Preview

Audience

• Enterprise security administrators

Manageability available with

• Group Policy
• PowerShell
• Configuration service providers for mobile device management

Attack Surface Reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.

It is part of Windows Defender Exploit Guard.

Attack Surface Reduction works best with Windows Defender Advanced Threat Protection - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual alert investigation scenarios.

The feature is comprised of a number of rules, each of which target specific behaviors that are typically used by malware and malicious apps to infect machines, such as:

• Executable files and scripts used in Office apps or web mail that attempt to download or run files
• Scripts that are obfuscated or otherwise suspicious
• Behaviors that apps undertake that are not usually inititated during normal day-to-day work

When a rule is triggered, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.

You can also use audit mode to evaluate how Attack Surface Reduction would impact your organization if it were enabled.

Requirements

The following requirements must be met before Attack Surface Reduction will work:

Windows 10 version | Windows Defender Antivirus

• | - Insider Preview build 16232 or later (dated July 1, 2017 or later) | Windows Defender AV real-time protection and cloud-delivered protection must be enabled

Review Attack Surface Reduction events in Windows Event Viewer

You can review the Windows event log to see events there are created when an Attack Surface Reduction rule is triggered:

1. Download the Exploit Guard Evaluation Package and extract the file asr-events.xml to an easily accessible location on the machine.

2. Type Event viewer in the Start menu to open the Windows Event Viewer.

3. On the left panel, under Actions, click Import custom view...

4. Navigate to the Exploit Guard Evaluation Package, and select the file asr-events.xml. Alternatively, download the XML directly.

5. Click OK.

6. This will create a custom view that filters to only show the following events related to Attack Surface Reduction:

Event ID	Description
5007	Event when settings are changed
1122	Event when rule fires in Audit-mode
1121	Event when rule fires in Block-mode

Event fields

• ID: matches with the Rule-ID that triggered the block/audit.
• Detection time: Time of detection
• Process Name: The process that performed the <20>operation<6F> that was blocked/audited
• Description: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus

In this section

Topic	Description
Evaluate Attack Surface Reduction	Use a tool to see a number of scenarios that demonstrate how the feature works, and what events would typically be created.
Enable Attack Surface Reduction	Use Group Policy, PowerShell, or MDM CSPs to enable and manage Attack Surface Reduction in your network.
Customize Attack Surface Reduction	Exclude specified files and folders from being evaluated by Attack Surface Reduction and customize the notification that appears on a user's machine when a rule blocks an app or file.