2018-06-27 16:58:05 -07:00


---
title: See how Exploit protection works in a demo
description: See how Exploit protection can prevent suspicious behaviors from occurring on specific apps.
keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigation
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
---
# Evaluate Exploit protection

**Applies to:**

- Windows 10, version 1709 and later
- Windows Server 2016

**Audience**

- Enterprise security administrators

**Manageability available with**

- Windows Defender Security Center app
- Group Policy
- PowerShell

Exploit protection helps protect devices from malware that uses exploits to spread and infect. It consists of a number of mitigations that can be applied either at the operating system level or at the individual app level.

Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit protection.

This topic helps you evaluate Exploit protection. See the [Exploit protection topic](exploit-protection-exploit-guard.md) for more information on what Exploit protection does and how to configure it for real-world deployment.

>[!NOTE]
>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it.
>For instructions on how to use Group Policy and Mobile Device Management (MDM) to deploy these settings across your network, see the main [Exploit protection topic](exploit-protection-exploit-guard.md).

>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.

## Enable and validate an Exploit protection mitigation

For this demo you will enable the mitigation that prevents child processes from being created. You'll use Internet Explorer as the parent app.

First, enable the mitigation using PowerShell, and then confirm that it has been applied in the Windows Defender Security Center app:

1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**.
2. Enter the following cmdlet:

   ```PowerShell
   Set-ProcessMitigation -Name iexplore.exe -Enable DisallowChildProcessCreation
   ```

3. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the Start menu for **Defender**.
4. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen.
5. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**.
6. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**.

Now that you know the mitigation has been enabled, you can test to see if it works and what the experience would be for an end user:

1. Type **run** in the Start menu and press **Enter** to open the Run dialog box.
2. Type **iexplore.exe** and press **Enter** or click **OK** to attempt to open Internet Explorer.
3. Internet Explorer should briefly open and then immediately shut down again, indicating that the mitigation was applied and prevented Internet Explorer from opening a child process (its own process).

Lastly, we can disable the mitigation so that Internet Explorer works properly again:

1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the Start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen.
3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**.
4. Find the **Do not allow child processes** setting and set the switch to **Off**. Click **Apply**.
5. Validate that Internet Explorer runs by running it from the Run dialog box again. It should open as expected.

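The same enable, verify and roll-back cycle can be driven entirely from an elevated PowerShell prompt. The script below is an added example, not part of the original topic; it uses the `Set-ProcessMitigation` cmdlet shown above together with `Get-ProcessMitigation`, and it assumes (not stated on this page) that the object `Get-ProcessMitigation` returns exposes the setting as `ChildProcess.DisallowChildProcessCreation` with values such as `ON`, `OFF` or `NOTSET`. The `Test-AppStaysRunning` helper is the script's own and simply automates the Run-dialog check: with the mitigation on, Internet Explorer exits within a few seconds; with it off, it stays open.

```powershell
# Added example (not from the original page): enable, verify and roll back the
# "Do not allow child processes" mitigation for iexplore.exe from PowerShell.
# Run from an elevated prompt. Assumption: Get-ProcessMitigation returns an
# object with a ChildProcess.DisallowChildProcessCreation property; confirm the
# property name on your build with: Get-ProcessMitigation -Name iexplore.exe | Get-Member

$app = 'iexplore.exe'

function Get-ChildProcessMitigationState {
    param([string]$Name)
    # Per-program settings only; system-wide defaults are shown by -System.
    $m = Get-ProcessMitigation -Name $Name
    return $m.ChildProcess.DisallowChildProcessCreation
}

function Test-AppStaysRunning {
    param([string]$Name, [int]$Seconds = 5)
    # Mitigations are applied at process start, so close any running instance
    # first to get a clean result.
    Get-Process ($Name -replace '\.exe$') -ErrorAction SilentlyContinue | Stop-Process -Force
    $p = Start-Process -FilePath $Name -PassThru
    Start-Sleep -Seconds $Seconds
    $alive = -not $p.HasExited
    if ($alive) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
    return $alive
}

# 1. Enable the mitigation (same cmdlet as the demo) and read it back.
Set-ProcessMitigation -Name $app -Enable DisallowChildProcessCreation
"Mitigation state after enable : $(Get-ChildProcessMitigationState -Name $app)"

# 2. Reproduce the end-user experience: the parent cannot spawn its content
#    process, so it shuts down almost immediately (expected: False).
"IE stays open with mitigation ON : $(Test-AppStaysRunning -Name $app)"

# 3. Roll back so the browser works again, then re-test (expected: True).
Set-ProcessMitigation -Name $app -Disable DisallowChildProcessCreation
"Mitigation state after disable: $(Get-ChildProcessMitigationState -Name $app)"
"IE stays open with mitigation OFF: $(Test-AppStaysRunning -Name $app)"
```

Note that `-Disable` records an explicit `OFF` for the program rather than returning it to `NOTSET`; if you want the program to inherit the system default again, clear the per-program override in the Windows Defender Security Center app as described in the steps above.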
## Review Exploit protection events in Windows Event Viewer

You can now review the events that Exploit protection sent to the Windows Event log to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events).

1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine.
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
3. On the left panel, under **Actions**, click **Import custom view...**
4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
5. Click **OK**.
6. This creates a custom view that filters the log to show only the events related to Exploit protection, which are all listed in the [Exploit protection](exploit-protection-exploit-guard.md) topic.
7. The specific event to look for in this demo is event ID 4, which should have the following or similar information:

   ```text
   Process '\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe' (PID 4692) was blocked from creating a child process 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' with command line '"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:75009 /prefetch:2'.
   ```

## Use audit mode to measure impact

As with other Windows Defender Exploit Guard features, you can enable Exploit protection in audit mode. You can enable audit mode for individual mitigations.

This lets you see a record of what *would* have happened if you had enabled the mitigation.

You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious or malicious events generally occur over a certain period.

See the [**PowerShell reference** section in the Customize Exploit protection topic](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode.

For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).

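Reviewing the events from PowerShell instead of the Event Viewer custom view fits both the event-review section above and audit mode: the same query surfaces the block events from the demo and the audit events you would collect while measuring impact. The script below is an added example, not part of the original topic. It assumes (not stated on this page) that the child-process audit switch is named `AuditChildProcess`, as listed in the linked Customize Exploit protection PowerShell reference, that these events are written to the `Microsoft-Windows-Security-Mitigations/UserMode` and `/KernelMode` channels, and that event ID 3 is the audit counterpart of the ID 4 block event quoted above. The `Get-ChildProcessMitigationEvents` function is the script's own; it parses the parent and child paths out of the message text in the format shown in the sample event.

```powershell
# Added example (not from the original page): put the child-process mitigation
# for iexplore.exe into audit mode, then read the Security-Mitigations events
# with Get-WinEvent. Run from an elevated prompt.
# Assumptions (not on this page): switch name AuditChildProcess, the two
# channel names below, and ID 3 = audited / ID 4 = blocked.

$app = 'iexplore.exe'
$channels = 'Microsoft-Windows-Security-Mitigations/UserMode',
            'Microsoft-Windows-Security-Mitigations/KernelMode'

# Audit only: nothing is blocked, but an event is logged for each attempt,
# which is what you want while checking line-of-business apps.
Set-ProcessMitigation -Name $app -Enable AuditChildProcess

function Get-ChildProcessMitigationEvents {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    foreach ($log in $channels) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 3, 4; StartTime = $Since } `
                     -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Extract parent and child image paths from the message text,
                # matching the wording of the sample event quoted in this topic.
                $msg    = $_.Message
                $parent = if ($msg -match "Process '([^']+)'")       { $Matches[1] } else { '' }
                $child  = if ($msg -match "child process '([^']+)'") { $Matches[1] } else { '' }
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Mode   = if ($_.Id -eq 4) { 'Blocked' } else { 'Audited' }
                    Parent = $parent
                    Child  = $child
                    Log    = $log
                }
            }
    }
}

# Launch the app once so there is something to observe, then list the events.
Start-Process -FilePath $app
Start-Sleep -Seconds 5
Get-ChildProcessMitigationEvents | Sort-Object Time | Format-Table -AutoSize

# Clean-up when the evaluation is over.
Set-ProcessMitigation -Name $app -Disable AuditChildProcess
```

Because the query filters on both event IDs, you can run it before and after switching a mitigation from audit to enforce and compare the `Mode` column: an app that produced only `Audited` rows during the evaluation window is the one that will start failing once the mitigation is enforced.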
## Related topics

- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Enable Exploit protection](enable-exploit-protection.md)
- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)