deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-17 19:33:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
Files
a494f986942802d2bc6152bccb20681c760c3b1c
windows-itpro-docs/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
Andrea Bichsel (Aquent LLC) 5e87bf8ce3 Added new beta rule
2018-07-30 18:54:38 +00:00

8.2 KiB
Raw Blame History

title, description, keywords, search.product, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, ms.localizationpriority, author, ms.author, ms.date
title description keywords search.product ms.pagetype ms.prod ms.mktglfcycl ms.sitesec ms.pagetype ms.localizationpriority author ms.author ms.date
Configure how ASR works to finetune protection in your network You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude eADQiWindows 10XVcnh security w10 manage library security medium andreabichsel v-anbic 07/30/2018

Customize Attack surface reduction

Applies to:

  • Windows 10 Enterprise edition, version 1709 and later
  • Windows Server 2016

Audience

  • Enterprise security administrators

Manageability available with

  • Windows Defender Security Center app
  • Group Policy
  • PowerShell
  • Configuration service providers for mobile device management

Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.

This topic describes how to customize Attack surface reduction by excluding files and folders or adding custom text to the notification alert that appears on a user's computer.

You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.

Exclude files and folders

You can exclude files and folders from being evaluated by most Attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an Attack surface reduction rule, the file will not be blocked from running.

This could potentially allow unsafe files to run and infect your devices.

Warning

Excluding files or folders can severely reduce the protection provided by Attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.

If you are encountering problems with rules detecting files that you believe should not be detected, you should use audit mode first to test the rule.

You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode) and that allow exclusions.

Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see Use wildcards in the file name and folder path or extension exclusion lists.

Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe.

Important

Rules that do not honor the exclusion list will not exclude folders or files added in the exclusion list. All files will be evaluated and potentially blocked by rules that do not honor the exclusion list (indicated with a red X in the following table).

Rule description Rule honors exclusions GUID
Block Office applications from creating child processes [!includeCheck mark yes] D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block execution of potentially obfuscated scripts [!includeCheck mark yes] 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro [!includeCheck mark yes] 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block Office applications from creating executable content [!includeCheck mark yes] 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes [!includeCheck mark no] 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block JavaScript or VBScript from launching downloaded executable content [!includeCheck mark no] D3E037E1-3EB8-44C8-A917-57927947596D
Block executable content from email client and webmail [!includeCheck mark no] BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block executable files from running unless they meet a prevalence, age, or trusted list criteria [!includeCheck mark yes] 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware [!includeCheck mark yes] c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe) [!includeCheck mark no] 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands [!includeCheck mark yes] d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB [!includeCheck mark yes] b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes (available for beta testing) [!includeCheck mark yes] 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes (available for beta testing) [!includeCheck mark yes] 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c

See the Attack surface reduction topic for details on each rule.

Use Group Policy to exclude files and folders

  1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.

  2. In the Group Policy Management Editor go to Computer configuration and click Administrative templates.

  3. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction.

  4. Double-click the Exclude files and paths from Attack surface reduction Rules setting and set the option to Enabled. Click Show and enter each file or folder in the Value name column. Enter 0 in the Value column for each item.

Use PowerShell to exclude files and folderss

  1. Type powershell in the Start menu, right click Windows PowerShell and click Run as administrator

  2. Enter the following cmdlet:

    Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"

Continue to use Add-MpPreference -AttackSurfaceReductionOnlyExclusions to add more folders to the list.

Important

Use Add-MpPreference to append or add apps to the list. Using the Set-MpPreference cmdlet will overwrite the existing list.

Use MDM CSPs to exclude files and folders

Use the ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions configuration service provider (CSP) to add exclusions.

Customize the notification

See the Windows Defender Security Center topic for more information about customizing the notification when a rule is triggered and blocks an app or file.

Related topics