deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-24 06:43:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
Files
a685cfa876f711ba8e5465a9959ca94f20f5a891
windows-itpro-docs/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
Iaan D'Souza-Wiltshire 0f86c64fa3 update versioning, remove prelease tag
2017-10-16 19:47:14 -07:00

95 lines
4.0 KiB
Markdown
Raw Blame History

---
title: Configure how ASR works to finetune protection in your network
description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Customize Attack surface reduction
**Applies to:**
- Windows 10, version 1709
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
This topic describes how to customize Attack surface reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
## Exclude files and folders
You can exclude files and folders from being evaluated by Attack surface reduction rules.
You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode).
### Use Group Policy to exclude files and folders
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**.
6. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
### Use PowerShell to exclude files and folderss
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"
```
Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list.
>[!IMPORTANT]
>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
### Use MDM CSPs to exclude files and folders
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
## Customize the notification
See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
## Related topics
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Enable Attack surface reduction](enable-attack-surface-reduction.md)
- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md)
Reference in New Issue View Git Blame Copy Permalink