mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 14:27:22 +00:00
---
title: See how exploit protection works in a demo
description: See how exploit protection can prevent suspicious behaviors from occurring on specific apps.
keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigation
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
author: levinec
ms.author: ellevin
ms.date: 04/02/2019
ms.reviewer:
manager: dansimp
---

# Evaluate exploit protection

**Applies to:**

- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

[Exploit protection](exploit-protection-exploit-guard.md) helps protect devices from malware that uses exploits to spread and infect other devices.
It consists of a number of mitigations that can be applied to either the operating system or an individual app.
Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection.

This topic helps you enable exploit protection in audit mode and review related events in Event Viewer.
You can enable audit mode for certain app-level mitigations to see how they will work in a test environment.
This lets you see a record of what *would* have happened if you had enabled the mitigation in production.
You can make sure it doesn't affect your line-of-business apps, and see which suspicious or malicious events occur.

> [!TIP]
> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works.

## Enable exploit protection in audit mode

You can set mitigations in audit mode for specific programs either by using the Windows Security app or PowerShell.

### Windows Security app

1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.

2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.

3. Go to **Program settings** and choose the app you want to apply mitigations to:

    1. If the app you want to configure is already listed, click it and then click **Edit**.

    2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:

        - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.

        - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.

4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.

5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.

### PowerShell

To set app-level mitigations to audit mode, use `Set-ProcessMitigation` and specify the audit-mode option for each mitigation (listed in the table below).

Configure each mitigation in the following format:

```PowerShell
Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>
```

Where:

- \<Scope>:
    - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
- \<Action>:
    - `-Enable` to enable the mitigation
    - `-Disable` to disable the mitigation
- \<Mitigation>:
    - The mitigation's audit-mode option as defined in the following table. Separate multiple mitigations with commas.

| Mitigation | Audit mode option |
| - | - |
| Arbitrary code guard (ACG) | AuditDynamicCode |
| Block low integrity images | AuditImageLoad |
| Block untrusted fonts | AuditFont, FontAuditOnly |
| Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned |
| Disable Win32k system calls | AuditSystemCall |
| Do not allow child processes | AuditChildProcess |

For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command:

```PowerShell
Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
```

You can disable audit mode by replacing `-Enable` with `-Disable`.

## Review exploit protection audit events

To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log.

| Feature | Provider/source | Event ID | Description |
| :- | :- | :-: | :- |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit |
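
The following script is an added example, written for this page and not taken from the Microsoft docs or the cmdlet's own documentation: it ties the PowerShell configuration section above to this review step by putting a hypothetical test app into audit mode for the listed mitigations and then summarizing the audit events by the event IDs in the table. It assumes an elevated session and that the Kernel Mode and User Mode logs shown in Event Viewer are the channels `Microsoft-Windows-Security-Mitigations/KernelMode` and `Microsoft-Windows-Security-Mitigations/UserMode`.

```powershell
# Added example (not from the Microsoft docs page or the cmdlet's documentation): put a test
# app into audit mode for the mitigations listed above, then summarize the audit events that
# Event Viewer shows under Security-Mitigations. Run from an elevated PowerShell session.

# Hypothetical test app path, matching the page's example. Nothing is blocked in audit mode.
$App = 'C:\apps\lob\tests\testing.exe'

# Audit-mode options from the table in the PowerShell section above.
$AuditOptions = 'AuditDynamicCode', 'AuditImageLoad', 'AuditSystemCall', 'AuditChildProcess', 'AuditMicrosoftSigned'
Set-ProcessMitigation -Name $App -Enable $AuditOptions

# Event ID -> mitigation, taken from the audit-events table on this page.
$AuditEvents = @{
    1  = 'Arbitrary code guard (ACG)'
    3  = 'Do not allow child processes'
    5  = 'Block low integrity images'
    7  = 'Block remote images'
    9  = 'Disable Win32k system calls'
    11 = 'Code integrity guard'
}

# Assumed channel names for the Kernel Mode / User Mode logs shown in Event Viewer.
$Logs = 'Microsoft-Windows-Security-Mitigations/KernelMode',
        'Microsoft-Windows-Security-Mitigations/UserMode'

$Events = foreach ($Log in $Logs) {
    # Get-WinEvent raises an error when a log has no matching events; that just means
    # nothing has been audited yet, so suppress it rather than abort the review.
    Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = [int[]]$AuditEvents.Keys } -ErrorAction SilentlyContinue
}

if (-not $Events) {
    Write-Host "No exploit protection audit events recorded yet for the configured mitigations."
    return
}
# Per-mitigation counts: anything listed here would have been blocked in production.
$Events | Group-Object Id | Sort-Object { [int]$_.Name } | ForEach-Object {
    [pscustomobject]@{
        EventId    = [int]$_.Name
        Mitigation = $AuditEvents[[int]$_.Name]
        Count      = $_.Count
        Latest     = ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated
    }
} | Format-Table -AutoSize

# Most recent events in full, to confirm which process and module triggered each one.
$Events | Sort-Object TimeCreated -Descending |
    Select-Object -First 5 TimeCreated, Id, ProcessId, Message | Format-List
```

Exercise the app normally between the configuration step and the review so the log reflects real line-of-business behaviour; an event whose message names the test app's own process is the signal that the mitigation would have interfered with it in production.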

## Related topics

- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Enable exploit protection](enable-exploit-protection.md)
- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)
- [Enable network protection](enable-network-protection.md)
- [Enable controlled folder access](enable-controlled-folders-exploit-guard.md)
- [Enable attack surface reduction](enable-attack-surface-reduction.md)