Applies to:
Exploit protection helps protect against malware that uses exploits to infect devices and spread. Exploit protection consists of many mitigations that can be applied to either the operating system or individual apps.
Important
.NET 2.0 is not compatible with some exploit protection capabilities, specifically, Export Address Filtering (EAF) and Import Address Filtering (IAF). If you have enabled .NET 2.0, usage of EAF and IAF are not supported.
Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
PrerequisitesThis section includes recommendations for you to be successful with deploying exploit protection.
Set up monitoring for application crashes (Event ID 1000 and/or Event ID 1001) and/or hangs (Event ID 1002)
Enable full user mode dump collection
Check to see which applications are already compiled with "Control Flow Guard" (CFG) which primarily focus on mitigating memory corruption vulnerabilities. Use dumpbin tool to see if it's compiled w/ CFG. For these applications, you could skip enabling enforcement for DEP, ASRL, SEHOP, and ACG.
Use safe deployment practices.
Warning
If you do not test and do not go through safe deployment practices, you could contribute to end-user productivity outages.
Safe deployment practicesSafe deployment practices (SDP): Safe deployment processes and procedures define how to safely make and deploy changes to your workload. Implementing SDP requires you to think about deployments through the lens of managing risk. You can minimize the risk of end-user productivity outages in your deployments and limit the effects of problematic deployments on your users by implementing SDP.
Start out with a small set (for example, 10 to 50) of Windows devices and use that as your test environment to see which of the 21 mitigations, are incompatible with exploit protection. Remove the mitigations that aren't compatible with the application. Reiterate with the applications that you're targeting. Once you feel that the policy is ready for production.
Start out by pushing first to User Acceptance Testing (UAT) comprised of the IT administrators, Security administrators and help desk personnel. Then to 1%, 5%, 10%, 25%, 50%, 75%, and finally to 100% of your environment.
Enabling exploit protection mitigationsYou can enable each mitigation separately by using any of these methods:
Exploit protection is configured by default in Windows 10 and Windows 11. You can set each mitigation to on, off, or to its default value. Some mitigations have more options. You can export these settings as an XML file and deploy them to other devices.
You can also set mitigations to audit mode. Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the device.
Windows Security appOpen the Windows Security app by either selecting the shield icon in your task bar, or by searching the Start menu for Security.
Select the App & browser control tile (or the app icon on the left menu bar) and then select Exploit protection settings.
Go to Program settings and choose the app you want to apply mitigations to.
After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing Audit applies the mitigation in audit mode only. You're notified if you need to restart the process or app, or if you need to restart Windows.
Repeat steps 3-4 for all the apps and mitigations you want to configure.
Under the System settings section, find the mitigation you want to configure and then specify one of the following settings. Apps that aren't configured individually in the Program settings section use the settings that are configured here.
Repeat step 6 for all the system-level mitigations you want to configure. Select Apply when you're done setting up your configuration.
If you add an app to the Program settings section and configure individual mitigation settings there, they are honored above the configuration for the same mitigations specified in the System settings section. The following matrix and examples help to illustrate how defaults work:
Enabled in Program settings Enabled in System settings Behavior Yes No As defined in Program settings Yes Yes As defined in Program settings No Yes As defined in System settings No No Default as defined in Use default option Example 1: Mikael configures Data Execution Prevention in system settings section to be off by defaultMikael adds the app test.exe to the Program settings section. In the options for that app, under Data Execution Prevention (DEP), Mikael enables the Override system settings option and sets the switch to On. There are no other apps listed in the Program settings section.
The result is that DEP is enabled only for test.exe. All other apps won't have DEP applied.
Example 2: Josie configures Data Execution Prevention in system settings to be off by defaultJosie adds the app test.exe to the Program settings section. In the options for that app, under Data Execution Prevention (DEP), Josie enables the Override system settings option and sets the switch to On.
Josie also adds the app miles.exe to the Program settings section and configures Control flow guard (CFG) to On. Josie doesn't enable the Override system settings option for DEP or any other mitigations for that app.
The result is that DEP is enabled for test.exe. DEP won't be enabled for any other app, including miles.exe. CFG will be enabled for miles.exe.
Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for Windows Security.
Select the App & browser control tile (or the app icon on the left menu bar) and then select Exploit protection.
Go to Program settings and choose the app you want to apply mitigations to.
After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing Audit applies the mitigation in audit mode only. You're notified if you need to restart the process or app, or if you need to restart Windows.
Repeat steps 3-4 for all the apps and mitigations you want to configure. Select Apply when you're done setting up your configuration.
Sign in to the Azure portal and open Intune.
Go to Device configuration > Configuration Profiles > Create profile.
Name the profile, choose Windows 10 and later, select templates for Profile type and choose Endpoint protection under template name.
Select Configure > Windows Defender Exploit Guard > Exploit protection.
Upload an XML file with the exploit protection settings:
Select OK to save each open blade, and then choose Create.
Select the profile Assignments tab, assign the policy to All Users & All Devices, and then select Save.
Use the ./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings configuration service provider (CSP) to enable or disable exploit protection mitigations or to use audit mode.
Microsoft Configuration Manager Endpoint SecurityIn Microsoft Configuration Manager, go to Endpoint Security > Attack surface reduction.
Select Create Policy > Platform, and for Profile, choose Exploit Protection. Then select Create.
Specify a name and a description, and then choose Next.
Choose Select XML File and browse to the location of the exploit protection XML file. Select the file, and then choose Next.
Configure Scope tags and Assignments if necessary.
Under Review + create, review your configuration settings, and then choose Create.
In Microsoft Configuration Manager, go to Assets and Compliance > Endpoint Protection > Windows Defender Exploit Guard.
Select Home > Create Exploit Guard Policy.
Specify a name and a description, select Exploit protection, and then choose Next.
Browse to the location of the exploit protection XML file and select Next.
Review the settings, and then choose Next to create the policy.
After the policy is created, select Close.
On your Group Policy management device, open the Group Policy Management Console. Right-click the Group Policy Object you want to configure and select Edit.
In the Group Policy Management Editor, go to Computer configuration and select Administrative templates.
Expand the tree to Windows components > Windows Defender Exploit Guard > Exploit Protection > Use a common set of exploit protection settings.
Select Enabled and type the location of the XML file, and then choose OK.
You can use the PowerShell verb Get or Set with the cmdlet ProcessMitigation. Using Get lists the current configuration status of any mitigations that are enabled on the device. Add the -Name cmdlet and app exe to see mitigations for just that app:
Get-ProcessMitigation -Name processName.exe
Important
System-level mitigations that have not been configured will show a status of NOTSET.
NOTSET indicates the default setting for that mitigation has been applied.NOTSET indicates the system-level setting for the mitigation will be applied. The default setting for each system-level mitigation can be seen in the Windows Security.Use Set to configure each mitigation in the following format:
Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>
Where:
-Name to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
-System to indicate the mitigation should be applied at the system level-Enable to enable the mitigation-Disable to disable the mitigationFor example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called testing.exe in the folder C:\Apps\LOB\tests, and to prevent that executable from creating child processes, you'd use the following command:
Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation
Important
Separate each mitigation option with commas.
If you wanted to apply DEP at the system level, you'd use the following command:
Set-Processmitigation -System -Enable DEP
To disable mitigations, you can replace -Enable with -Disable. However, for app-level mitigations, this action forces the mitigation to be disabled only for that app.
If you need to restore the mitigation back to the system default, you need to include the -Remove cmdlet as well, as in the following example:
Set-Processmitigation -Name test.exe -Remove -Disable DEP
The following table lists the individual Mitigations (and Audits, when available) to be used with the -Enable or -Disable cmdlet parameters.
CFG, StrictCFG, SuppressExports Audit not available Data Execution Prevention (DEP) System and app-level DEP, EmulateAtlThunks Audit not available Force randomization for images (Mandatory ASLR) System and app-level ForceRelocateImages Audit not available Randomize memory allocations (Bottom-Up ASLR) System and app-level BottomUp, HighEntropy Audit not available Validate exception chains (SEHOP) System and app-level SEHOP, SEHOPTelemetry Audit not available Validate heap integrity System and app-level TerminateOnError Audit not available Arbitrary code guard (ACG) App-level only DynamicCode AuditDynamicCode Block low integrity images App-level only BlockLowLabel AuditImageLoad Block remote images App-level only BlockRemoteImages Audit not available Block untrusted fonts App-level only DisableNonSystemFonts AuditFont, FontAuditOnly Code integrity guard App-level only BlockNonMicrosoftSigned, AllowStoreSigned AuditMicrosoftSigned, AuditStoreSigned Disable extension points App-level only ExtensionPoint Audit not available Disable Win32k system calls App-level only DisableWin32kSystemCalls AuditSystemCall Don't allow child processes App-level only DisallowChildProcessCreation AuditChildProcess Export address filtering (EAF) App-level only EnableExportAddressFilterPlus, EnableExportAddressFilter [1] Audit not available [2] Import address filtering (IAF) App-level only EnableImportAddressFilter Audit not available [2] Simulate execution (SimExec) App-level only EnableRopSimExec Audit not available [2] Validate API invocation (CallerCheck) App-level only EnableRopCallerCheck Audit not available [2] Validate handle usage App-level only StrictHandle Audit not available Validate image dependency integrity App-level only EnforceModuleDepencySigning Audit not available Validate stack integrity (StackPivot) App-level only EnableRopStackPivot Audit not available [2]
[1]: Use the following format to enable EAF modules for DLLs for a process:
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
[2]: Audit for this mitigation isn't available via PowerShell cmdlets.
Customize the notificationFor information about customizing the notification when a rule is triggered and an app or file is blocked, see Windows Security.
Removing the exploit protection mitigationsTo reset (undo or remove) the exploit protection mitigations, see the Exploit protection reference.
See alsoRetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4