

Troubleshoot exploit protection mitigations


Want to experience Defender for Endpoint? Sign up for a free trial.

When you create a set of exploit protection mitigations (known as a configuration), you might find that the configuration export and import process doesn't remove all unwanted mitigations.

You can remove unwanted mitigations manually in Windows Security, or you can use the following process to remove all mitigations and then import a baseline configuration file instead.

  1. Remove all process mitigations with this PowerShell script:

    # Check if Admin-Privileges are available
    function Test-IsAdmin {
        ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
    }
    
    # Delete ExploitGuard ProcessMitigations for a given key in the registry. If no other settings exist under the specified key,
    # the key is deleted as well
    function Remove-ProcessMitigations([Object] $Key, [string] $Name) {
        Try {
            if ($Key.GetValue("MitigationOptions")) {
                Write-Host "Removing MitigationOptions for:      " $Name
                Remove-ItemProperty -Path $Key.PSPath -Name "MitigationOptions" -ErrorAction Stop;
            }
            if ($Key.GetValue("MitigationAuditOptions")) {
                Write-Host "Removing MitigationAuditOptions for: " $Name
                Remove-ItemProperty -Path $Key.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
            }
            if ($Key.GetValue("EAFModules")) {
                Write-Host "Removing EAFModules for: " $Name
                Remove-ItemProperty -Path $Key.PSPath -Name "EAFModules" -ErrorAction Stop;
            }
    
            # Remove the FilterFullPath value if there is nothing else
            if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 1) -and ($Key.GetValue("FilterFullPath"))) {
                Remove-ItemProperty -Path $Key.PSPath -Name "FilterFullPath" -ErrorAction Stop;
            }
    
            # If the key is empty now, delete it
            if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 0)) {
                Write-Host "Removing empty Entry:                " $Name
                Remove-Item -Path $Key.PSPath -ErrorAction Stop
            }
        }
        Catch {
            Write-Host "ERROR:" $_.Exception.Message "- at ($Name)"
        }
    }
    
    # Delete all ExploitGuard ProcessMitigations
    function Remove-All-ProcessMitigations {
        if (!(Test-IsAdmin)) {
            throw "ERROR: No Administrator-Privileges detected!"
        }
    
        Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | ForEach-Object {
            $MitigationItem = $_;
            $MitigationItemName = $MitigationItem.PSChildName
    
            Try {
                Remove-ProcessMitigations $MitigationItem $MitigationItemName
    
                # "UseFilter" indicates that full-path filter subkeys may be present
                if ($MitigationItem.GetValue("UseFilter")) {
                    Get-ChildItem -Path $MitigationItem.PSPath | ForEach-Object {
                        $FullPathItem = $_
                        if ($FullPathItem.GetValue("FilterFullPath")) {
                            $Name = $MitigationItemName + "-" + $FullPathItem.GetValue("FilterFullPath")
                            Write-Host "Removing FullPathEntry:              " $Name
                            Remove-ProcessMitigations $FullPathItem $Name
                        }
    
                        # If there are no subkeys now, we can delete the "UseFilter" value
                        if ($MitigationItem.SubKeyCount -eq 0) {
                            Remove-ItemProperty -Path $MitigationItem.PSPath -Name "UseFilter" -ErrorAction Stop
                        }
                    }
                }
                if (($MitigationItem.SubKeyCount -eq 0) -and ($MitigationItem.ValueCount -eq 0)) {
                    Write-Host "Removing empty Entry:                " $MitigationItemName
                    Remove-Item -Path $MitigationItem.PSPath -ErrorAction Stop
                }
            }
            Catch {
                Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
            }
        }
    }
    
    # Delete all ExploitGuard System-wide Mitigations
    function Remove-All-SystemMitigations {
    
        if (!(Test-IsAdmin)) {
            throw "ERROR: No Administrator-Privileges detected!"
        }
    
        $Kernel = Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel"
    
        Try {
            if ($Kernel.GetValue("MitigationOptions")) {
                Write-Host "Removing System MitigationOptions"
                Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationOptions" -ErrorAction Stop;
            }
            if ($Kernel.GetValue("MitigationAuditOptions")) {
                Write-Host "Removing System MitigationAuditOptions"
                Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
            }
        } Catch {
            Write-Host "ERROR:" $_.Exception.Message "- System"
        }
    }
    
    Remove-All-ProcessMitigations
    Remove-All-SystemMitigations
    
  2. Create and import an XML configuration file with the following default mitigations, as described in Import, export, and deploy exploit protection configurations:

    <?xml version="1.0" encoding="UTF-8"?>
    <root>
      <SystemConfig/>
      <AppConfig Executable="ExtExport.exe">
        <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
      </AppConfig>
      <AppConfig Executable="ie4uinit.exe">
        <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
      </AppConfig>
      <AppConfig Executable="ieinstal.exe">
        <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
      </AppConfig>
      <AppConfig Executable="ielowutil.exe">
        <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
      </AppConfig>
      <AppConfig Executable="ieUnatt.exe">
        <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
      </AppConfig>
      <AppConfig Executable="iexplore.exe">
        <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
      </AppConfig>
      <AppConfig Executable="mscorsvw.exe">
        <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
      </AppConfig>
      <AppConfig Executable="msfeedssync.exe">
        <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
      </AppConfig>
      <AppConfig Executable="mshta.exe">
        <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
      </AppConfig>
      <AppConfig Executable="ngen.exe">
        <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
      </AppConfig>
      <AppConfig Executable="ngentask.exe">
        <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
      </AppConfig>
      <AppConfig Executable="PresentationHost.exe">
        <DEP Enable="true" OverrideDEP="false" EmulateAtlThunks="false"/>
        <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true" OverrideBottomUp="false" HighEntropy="true" BottomUp="true"/>
        <SEHOP Enable="true" OverrideSEHOP="false" TelemetryOnly="false"/>
        <Heap OverrideHeap="false" TerminateOnError="true"/>
      </AppConfig>
      <AppConfig Executable="PrintDialog.exe">
        <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
      </AppConfig>
      <AppConfig Executable="PrintIsolationHost.exe"/>
      <AppConfig Executable="runtimebroker.exe">
        <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
      </AppConfig>
      <AppConfig Executable="splwow64.exe"/>
      <AppConfig Executable="spoolsv.exe"/>
      <AppConfig Executable="svchost.exe"/>
      <AppConfig Executable="SystemSettings.exe">
        <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
      </AppConfig>
    </root>
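
The removal script in step 1 is destructive, so it helps to record what it will delete and to confirm afterwards that nothing was left behind. The following read-only inventory is an added example, not part of the original article or Microsoft's script; it reads the same registry locations and value names as the script above, and the function names `Get-MitigationValues` and `Get-MitigationInventory` and the CSV file name are hypothetical.

```powershell
# Added example: read-only inventory of the registry values the cleanup script deletes.
$IfeoPath   = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
$KernelPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel"
$ValueNames = "MitigationOptions", "MitigationAuditOptions", "EAFModules"

# Emit one record per mitigation value that exists under the given key
function Get-MitigationValues([Microsoft.Win32.RegistryKey] $Key, [string] $Scope, [string[]] $Names) {
    foreach ($ValueName in $Names) {
        # Compare against $null so values that are present but zero are still reported
        $Value = $Key.GetValue($ValueName)
        if ($null -ne $Value) {
            [PSCustomObject]@{
                Scope = $Scope
                Value = $ValueName
                Kind  = $Key.GetValueKind($ValueName)
                Data  = if ($Value -is [byte[]]) { [BitConverter]::ToString($Value) } else { "$Value" }
            }
        }
    }
}

function Get-MitigationInventory {
    Get-ChildItem -Path $IfeoPath | ForEach-Object {
        $Item = $_
        Get-MitigationValues $Item $Item.PSChildName $ValueNames
        # Full-path filter entries live in subkeys that carry a FilterFullPath value
        Get-ChildItem -Path $Item.PSPath | ForEach-Object {
            $FullPath = $_.GetValue("FilterFullPath")
            if ($FullPath) { Get-MitigationValues $_ "$($Item.PSChildName) [$FullPath]" $ValueNames }
        }
    }
    # System-wide settings: the script removes only these two values from the kernel key
    $Kernel = Get-Item -Path $KernelPath
    Get-MitigationValues $Kernel "System" $ValueNames[0..1]
}

# Before step 1: keep a record of what is about to be removed (file name is a placeholder)
$Before = @(Get-MitigationInventory)
$Before | Export-Csv -Path ".\mitigations-before.csv" -NoTypeInformation
$Before | Format-Table -AutoSize

# After step 1: a count of 0 confirms the cleanup left nothing behind
# @(Get-MitigationInventory).Count
```

Running the inventory again after step 2 shows which entries the imported baseline file re-created.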
    

If you haven't already, it's a good idea to download and use the Windows Security Baselines to complete your exploit protection customization.

Tip

Want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.