Windows 10: Windows Defender Exploit Guard-Attack Surface Reduction rules
Windows Server 2019
Windows 10 1809
Windows 10 1803
Windows 10 1709
Security administrators, as we all know, can’t keep end-users from clicking on phishing e-mails or downloading payloads that carry malware. Windows Defender (WD) Exploit Guard (EG) – Attack Surface Reduction (ASR) rules to the rescue.
Windows Defender Exploit Guard: Attack Surface Reduction rules, do I need Windows Defender Antivirus (WD AV)?
The answer is yes, you need WD AV to be enabled.
[What is Windows Defender Exploit Guard – Attack Surface Reduction rules?]
Reduce attack surfaces with attack surface reduction rules
Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware
Security Updates from the Win10 Fall Creators Update
New attack surface reduction rules
[What does WD Exploit Guard: Attack Surface Reduction rules block against?]
- Block executable content from email client and webmail
- Block all Office applications from creating child processes
- Block Office applications from creating executable content
- Block Office applications from injecting code into other processes
- Block execution of potentially obfuscated scripts
- Block Win32 API calls from Office macro
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- Use advanced protection against ransomware
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB
- Block Office communication application from creating child processes
- Block Adobe Reader from creating child processes
[So why Windows Defender Exploit Guard: Attack Surface Reduction rules?]
Example of malware being neutralized by ASR: CVE-2017-8759 (a.k.a. WinBird or FinFisher; Exploit:RTF/Fitipol.A, Behavior:Win32/Fitipol.A, and Exploit:RTF/CVE-2017-8759)
Exploit for CVE-2017-8759 detected and neutralized- Protection with Windows Defender Exploit Guard
Example of malware being neutralized by ASR: Qakbot and Emotet.
Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks
Example of malware being neutralized by ASR: protect from emerging exploits like DDEDownloader, which has been used to distribute ransomware.
A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017
Example of malware being neutralized by ASR: emerging exploits like Coin mining malware.
Invisible resource thieves: The increasing threat of cryptocurrency miners
[Test / Deploy WD Exploit Guard: Attack Surface Reduction rules]
Recommendations for deploying the latest Attack surface reduction rules for maximum impact
TIP 1: Make sure that the WD AV Platform update, engine update, and definition updates are up to date.
Note: Normally taken care of by Windows Update, WSUS, or SCCM SUP.
TIP 2: I highly recommend setting the rules to audit mode for a month or so and checking whether any compatibility warnings show up for your line-of-business applications before switching to block mode.
List of 'attack surface reduction' events, including those raised by WD EG ASR rules:
Use 'custom views' in 'Event Viewer' to review the WD EG ASR rule events:
XML for attack surface reduction rule events
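Putting TIP 2 and the Event Viewer review into one script, as an added example that is not part of the original post or of Microsoft's documentation: it sets the rules listed above to audit mode and then summarizes the ASR events (1122 = audit match, 1121 = block match) from the Defender Operational log. The rule GUIDs are the published IDs for these rules; the EventData field names ('ID', 'Path', 'Process Name') are assumed from the event XML and should be checked against your own log.

```powershell
# Added example: audit-mode rollout of the ASR rules above plus a review of the
# resulting events. Run elevated on a machine where WD AV is active.
$AsrRules = @{   # published rule GUID -> rule name as listed in the post
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macro'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executable files unless prevalence, age, or trusted list criterion is met'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from lsass.exe'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes that run from USB'
    '26190899-1602-49E8-8B27-EB1D0A1CE869' = 'Block Office communication application from creating child processes'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
}

# TIP 2: one Add-MpPreference call per rule, action AuditMode (2). Nothing is blocked yet;
# matches are only logged, which is what surfaces LOB compatibility problems safely.
foreach ($id in $AsrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# Confirm what the engine actually holds (actions: 0 = Disabled, 1 = Block, 2 = Audit).
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions

# Review: 1122 = rule matched in audit mode, 1121 = rule matched in block mode.
# EventData field names below are an assumption taken from the event XML; adjust if your build differs.
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 }
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Mode    = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
        Rule    = $AsrRules["$($d['ID'])"]      # hashtable lookup is case-insensitive
        Process = $d['Process Name']
        Target  = $d['Path']
    }
}

# Per-rule counts show which rules would have fired in block mode; the detail rows
# show which LOB processes need an exclusion before you enforce the rules.
$hits | Group-Object Rule | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$hits | Sort-Object Time | Format-Table Time, Mode, Rule, Process, Target -AutoSize
```

Event 5007 in the same log records every ASR settings change, so you can also use it to confirm that the audit-mode rollout reached each machine.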
P.S. Related blog posts:
Windows 10/Windows Server 2016/Windows Server 2019 Antivirus (AV)
Windows 10: Windows Defender Exploit Guard-Exploit Protection
[Don’t confuse Windows Defender Exploit Guard - Attack Surface Reduction rules with:]
1) The Microsoft Security Development Lifecycle (SDL) “Attack Surface Analysis” tool, which developers use while developing applications.
Back to the Future: Attack Surface Analysis and Reduction
Note: For developers, we have a new tool:
Microsoft Threat Modeling Tool
2) EMET’s Attack Surface Reduction, which:
"Provides a mechanism to help block specific modules or plug-ins within an application, in certain conditions. For example, customers can now configure EMET to prevent their browser from loading Java plug-ins on external websites, while still continuing to allow Java plug-ins on their internal company websites."
Managing IE Sites for EMET with ASR (Attack Surface Reduction)