Windows 10: Windows Defender Exploit Guard-Exploit Protection

Applies to:

Windows Server 2019

Windows 10 1809

Windows 10 1803

Windows 10 1709

Security Administrators, if you have not heard of the Enhanced Mitigation Experience Toolkit (EMET), it was a preventive tool against 0-day attacks.

The replacement in Windows 10 1709 or later and Windows Server 2019 is called "Windows Defender Exploit Guard: Exploit Protection".

A frequently asked question is: for Windows Defender Exploit Guard: Exploit Protection, do I need Windows Defender Antivirus (WD AV)?

The answer is no, you don't need WD AV for Exploit Protection, but the other three components of Windows Defender Exploit Guard do require WD AV.

[What is Windows Defender Exploit Guard - Exploit Protection?]

    Moving Beyond EMET
     https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/

    Moving Beyond EMET II – Windows Defender Exploit Guard
     https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/

    Windows Defender Exploit Guard
     https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard

[So why Windows Defender Exploit Guard: Exploit Protection?]

If you have been keeping up with the Internet Explorer 0-day vulnerabilities that came up maybe twice a year, security tools such as EMET stopped these in their tracks.

"Exploit Protection" is here to do the same type of work.

Here are some nice blog posts that go over the details of the mitigations Windows Defender Exploit Guard: Exploit Protection provides and the exploit techniques they stop:

    The Impact of Security Science in Protecting Customers
     https://cloudblogs.microsoft.com/microsoftsecure/2013/07/25/the-impact-of-security-science-in-protecting-customers/

    Software Defense: mitigating heap corruption vulnerabilities
     https://blogs.technet.microsoft.com/srd/2013/10/29/software-defense-mitigating-heap-corruption-vulnerabilities/

    Software Defense Series: Exploit mitigation and vulnerability detection
     https://blogs.technet.microsoft.com/srd/2013/09/27/software-defense-series-exploit-mitigation-and-vulnerability-detection/

    Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP
     https://blogs.technet.microsoft.com/srd/2009/02/02/preventing-the-exploitation-of-structured-exception-handler-seh-overwrites-with-sehop/

    Preventing the exploitation of user mode heap corruption vulnerabilities
     https://blogs.technet.microsoft.com/srd/2009/08/04/preventing-the-exploitation-of-user-mode-heap-corruption-vulnerabilities/

    Clarifying the behavior of mandatory ASLR
     https://blogs.technet.microsoft.com/srd/2017/11/21/clarifying-the-behavior-of-mandatory-aslr/

[Test / Deploy WD Exploit Guard: Exploit Protection]

Windows Defender Antivirus & Exploit Guard protection evaluation guide

https://www.microsoft.com/en-us/download/details.aspx?id=54795

TIP 1: Just like with EMET, you want to add exclusions for the mitigations that aren't compatible with third-party applications, as described in:

2909257 EMET mitigations guidelines
https://support.microsoft.com/?id=2909257

TIP 2: Just like with EMET, you are better off turning off one, two or three specific mitigations for application compatibility reasons, rather than turning off all the mitigations that Windows Defender Exploit Guard: Exploit Protection offers.

TIP 3: I would highly recommend setting it to audit mode for a month or so, and checking whether there are compatibility warnings for your line-of-business applications.

List of attack surface reduction events, including those for WD EG EP:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard#list-of-attack-surface-reduction-events

Use custom views in Event Viewer to review WD EG EP events:

XML for exploit protection events
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard#xml-for-exploit-protection-events
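Putting the three tips together, here is an added PowerShell example (my own, not from the Microsoft documentation linked above) that reviews the Exploit Protection events collected during an audit period and then relaxes only specific mitigations for one application. It assumes Windows 10 1709 or later / Windows Server 2019 with an elevated session; the log names and the Set-ProcessMitigation / Get-ProcessMitigation switches exist as shown, while the regex that pulls a process name out of the event text and the application name LobApp.exe are assumptions for illustration.

```powershell
# Added example: review Exploit Protection audit events, then tune individual
# mitigations per application instead of disabling Exploit Protection outright.
# Requires Windows 10 1709+ / Server 2019 and an elevated PowerShell session.

$Days = 30   # length of the audit period (TIP 3: about a month)
$Logs = 'Microsoft-Windows-Security-Mitigations/UserMode',
        'Microsoft-Windows-Security-Mitigations/KernelMode'

# 1. Collect Exploit Protection events written during the audit period.
$events = foreach ($log in $Logs) {
    Get-WinEvent -FilterHashtable @{
        LogName   = $log
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue   # no events is not an error here
}

# 2. Summarise which process hit which event ID, so line-of-business
#    applications with compatibility problems stand out before enforcement.
$summary = $events |
    ForEach-Object {
        # Assumption: the event message names the process as a *.exe path.
        $proc = if ($_.Message -match '([^\\''"\s]+\.exe)') { $Matches[1] } else { '<unknown>' }
        [pscustomobject]@{ Process = $proc; EventId = $_.Id; Log = $_.LogName }
    } |
    Group-Object Process, EventId |
    Sort-Object Count -Descending |
    Select-Object Count, Name

$summary | Format-Table -AutoSize

# 3. TIP 1 / TIP 2: for an application that keeps triggering a mitigation,
#    relax only that mitigation. Here Arbitrary Code Guard stays in audit mode
#    and child-process blocking is removed for one placeholder application.
$app = 'LobApp.exe'   # placeholder name for a line-of-business application
Set-ProcessMitigation -Name $app -Enable AuditDynamicCode
Set-ProcessMitigation -Name $app -Disable DisallowChildProcessCreation

# Show the resulting per-application settings.
Get-ProcessMitigation -Name $app

# 4. Export the configuration as XML so the same settings can be deployed to
#    other hosts (imported with Set-ProcessMitigation -PolicyFilePath).
Get-ProcessMitigation -RegistryConfigFilePath "$env:TEMP\ExploitProtection.xml"
```

Run the summary step alone first; only apply step 3 after the audit events confirm which mitigation the application actually conflicts with.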

Thanks,

Yong