Protect devices from exploits

Applies to:

Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.

It is part of Windows Defender Exploit Guard. Exploit protection is supported on Windows 10, version 1709 and later and Windows Server 2016, version 1803 or later.

Tip

You can visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working and see how it works.

Exploit protection works best with Windows Defender Advanced Threat Protection - which gives you detailed reporting into exploit protection events and blocks as part of the usual alert investigation scenarios.

You configure these settings using the Windows Security app or PowerShell on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once.

When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.

You can also use audit mode to evaluate how exploit protection would impact your organization if it were enabled.

Many of the features in the Enhanced Mitigation Experience Toolkit (EMET) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10.

Important

If you are currently using EMET you should be aware that EMET reached end of life on July 31, 2018. You should consider replacing EMET with exploit protection in Windows 10. You can convert an existing EMET configuration file into exploit protection to make the migration easier and keep your existing settings.

Warning

Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using audit mode before deploying the configuration across a production environment or the rest of your network.

Review exploit protection events in Windows Event Viewer

You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:

  1. Download the Exploit Guard Evaluation Package and extract the file ep-events.xml to an easily accessible location on the machine.

  2. Type Event viewer in the Start menu to open the Windows Event Viewer.

  3. On the left panel, under Actions, click Import custom view...

    Antimated GIF highlighting the import custom view button on the right pane

  4. Navigate to where you extracted ep-events.xml and select it. Alternatively, copy the XML directly.

  5. Click OK.

  6. This will create a custom view that filters to only show the following events related to Exploit protection:

Provider/source Event ID Description
Security-Mitigations 1 ACG audit
Security-Mitigations 2 ACG enforce
Security-Mitigations 3 Do not allow child processes audit
Security-Mitigations 4 Do not allow child processes block
Security-Mitigations 5 Block low integrity images audit
Security-Mitigations 6 Block low integrity images block
Security-Mitigations 7 Block remote images audit
Security-Mitigations 8 Block remote images block
Security-Mitigations 9 Disable win32k system calls audit
Security-Mitigations 10 Disable win32k system calls block
Security-Mitigations 11 Code integrity guard audit
Security-Mitigations 12 Code integrity guard block
Security-Mitigations 13 EAF audit
Security-Mitigations 14 EAF enforce
Security-Mitigations 15 EAF+ audit
Security-Mitigations 16 EAF+ enforce
Security-Mitigations 17 IAF audit
Security-Mitigations 18 IAF enforce
Security-Mitigations 19 ROP StackPivot audit
Security-Mitigations 20 ROP StackPivot enforce
Security-Mitigations 21 ROP CallerCheck audit
Security-Mitigations 22 ROP CallerCheck enforce
Security-Mitigations 23 ROP SimExec audit
Security-Mitigations 24 ROP SimExec enforce
WER-Diagnostics 5 CFG Block
Win32K 260 Untrusted Font

Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard

Important

If you are currently using EMET, you should be aware that EMET reached end of life on July 31, 2018. You should consider replacing EMET with exploit protection in Windows Defender ATP.

You can convert an existing EMET configuration file into exploit protection to make the migration easier and keep your existing settings.

This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Windows Defender ATP.

Exploit protection in Windows Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options.

EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques.

After July 31, 2018, it will not be supported.

For more information about the individual features and mitigations available in Windows Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics:

Feature comparison

The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard.

  Windows Defender Exploit Guard EMET
Windows versions Check mark yes
All versions of Windows 10 starting with version 1709
Check mark yes
Windows 8.1; Windows 8; Windows 7
Cannot be installed on Windows 10, version 1709 and later
Installation requirements Windows Security in Windows 10
(no additional installation required)
Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment.
Available only as an additional download and must be installed onto a management device
User interface Modern interface integrated with the Windows Security app Older, complex interface that requires considerable ramp-up training
Supportability Check mark yes
Dedicated submission-based support channel[1]
Part of the Windows 10 support lifecycle
Check mark no
Ends after July 31, 2018
Updates Check mark yes
Ongoing updates and development of new features, released twice yearly as part of the Windows 10 semi-annual update channel
Check mark no
No planned updates or development
Exploit protection Check mark yes
All EMET mitigations plus new, specific mitigations (see table)
Can convert and import existing EMET configurations
Check mark yes
Limited set of mitigations
Attack surface reduction[2] Check mark yes
Helps block known infection vectors
Can configure individual rules
Check mark yes
Limited ruleset configuration only for modules (no processes)
Network protection[2] Check mark yes
Helps block malicious network connections
Check mark no
Not available
Controlled folder access[2] Check mark yes
Helps protect important folders
Configurable for apps and folders
Check mark no
Not available
Configuration with GUI (user interface) Check mark yes
Use Windows Security app to customize and manage configurations
Check mark yes
Requires installation and use of EMET tool
Configuration with Group Policy Check mark yes
Use Group Policy to deploy and manage configurations
Check mark yes
Available
Configuration with shell tools Check mark yes
Use PowerShell to customize and manage configurations
Check mark yes
Requires use of EMET tool (EMET_CONF)
System Center Configuration Manager Check mark yes
Use Configuration Manager to customize, deploy, and manage configurations
Check mark no
Not available
Microsoft Intune Check mark yes
Use Intune to customize, deploy, and manage configurations
Check mark no
Not available
Reporting Check mark yes
With Windows event logs and full audit mode reporting
Full integration with Windows Defender Advanced Threat Protection
Check mark yes
Limited Windows event log monitoring
Audit mode Check mark yes
Full audit mode with Windows event reporting
Check mark no
Limited to EAF, EAF+, and anti-ROP mitigations

(1) Requires an enterprise subscription with Azure Active Directory or a Software Assurance ID.

(2) Additional requirements may apply (such as use of Windows Defender Antivirus). See Windows Defender Exploit Guard requirements for more details. Customizable mitigation options that are configured with exploit protection do not require Windows Defender Antivirus.

Mitigation comparison

The mitigations available in EMET are included in Windows Defender Exploit Guard, under the exploit protection feature.

The table in this section indicates the availability and support of native mitigations between EMET and exploit protection.

Mitigation Available in Windows Defender Exploit Guard Available in EMET
Arbitrary code guard (ACG) Check mark yes Check mark yes
As "Memory Protection Check"
Block remote images Check mark yes Check mark yes
As "Load Library Check"
Block untrusted fonts Check mark yes Check mark yes
Data Execution Prevention (DEP) Check mark yes Check mark yes
Export address filtering (EAF) Check mark yes Check mark yes
Force randomization for images (Mandatory ASLR) Check mark yes Check mark yes
NullPage Security Mitigation Check mark yes
Included natively in Windows 10
See Mitigate threats by using Windows 10 security features for more information
Check mark yes
Randomize memory allocations (Bottom-Up ASLR) Check mark yes Check mark yes
Simulate execution (SimExec) Check mark yes Check mark yes
Validate API invocation (CallerCheck) Check mark yes Check mark yes
Validate exception chains (SEHOP) Check mark yes Check mark yes
Validate stack integrity (StackPivot) Check mark yes Check mark yes
Certificate trust (configurable certificate pinning) Windows 10 provides enterprise certificate pinning Check mark yes
Heap spray allocation Ineffective against newer browser-based exploits; newer mitigations provide better protection
See Mitigate threats by using Windows 10 security features for more information
Check mark yes
Block low integrity images Check mark yes Check mark no
Code integrity guard Check mark yes Check mark no
Disable extension points Check mark yes Check mark no
Disable Win32k system calls Check mark yes Check mark no
Do not allow child processes Check mark yes Check mark no
Import address filtering (IAF) Check mark yes Check mark no
Validate handle usage Check mark yes Check mark no
Validate heap integrity Check mark yes Check mark no
Validate image dependency integrity Check mark yes Check mark no

Note

The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process.

See the Mitigation threats by using Windows 10 security features for more information on how Windows 10 employs existing EMET technology.