Protect devices from exploits with Windows Defender Exploit Guard

Applies to:

  • Windows 10, version 1709

Audience

  • Enterprise security administrators

Manageability available with

  • Windows Defender Security Center app
  • Group Policy
  • PowerShell

Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.

It is part of Windows Defender Exploit Guard.

Tip

You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working and see how it works.

Exploit protection works best with Windows Defender Advanced Threat Protection - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual alert investigation scenarios.

You configure these settings using the Windows Defender Security Center app or PowerShell on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once.

When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.

You can also use audit mode to evaluate how Exploit protection would impact your organization if it were enabled.

Many of the features in the Enhanced Mitigation Experience Toolkit (EMET) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See the Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard topic for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to Exploit protection on Windows 10.

Important

If you are currently using EMET you should be aware that EMET will reach end of life on July 31, 2018. You should consider replacing EMET with Exploit protection in Windows 10. You can convert an existing EMET configuration file into Exploit protection to make the migration easier and keep your existing settings.

Warning

Some security mitigation technologies may have compatibility issues with some applications. You should test Exploit protection in all target use scenarios by using audit mode before deploying the configuration across a production environment or the rest of your network.

Requirements

The following requirements must be met before Exploit protection will work:

Windows 10 version Windows Defender Advanced Threat Protection
Insider Preview build 16232 or later (dated July 1, 2017 or later) For full reporting you need a license for Windows Defender ATP

Review Exploit protection events in Windows Event Viewer

You can review the Windows event log to see events that are created when Exploit protection blocks (or audits) an app:

  1. Download the Exploit Guard Evaluation Package and extract the file ep-events.xml to an easily accessible location on the machine.

  2. Type Event viewer in the Start menu to open the Windows Event Viewer.

  3. On the left panel, under Actions, click Import custom view...

    Antimated GIF highlighting the import custom view button on the right pane

  4. Navigate to where you extracted ep-events.xml and select it. Alternatively, copy the XML directly.

  5. Click OK.

  6. This will create a custom view that filters to only show the following events related to Exploit protection:

Provider/source Event ID Description
Security-Mitigations 1 ACG audit
Security-Mitigations 2 ACG enforce
Security-Mitigations 3 Do not allow child processes audit
Security-Mitigations 4 Do not allow child processes block
Security-Mitigations 5 Block low integrity images audit
Security-Mitigations 6 Block low integrity images block
Security-Mitigations 7 Block remote images audit
Security-Mitigations 8 Block remote images block
Security-Mitigations 9 Disable win32k system calls audit
Security-Mitigations 10 Disable win32k system calls block
Security-Mitigations 11 Code integrity guard audit
Security-Mitigations 12 Code integrity guard block
Security-Mitigations 13 EAF audit
Security-Mitigations 14 EAF enforce
Security-Mitigations 15 EAF+ audit
Security-Mitigations 16 EAF+ enforce
Security-Mitigations 17 IAF audit
Security-Mitigations 18 IAF enforce
Security-Mitigations 19 ROP StackPivot audit
Security-Mitigations 20 ROP StackPivot enforce
Security-Mitigations 21 ROP CallerCheck audit
Security-Mitigations 22 ROP CallerCheck enforce
Security-Mitigations 23 ROP SimExec audit
Security-Mitigations 24 ROP SimExec enforce
WER-Diagnostics 5 CFG Block
Win32K 260 Untrusted Font

In this section

Topic Description
Comparison with Enhanced Mitigation Experience Toolkit Many of the features in the EMET are now included in Exploit protection. This topic identifies those features and explains how the features have changed or evolved.
Evaluate Exploit protection Undertake a demo scenario to see how Exploit protection mitigations can protect your network from malicious and suspicious behavior.
Enable Exploit protection Use Group Policy or PowerShell to enable and manage Exploit protection in your network.
Customize and configure Exploit protection Configure mitigations for the operating system and for individual apps.
Import, export, and deploy Exploit protection configurations Export, import, and deploy the settings across your organization. You can also convert an existing EMET configuration profile and import it into Exploit protection.