Problemen met het beperken van misbruikbeveiliging oplossenTroubleshoot exploit protection mitigations

Van toepassing op:Applies to:

Wilt u Defender voor Eindpunt ervaren?Want to experience Defender for Endpoint? Meld u aan voor een gratis proefabonnement.Sign up for a free trial.

Wanneer u een set beveiligingsbeperkende maatregelen (ook wel configuratie genoemd) maakt, kunt u merken dat het export- en importproces van de configuratie niet alle ongewenste risico's verwijdert.When you create a set of exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations.

U kunt ongewenste risico's handmatig verwijderen in Windows-beveiliging of u kunt het volgende proces gebruiken om alle risico's te verwijderen en in plaats daarvan een configuratiebestand voor basislijn te importeren.You can manually remove unwanted mitigations in Windows Security, or you can use the following process to remove all mitigations and then import a baseline configuration file instead.

  1. Verwijder alle procesbeperking met dit PowerShell-script:Remove all process mitigations with this PowerShell script:

    # Check if Admin-Privileges are available
    function Test-IsAdmin {
        ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
    }
    
    # Delete ExploitGuard ProcessMitigations for a given key in the registry. If no other settings exist under the specified key,
    # the key is deleted as well
    function Remove-ProcessMitigations([Object] $Key, [string] $Name) {
        Try {
            if ($Key.GetValue("MitigationOptions")) {
                Write-Host "Removing MitigationOptions for:      " $Name
                Remove-ItemProperty -Path $Key.PSPath -Name "MitigationOptions" -ErrorAction Stop;
            }
            if ($Key.GetValue("MitigationAuditOptions")) {
                Write-Host "Removing MitigationAuditOptions for: " $Name
                Remove-ItemProperty -Path $Key.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
            }
    
            # Remove the FilterFullPath value if there is nothing else
            if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 1) -and ($Key.GetValue("FilterFullPath"))) {
                Remove-ItemProperty -Path $Key.PSPath -Name "FilterFullPath" -ErrorAction Stop;
            }
    
            # If the key is empty now, delete it
            if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 0)) {
                Write-Host "Removing empty Entry:                " $Name
                Remove-Item -Path $Key.PSPath -ErrorAction Stop
            }
        }
        Catch {
            Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
        }
    }
    
    # Delete all ExploitGuard ProcessMitigations
    function Remove-All-ProcessMitigations {
        if (!(Test-IsAdmin)) {
            throw "ERROR: No Administrator-Privileges detected!"; return
        }
    
        Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | ForEach-Object {
            $MitigationItem = $_;
            $MitigationItemName = $MitigationItem.PSChildName
    
            Try {
                Remove-ProcessMitigations $MitigationItem $MitigationItemName
    
                # "UseFilter" indicate full path filters may be present
                if ($MitigationItem.GetValue("UseFilter")) {
                    Get-ChildItem -Path $MitigationItem.PSPath | ForEach-Object {
                        $FullPathItem = $_
                        if ($FullPathItem.GetValue("FilterFullPath")) {
                            $Name = $MitigationItemName + "-" + $FullPathItem.GetValue("FilterFullPath")
                            Write-Host "Removing FullPathEntry:              " $Name
                            Remove-ProcessMitigations $FullPathItem $Name
                        }
    
                        # If there are no subkeys now, we can delete the "UseFilter" value
                        if ($MitigationItem.SubKeyCount -eq 0) {
                            Remove-ItemProperty -Path $MitigationItem.PSPath -Name "UseFilter" -ErrorAction Stop
                        }
                    }
                }
                if (($MitigationItem.SubKeyCount -eq 0) -and ($MitigationItem.ValueCount -eq 0)) {
                    Write-Host "Removing empty Entry:                " $MitigationItemName
                    Remove-Item -Path $MitigationItem.PSPath -ErrorAction Stop
                }
            }
            Catch {
                Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
            }
        }
    }
    
    # Delete all ExploitGuard System-wide Mitigations
    function Remove-All-SystemMitigations {
    
        if (!(Test-IsAdmin)) {
            throw "ERROR: No Administrator-Privileges detected!"; return
        }
    
        $Kernel = Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel"
    
        Try {
            if ($Kernel.GetValue("MitigationOptions"))
                { Write-Host "Removing System MitigationOptions"
                    Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationOptions" -ErrorAction Stop;
                }
            if ($Kernel.GetValue("MitigationAuditOptions"))
                { Write-Host "Removing System MitigationAuditOptions"
                    Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
                }
        } Catch {
            Write-Host "ERROR:" $_.Exception.Message "- System"
        }
    }
    
    Remove-All-ProcessMitigations
    Remove-All-SystemMitigations
    
  2. Maak en importeer een XML-configuratiebestand met de volgende standaardbeperkingswaarden, zoals beschreven in Configuraties voor exploitbeveiliging importeren, exporteren en implementeren:Create and import an XML configuration file with the following default mitigations, as described in Import, export, and deploy Exploit Protection configurations:

     <?xml version="1.0" encoding="UTF-8"?>
     <root>
        <SystemConfig/>
        <AppConfig Executable="ExtExport.exe">
           <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
        </AppConfig>
        <AppConfig Executable="ie4uinit.exe">
          <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
        </AppConfig>
        <AppConfig Executable="ieinstal.exe">
       <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
        </AppConfig>
        <AppConfig Executable="ielowutil.exe">
          <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
        </AppConfig>
       <AppConfig Executable="ieUnatt.exe">
          <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
        </AppConfig>
       <AppConfig Executable="iexplore.exe">
          <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
        </AppConfig>
       <AppConfig Executable="mscorsvw.exe">
           <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
        </AppConfig>
        <AppConfig Executable="msfeedssync.exe">
           <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
        </AppConfig>
        <AppConfig Executable="mshta.exe">
           <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
        </AppConfig>
        <AppConfig Executable="ngen.exe">
           <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
        </AppConfig>
        <AppConfig Executable="ngentask.exe">
           <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
        </AppConfig>
        <AppConfig Executable="PresentationHost.exe">
           <DEP Enable="true" OverrideDEP="false" EmulateAtlThunks="false"/>
           <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true" OverrideBottomUp="false" HighEntropy="true" BottomUp="true"/>
           <SEHOP Enable="true" OverrideSEHOP="false" TelemetryOnly="false"/>
           <Heap OverrideHeap="false" TerminateOnError="true"/>
        </AppConfig>
        <AppConfig Executable="PrintDialog.exe">
           <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
        </AppConfig>
        <AppConfig Executable="PrintIsolationHost.exe"/>
        <AppConfig Executable="runtimebroker.exe">
           <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
        </AppConfig>
            <AppConfig Executable="splwow64.exe"/>
        <AppConfig Executable="spoolsv.exe"/>
        <AppConfig Executable="svchost.exe"/>
        <AppConfig Executable="SystemSettings.exe">
           <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
        </AppConfig>
    </root>
    

Als u dat nog niet hebt gedaan, is het een goed idee om de basislijnen te downloaden en Windows-beveiliging gebruiken om de beveiligingsaanpassing van Exploit te voltooien.If you haven’t already, it's a good idea to download and use the Windows Security Baselines to complete your Exploit protection customization.