Protect devices from exploits

Important

Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

Applies to:

Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server, version 1803.

Tip

You can visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working and see how it works.

Exploit protection works best with Defender for Endpoint - which gives you detailed reporting into exploit protection events and blocks as part of the usual alert investigation scenarios.

You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices at once.

When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.

You can also use audit mode to evaluate how exploit protection would impact your organization if it were enabled.

Many of the features in the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. In fact, you can convert and import existing your EMET configuration profiles into exploit protection. To learn more, see Import, export, and deploy exploit protection configurations.

Important

If you are currently using EMET you should be aware that EMET reached end of support on July 31, 2018. Consider replacing EMET with exploit protection in Windows 10.

Warning

Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using audit mode before deploying the configuration across a production environment or the rest of your network.

Review exploit protection events in the Microsoft Security Center

Defender for Endpoint provides detailed reporting into events and blocks as part of its alert investigation scenarios.

You can query Defender for Endpoint data by using Advanced hunting. If you're using audit mode, you can use advanced hunting to see how exploit protection settings could affect your environment.

Here is an example query:

DeviceEvents
| where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'

Review exploit protection events in Windows Event Viewer

You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:

Provider/source Event ID Description
Security-Mitigations 1 ACG audit
Security-Mitigations 2 ACG enforce
Security-Mitigations 3 Do not allow child processes audit
Security-Mitigations 4 Do not allow child processes block
Security-Mitigations 5 Block low integrity images audit
Security-Mitigations 6 Block low integrity images block
Security-Mitigations 7 Block remote images audit
Security-Mitigations 8 Block remote images block
Security-Mitigations 9 Disable win32k system calls audit
Security-Mitigations 10 Disable win32k system calls block
Security-Mitigations 11 Code integrity guard audit
Security-Mitigations 12 Code integrity guard block
Security-Mitigations 13 EAF audit
Security-Mitigations 14 EAF enforce
Security-Mitigations 15 EAF+ audit
Security-Mitigations 16 EAF+ enforce
Security-Mitigations 17 IAF audit
Security-Mitigations 18 IAF enforce
Security-Mitigations 19 ROP StackPivot audit
Security-Mitigations 20 ROP StackPivot enforce
Security-Mitigations 21 ROP CallerCheck audit
Security-Mitigations 22 ROP CallerCheck enforce
Security-Mitigations 23 ROP SimExec audit
Security-Mitigations 24 ROP SimExec enforce
WER-Diagnostics 5 CFG Block
Win32K 260 Untrusted Font

Mitigation comparison

The mitigations available in EMET are included natively in Windows 10 (starting with version 1709) and Windows Server (starting with version 1803), under Exploit protection.

The table in this section indicates the availability and support of native mitigations between EMET and exploit protection.

Mitigation Available under exploit protection Available in EMET
Arbitrary code guard (ACG) yes yes
As "Memory Protection Check"
Block remote images yes yes
As "Load Library Check"
Block untrusted fonts yes yes
Data Execution Prevention (DEP) yes yes
Export address filtering (EAF) yes yes
Force randomization for images (Mandatory ASLR) yes yes
NullPage Security Mitigation yes
Included natively in Windows 10
See Mitigate threats by using Windows 10 security features for more information
yes
Randomize memory allocations (Bottom-Up ASLR) yes yes
Simulate execution (SimExec) yes yes
Validate API invocation (CallerCheck) yes yes
Validate exception chains (SEHOP) yes yes
Validate stack integrity (StackPivot) yes yes
Certificate trust (configurable certificate pinning) Windows 10 provides enterprise certificate pinning yes
Heap spray allocation Ineffective against newer browser-based exploits; newer mitigations provide better protection
See Mitigate threats by using Windows 10 security features for more information
yes
Block low integrity images yes no
Code integrity guard yes no
Disable extension points yes no
Disable Win32k system calls yes no
Do not allow child processes yes no
Import address filtering (IAF) yes no
Validate handle usage yes no
Validate heap integrity yes no
Validate image dependency integrity yes no

Note

The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process. See the Mitigation threats by using Windows 10 security features for more information on how Windows 10 employs existing EMET technology.

See also