Troubleshoot attack surface reduction rules

Applies to:


When you use attack surface reduction rules, you may run into issues such as:

  • A rule blocks a file or process, or performs some other action that it shouldn't (false positive)

  • A rule doesn't work as described, or doesn't block a file or process that it should (false negative)

There are four steps to troubleshooting these problems:

  1. Confirm prerequisites

  2. Use audit mode to test the rule

  3. Add exclusions for the specified rule (for false positives)

  4. Submit support logs

Confirm prerequisites

Attack surface reduction rules only work on devices that meet the following conditions:

If these prerequisites have all been met, proceed to the next step to test the rule in audit mode.

Use audit mode to test the rule

You can visit the Windows Defender Test ground website at demo.wd.microsoft.com to confirm that attack surface reduction rules are generally working for the pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only.

Follow the instructions in Use the demo tool to see how attack surface reduction rules work to test the specific rule you're encountering problems with.

  1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to Audit mode (value: 2) as described in Enable attack surface reduction rules. Audit mode allows the rule to report the file or process but still lets it run.

  2. Perform the activity that is causing the issue (for example, open or execute the file or process that should be blocked but is being allowed).

  3. Review the attack surface reduction rule event logs to see whether the rule would have blocked the file or process if the rule had been set to Enabled.

If a rule isn't blocking a file or process that you expect it to block, first check whether audit mode is enabled.

Audit mode may have been enabled to test another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
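The audit-mode test above and the "is audit mode still on?" check are both easier from PowerShell than from the Group Policy editor. The following is an added example, not code from the Microsoft documentation: it lists every configured rule with its action so leftover audit settings stand out, puts a single rule into audit mode (the PowerShell equivalent of the Group Policy value 2), and reads the audit and block events Defender writes to its Operational log. The rule GUID is a placeholder you must replace; the cmdlets and event IDs (1121 for a block, 1122 for an audit hit) are real and require an elevated session.

```powershell
# Added example (not from the Microsoft docs page): inspect ASR rule state and
# audit/block events on the local device. Run in an elevated PowerShell session
# where the Defender module (Get-MpPreference / Set-MpPreference) is available.

# Action values stored in AttackSurfaceReductionRules_Actions:
#   0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$asrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Pair each configured rule GUID with its action so you can see at a glance
    # whether a rule is still sitting in audit mode after an earlier test.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = if ($asrActionNames.ContainsKey($code)) { $asrActionNames[$code] } else { "Unknown($code)" }
        }
    }
}

function Set-AsrRuleAudit {
    param([Parameter(Mandatory)][string]$RuleId)
    # Same effect as the Group Policy "Audit mode (value: 2)" setting described
    # on the page, applied with PowerShell. $RuleId is the GUID of the rule under test.
    Set-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode
}

function Get-AsrEvents {
    param([int]$Hours = 24)
    # Defender logs ASR activity to the Microsoft-Windows-Windows Defender/Operational
    # channel: event 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
                Message = $_.Message   # contains the rule ID and the file/process involved
            }
        }
}

# Typical use while troubleshooting:
# 1. List rules still in audit mode (leftover from an earlier test or script).
Get-AsrRuleState | Where-Object Action -eq 'Audit'

# 2. Put the rule under test into audit mode, reproduce the activity, then look
#    for a 1122 event showing that the rule would have blocked it.
# Set-AsrRuleAudit -RuleId '<rule GUID placeholder>'
Get-AsrEvents -Hours 1
```

A rule that shows `Audit` in the first listing is the usual explanation for "the rule doesn't block": it is reporting, exactly as configured. After the test, set the rule back to `Enabled` with the same `Set-MpPreference` call.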

If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on the pre-configured scenarios but the rule isn't working as expected, proceed to either of the following sections based on your situation:

  1. If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can first add an attack surface reduction rule exclusion.

  2. If the attack surface reduction rule isn't blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, collecting diagnostic data and submitting the issue to us.

Add exclusions for a false positive

If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders.

To add an exclusion, see Customize attack surface reduction.

Important

You can specify individual files and folders to be excluded, but you cannot specify individual rules. This means any files or folders that are excluded are excluded from all ASR rules.
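As an added example (not code from the Microsoft documentation), the exclusion step can be done with the Defender PowerShell module. The path is a placeholder for the line-of-business tool that triggered the false positive. The `AttackSurfaceReductionOnlyExclusions` setting keeps the exclusion scoped to ASR rather than to antivirus scanning, but, as the note above says, it applies to every ASR rule, so keep the path as narrow as possible and read the list back to confirm what is now excluded.

```powershell
# Added example (not from the Microsoft docs page): add an ASR-only exclusion
# for a false positive and read the current list back. Run elevated.

function Add-AsrExclusion {
    param([Parameter(Mandatory)][string]$Path)
    # AttackSurfaceReductionOnlyExclusions affects ASR evaluation only; it does
    # not exclude the path from regular antivirus scanning.
    # Caveat from the page: the path is excluded from ALL ASR rules, not just one,
    # so prefer a specific file or folder over a broad directory tree.
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Path
}

function Get-AsrExclusions {
    # Returns the effective ASR-only exclusion list so you can verify the change
    # and audit for overly broad entries left behind by earlier troubleshooting.
    @((Get-MpPreference).AttackSurfaceReductionOnlyExclusions)
}

# Placeholder path for the tool that a rule is wrongly blocking.
$toolPath = 'C:\Program Files\ExampleVendor\ExampleTool\ExampleTool.exe'

Add-AsrExclusion -Path $toolPath
Get-AsrExclusions

# Roll the exclusion back once the false positive is fixed upstream:
# Remove-MpPreference -AttackSurfaceReductionOnlyExclusions $toolPath
```

Because an exclusion removes the path from every rule, treat each entry as temporary: report the false positive (next section) and remove the exclusion when the fix ships.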

Report a false positive or false negative

Use the Windows Defender Security Intelligence web-based submission form to report a false negative or false positive for network protection. With a Windows E5 subscription, you can also provide a link to any associated alert.

Collect diagnostic data for file submissions

When you report a problem with attack surface reduction rules, you're asked to collect and submit diagnostic data that Microsoft support and engineering teams can use to help troubleshoot the issue.

  1. Open an elevated command prompt and change to the Windows Defender directory:

    cd "c:\program files\windows defender"
    
  2. Run this command to generate the diagnostic logs:

    mpcmdrun -getfiles
    
  3. By default, they're saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.
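The three steps above, wrapped into one PowerShell function as an added example (not from the Microsoft documentation). It runs the same `MpCmdRun -GetFiles` command from the Windows Defender directory, then verifies that the expected .cab exists and reports its size, timestamp and SHA-256 hash. The timestamp check matters because a stale .cab from an earlier run sits at the same path, and the hash gives you something to quote in the submission ticket.

```powershell
# Added example (not from the Microsoft docs page): collect Defender support
# files and verify the output before attaching it to a submission. Run elevated.

function Get-DefenderSupportFiles {
    # Same locations as in the steps above, built from environment variables so
    # the function works on non-default system drives.
    $mpcmdrun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    $cab      = Join-Path $env:ProgramData  'Microsoft\Windows Defender\Support\MpSupportFiles.cab'

    if (-not (Test-Path $mpcmdrun)) {
        throw "MpCmdRun.exe not found at $mpcmdrun"
    }

    $started = Get-Date
    & $mpcmdrun -GetFiles | Out-Null

    if (-not (Test-Path $cab)) {
        throw "Expected support archive was not produced at $cab"
    }

    $item = Get-Item $cab
    # Guard against picking up a leftover archive from a previous run.
    if ($item.LastWriteTime -lt $started) {
        throw "Archive at $cab predates this run; collection may have failed"
    }

    [pscustomobject]@{
        Path    = $item.FullName
        SizeKB  = [math]::Round($item.Length / 1KB)
        Created = $item.LastWriteTime
        SHA256  = (Get-FileHash $item.FullName -Algorithm SHA256).Hash
    }
}

# Produces the file to attach to the submission form, with its hash for the ticket.
Get-DefenderSupportFiles
```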