Enable attack surface reduction rules

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. This topic might apply to both Microsoft Defender for Endpoint and Microsoft 365 Defender. Refer to the Applies To section and look for specific call-outs in this article where there might be differences.

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

Attack surface reduction rules (ASR rules) help prevent actions that malware often abuses to compromise devices and networks. You can set ASR rules for devices running any of the following editions and versions of Windows:

Each ASR rule is in one of three states:

  • Not configured: the ASR rule is disabled
  • Block: the ASR rule is enabled and blocks the action
  • Audit: the rule only logs what it would have blocked, so you can evaluate how it would impact your organization before enabling it

It's highly recommended that you use ASR rules with a Windows E5 license (or a similar licensing SKU) to take advantage of the advanced monitoring and reporting capabilities available in Microsoft Defender for Endpoint (Defender for Endpoint). However, for other licenses like Windows Professional or E3 that don't have access to advanced monitoring and reporting capabilities, you can develop your own monitoring and reporting tools on top of the events that are generated at each endpoint when ASR rules are triggered (for example, by collecting them with Windows Event Forwarding).

Tip

To learn more about Windows licensing, see Windows 10 Licensing and get the Volume Licensing guide for Windows 10.
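The paragraph above leaves "develop your own monitoring" as an exercise. The following script is an added example (it is not from the original page or from Microsoft) of what that looks like in practice: it reads the ASR events from the local Microsoft Defender operational log, where Event ID 1121 is a rule firing in Block mode and 1122 a rule firing in Audit mode, and summarises them per rule so you can decide which audited rules are safe to switch to Block. The GUID-to-name table is taken from Microsoft's ASR rules reference and is not on this page; the EventData field names used for User, Path and Process Name are assumptions to check against one raw event on your build, which is why every field is also returned untouched in the Fields property.

```powershell
# Added example, not part of the original page. Summarise ASR rule hits from the local
# Microsoft Defender operational log (Event ID 1121 = Block, 1122 = Audit).
# Rule names come from Microsoft's ASR rules reference (assumed, not on this page).
$RuleNames = @{
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}

function Get-AsrEvent {
    param(
        [int]$Days = 7,
        [string]$ComputerName = $env:COMPUTERNAME   # for forwarded logs, point this at the collector
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull every <Data Name="..."> element generically so the code does not depend on field order.
        $xml    = [xml]$_.ToXml()
        $fields = @{}
        foreach ($d in $xml.Event.EventData.Data) { $fields[[string]$d.Name] = [string]$d.'#text' }
        # The rule GUID is expected in the 'ID' field (assumption); fall back to a regex over the message.
        $ruleId = [string]$fields['ID']
        if (-not $ruleId) {
            $ruleId = ([regex]'[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}').Match($_.Message).Value
        }
        $ruleId = $ruleId.ToUpperInvariant()
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Computer = $_.MachineName
            Mode     = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId   = $ruleId
            RuleName = if ($RuleNames.ContainsKey($ruleId)) { $RuleNames[$ruleId] } else { '(not in table)' }
            User     = $fields['User']           # field names below are assumptions
            Path     = $fields['Path']
            Process  = $fields['Process Name']
            Fields   = $fields                   # raw EventData, for fields not mapped above
        }
    }
}

function Get-AsrRuleSummary {
    # One row per rule and mode. Audit rows with few hosts/paths are candidates for Block;
    # Block rows with many hits on one Path are candidates for investigation before any exclusion.
    param([int]$Days = 30)
    Get-AsrEvent -Days $Days |
        Group-Object RuleName, Mode |
        ForEach-Object {
            [pscustomobject]@{
                Rule  = $_.Group[0].RuleName
                Mode  = $_.Group[0].Mode
                Hits  = $_.Count
                Hosts = @($_.Group.Computer | Sort-Object -Unique).Count
                Paths = @($_.Group.Path     | Sort-Object -Unique).Count
            }
        } | Sort-Object Hits -Descending
}

Get-AsrRuleSummary -Days 30 | Format-Table -AutoSize
```

Run it elevated on an endpoint, or against a Windows Event Forwarding collector by passing -ComputerName, and keep in mind the warning later on this page: a path that is excluded produces no 1121/1122 event at all, so an empty summary does not by itself prove a rule is quiet.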

You can enable attack surface reduction rules by using any of the methods covered in the following sections (Intune, MDM, Microsoft Endpoint Configuration Manager, Group Policy, or PowerShell).

Enterprise-level management such as Intune or Microsoft Endpoint Manager is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup.

Exclude files and folders from ASR rules

You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines that the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices.

You can also prevent ASR rules from triggering on specific certificates and file hashes by allowing the corresponding Defender for Endpoint file and certificate indicators. (See Manage indicators.)

Important

Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded. If ASR rules are detecting files that you believe shouldn't be detected, you should use audit mode first to test the rule.

You can specify individual files or folders (using folder paths or fully qualified resource names), but you can't specify which rules the exclusions apply to; an exclusion removes the path from every ASR rule. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.

ASR rules support environment variables and wildcards. For information about using wildcards, see Use wildcards in the file name and folder path or extension exclusion lists.

The following procedures for enabling ASR rules include instructions for how to exclude files and folders.

Intune

  1. Select Device configuration > Profiles. Choose an existing endpoint protection profile or create a new one. To create a new one, select Create profile and enter information for this profile. For Profile type, select Endpoint protection. If you've chosen an existing profile, select Properties and then select Settings.

  2. In the Endpoint protection pane, select Windows Defender Exploit Guard, then select Attack Surface Reduction. Select the desired setting for each ASR rule.

  3. Under Attack Surface Reduction exceptions, enter individual files and folders. You can also select Import to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows:

    C:\folder, %ProgramFiles%\folder\file, C:\path

  4. Select OK on the three configuration panes. Then select Create if you're creating a new endpoint protection profile, or Save if you're editing an existing one.

MDM

Use the ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules configuration service provider (CSP) to individually enable and set the mode for each rule.

The following is a sample for reference, using GUID values for ASR rules. Each entry has the form <rule GUID>=<mode>, and entries are separated by a vertical bar (|).

OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules

Value: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84=2|3B576869-A4EC-4529-8536-B80A7769E899=1|D4F940AB-401B-4EfC-AADC-AD5F3C50688A=2|D3E037E1-3EB8-44C8-A917-57927947596D=1|5BEB7EFE-FD9A-4556-801D-275E5FFC04CC=0|BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550=1

The mode values to enable, disable, or enable in audit mode are:

  • Disable = 0
  • Block (enable ASR rule) = 1
  • Audit = 2

Use the ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions configuration service provider (CSP) to add exclusions. Paths are separated by a vertical bar (|).

Example:

OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions

Value: c:\path|e:\path|c:\Exclusions.exe

Note

Be sure to enter OMA-URI values without spaces.
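Hand-typing the pipe-separated CSP strings above is where whitespace and mistyped GUIDs creep in. The following PowerShell is an added example, not from the original page or from Microsoft, of building both CSP values from a rule table, validating them (GUID shape, known mode, no whitespace), and parsing a deployed value back into a readable table for review. The function names are my own; the format they produce is the one shown in the two samples above.

```powershell
# Added example, not part of the original page: build and validate OMA-URI values for the
# AttackSurfaceReductionRules and AttackSurfaceReductionOnlyExclusions CSPs.
$CspMode = @{ Disable = 0; Block = 1; Audit = 2 }   # mode values as documented above

function New-AsrRulesCspValue {
    # $Rules maps rule GUID -> 'Disable' | 'Block' | 'Audit'; use [ordered]@{} to control output order.
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Rules)
    $guidPattern = '^[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}$'
    $parts = foreach ($id in $Rules.Keys) {
        $guid = ([string]$id).Trim().ToUpperInvariant()
        if ($guid -notmatch $guidPattern) { throw "Not an ASR rule GUID: '$id'" }
        $mode = [string]$Rules[$id]
        if (-not $CspMode.ContainsKey($mode)) { throw "Mode for $guid must be Disable, Block or Audit (got '$mode')" }
        "$guid=$($CspMode[$mode])"
    }
    $value = $parts -join '|'
    # The CSP takes the string literally; a stray space silently breaks the policy (see the note above).
    if ($value -match '\s') { throw "CSP value contains whitespace: '$value'" }
    return $value
}

function New-AsrExclusionsCspValue {
    param([Parameter(Mandatory)][string[]]$Paths)
    foreach ($p in $Paths) {
        if ($p -match '\|')      { throw "'|' is the separator and cannot appear in a path: '$p'" }
        if ($p -match '^\s|\s$') { throw "Leading or trailing whitespace in path: '$p'" }
    }
    return ($Paths -join '|')
}

function ConvertFrom-AsrRulesCspValue {
    # Turn a deployed value back into a table, e.g. when reviewing a policy export.
    param([Parameter(Mandatory)][string]$Value)
    $names = @{}
    foreach ($k in $CspMode.Keys) { $names[$CspMode[$k]] = $k }
    foreach ($pair in $Value -split '\|') {
        $id, $mode = $pair -split '=', 2
        [pscustomobject]@{
            RuleId = $id.ToUpperInvariant()
            Mode   = if ($names.ContainsKey([int]$mode)) { $names[[int]$mode] } else { "Unknown($mode)" }
        }
    }
}

# The sample policy from the MDM section above, written as a table instead of a hand-typed string.
$policy = [ordered]@{
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Audit'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block'
    'D4F940AB-401B-4EfC-AADC-AD5F3C50688A' = 'Audit'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Disable'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block'
}
New-AsrRulesCspValue      -Rules $policy
New-AsrExclusionsCspValue -Paths 'c:\path', 'e:\path', 'c:\Exclusions.exe'
ConvertFrom-AsrRulesCspValue -Value (New-AsrRulesCspValue -Rules $policy) | Format-Table
```

The first call reproduces the sample value shown above (with the GUIDs normalised to upper case); paste its output into the OMA-URI Value field rather than typing it. Keep the rule table in source control next to the audit results so the Block/Audit decision for each GUID is reviewable.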

Microsoft Endpoint Configuration Manager

  1. In Microsoft Endpoint Configuration Manager, go to Assets and Compliance > Endpoint Protection > Windows Defender Exploit Guard.

  2. Select Home > Create Exploit Guard Policy.

  3. Enter a name and a description, select Attack Surface Reduction, and select Next.

  4. Choose which rules will block or audit actions, and select Next.

  5. Review the settings and select Next to create the policy.

  6. After the policy is created, select Close.

Group Policy

Warning

If you manage your computers and devices with Intune, Configuration Manager, or another enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup.

  1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and select Edit.

  2. In the Group Policy Management Editor, go to Computer configuration and select Administrative templates.

  3. Expand the tree to Windows components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction.

  4. Select Configure Attack surface reduction rules and select Enabled. You can then set the individual state for each rule in the options section.

    Select Show... and enter the rule ID in the Value name column and your chosen state in the Value column as follows:

    • Disable = 0
    • Block (enable ASR rule) = 1
    • Audit = 2

    (Screenshot: the Group Policy setting showing a blank attack surface reduction rule ID and a value of 1.)

  5. To exclude files and folders from ASR rules, select the Exclude files and paths from Attack surface reduction rules setting and set the option to Enabled. Select Show and enter each file or folder in the Value name column. Enter 0 in the Value column for each item.

Warning

Do not use quotes, as they are not supported in either the Value name column or the Value column.

PowerShell

Warning

If you manage your computers and devices with Intune, Configuration Manager, or another enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup. To allow users to define the value using PowerShell, use the "User Defined" option for the rule in the management platform.

  1. Type powershell in the Start menu, right-click Windows PowerShell and select Run as administrator.

  2. Enter the following cmdlet to enable a rule in Block mode:

    Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled
    

    To enable ASR rules in audit mode, use the following cmdlet:

    Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode
    

    To turn off ASR rules, use the following cmdlet:

    Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Disabled
    

    Important

    You must specify the state individually for each rule, but you can combine rules and states in comma-separated lists; the n-th action applies to the n-th rule ID.

    In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode:

    Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID 1>,<rule ID 2>,<rule ID 3>,<rule ID 4> -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode
    

    You can also use the Add-MpPreference cmdlet to add new rules to the existing list.

    Warning

    Set-MpPreference will always overwrite the existing set of rules. If you want to add to the existing set, you should use Add-MpPreference instead. You can obtain a list of rules and their current state by using Get-MpPreference (the AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions properties are parallel arrays).

  3. To exclude files and folders from ASR rules, use the following cmdlet:

    Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"
    

    Continue to use Add-MpPreference -AttackSurfaceReductionOnlyExclusions to add more files and folders to the list.

    Important

    Use Add-MpPreference to append paths to the list. Using the Set-MpPreference cmdlet will overwrite the existing list.
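The steps above show the individual cmdlets; what a practitioner actually wants is a script that can be re-run safely and proves the endpoint ended up in the intended state. The following is an added example, not from the original page or from Microsoft, that declares a desired Block/Audit state per rule, applies only the differences with Add-MpPreference (so the existing list is never overwritten), adds an exclusion only if it is missing, and then reads Get-MpPreference back to flag drift. The rule GUIDs are the ones used in the MDM sample earlier on this page; the rule names in the comments come from Microsoft's ASR rules reference, and the exclusion path is a hypothetical placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original page: idempotently apply and verify ASR rule states.

# Desired state. Rule names in comments are from Microsoft's ASR rules reference (assumed).
$Desired = [ordered]@{
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Enabled'    # Office apps injecting code into other processes
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Enabled'    # Office apps creating executable content
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'AuditMode'  # Office apps creating child processes
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Enabled'    # JS/VBScript launching downloaded executables
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'AuditMode'  # potentially obfuscated scripts
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Enabled'    # executable content from email/webmail
}
# Hypothetical placeholder path. Remember: an exclusion disables every ASR rule for that path.
$DesiredExclusions = @('C:\LegacyUpdater\Updater.exe')

# Get-MpPreference reports actions as numbers; map them to the names Add/Set-MpPreference accept.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }

function Get-AsrState {
    # Returns a hashtable of rule GUID -> action name from the endpoint's effective preferences.
    $p    = Get-MpPreference
    $ids  = @($p.AttackSurfaceReductionRules_Ids)
    $acts = @($p.AttackSurfaceReductionRules_Actions)
    $state = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $act = [int]$acts[$i]
        $state[$ids[$i].ToUpperInvariant()] =
            if ($ActionName.ContainsKey($act)) { $ActionName[$act] } else { "Unknown($act)" }
    }
    return $state
}

function Set-AsrDesiredState {
    $before = Get-AsrState
    foreach ($id in $Desired.Keys) {
        if ($before[$id] -ne $Desired[$id]) {
            # Add-MpPreference adds or updates one rule and leaves the others alone;
            # Set-MpPreference would replace the whole list (see the warning above).
            Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Desired[$id]
        }
    }
    $existing = @((Get-MpPreference).AttackSurfaceReductionOnlyExclusions)
    foreach ($path in $DesiredExclusions) {
        if ($existing -notcontains $path) {
            Add-MpPreference -AttackSurfaceReductionOnlyExclusions $path
        }
    }
}

function Test-AsrDesiredState {
    # One row per desired rule. Drift = $true after applying usually means an Intune /
    # Configuration Manager / Group Policy setting is overriding the local PowerShell value.
    $after = Get-AsrState
    foreach ($id in $Desired.Keys) {
        [pscustomobject]@{
            RuleId  = $id
            Desired = $Desired[$id]
            Actual  = if ($after.ContainsKey($id)) { $after[$id] } else { 'NotConfigured' }
            Drift   = ($after[$id] -ne $Desired[$id])
        }
    }
}

Set-AsrDesiredState
Test-AsrDesiredState | Format-Table -AutoSize
```

Because exclusions only take effect when the excluded process next starts (see the exclusions section above), restart the excluded service after running this on a machine where it is already running; otherwise it will keep generating events and the drift table will look correct while the exclusion is not yet active.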

Related articles