Evaluate attack surface reduction rules

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Endpoint and Microsoft 365 Defender. Refer to the Applies To section and look for specific callouts in this article where there might be differences.

Applies to:

Attack surface reduction rules help prevent actions typically used by malware to compromise devices or networks. Set attack surface reduction rules for devices running any of the following editions and versions of Windows:

Learn how to evaluate attack surface reduction rules by enabling audit mode to test the feature directly in your organization.

Tip

You can also visit the Microsoft Defender for Endpoint demo scenario website at demo.wd.microsoft.com to confirm the feature is working and see how it works.

Use audit mode to measure impact

Enable attack surface reduction rules in audit mode to view a record of apps that would have been blocked if the feature were fully enabled. Test how the feature will work in your organization to ensure it doesn't affect your line-of-business apps. You can also get an idea of how often the rules will fire during normal use.

To enable an attack surface reduction rule in audit mode, use the following PowerShell cmdlet (from an elevated PowerShell session):

Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode

Where <rule ID> is the GUID of the attack surface reduction rule.

To set all the attack surface reduction rules already configured on the device to audit mode, use the following PowerShell cmdlet. Note that this also moves any rule that is currently in block mode back to audit mode, so check the existing actions first if some rules are already enforced:

(Get-MpPreference).AttackSurfaceReductionRules_Ids | Foreach {Add-MpPreference -AttackSurfaceReductionRules_Ids $_ -AttackSurfaceReductionRules_Actions AuditMode}
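The following script is an added example, not code from the Microsoft page: it puts a chosen set of rules into audit mode, refuses to downgrade a rule that is already in block mode, and reads the resulting per-rule state back from Defender. It assumes an elevated PowerShell session on a device running Microsoft Defender Antivirus; the two GUIDs are the documented IDs for the named rules and should be verified against the current attack surface reduction rules reference before use.

```powershell
# Added example (not from the Microsoft page). Requires an elevated session with
# Microsoft Defender Antivirus. GUIDs assumed to be the documented IDs for these rules.
$RulesToAudit = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}

# Numeric action values as returned by Get-MpPreference.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

function Get-AsrRuleState {
    # One object per configured rule, zipped from the two parallel arrays Get-MpPreference exposes.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id = ([string]$ids[$i]).ToUpper()
        [pscustomobject]@{
            RuleId = $id
            Action = $ActionNames[[int]($acts[$i])]
            Name   = $RulesToAudit[$id]   # $null for rules outside our map
        }
    }
}

# Snapshot the current actions so an enforced rule is not silently demoted to audit.
$current = @{}
Get-AsrRuleState | ForEach-Object { $current[$_.RuleId] = $_.Action }

foreach ($id in $RulesToAudit.Keys) {
    if ($current[$id] -eq 'Block') {
        Write-Warning "$id is already in Block mode; leaving it enforced ($($RulesToAudit[$id]))"
        continue
    }
    # Add-MpPreference updates the action when the rule ID is already present.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# Verify: each requested rule should now report AuditMode (or Block, if it was left alone).
Get-AsrRuleState | Where-Object { $RulesToAudit.ContainsKey($_.RuleId) } | Format-Table RuleId, Action, Name
```

Run Get-AsrRuleState on its own at any time to see which rules are configured on a device and in which mode; it is the read-back you want after deploying the same setting through Group Policy, Intune, or an MDM CSP.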

Tip

If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s).

You can also use Group Policy, Intune, or mobile device management (MDM) configuration service providers (CSPs) to configure and deploy the setting. Learn more in the main Attack surface reduction rules article.

Review attack surface reduction events in Windows Event Viewer

To review apps that would have been blocked while a rule is in audit mode, open Event Viewer and filter for Event ID 1122 in the Microsoft-Windows-Windows Defender/Operational log; Event ID 1121 records the same rule firing in block mode. The following table lists all attack surface reduction events.

Event ID    Description
5007        Event when settings are changed
1121        Event when an attack surface reduction rule fires in block mode
1122        Event when an attack surface reduction rule fires in audit mode
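The script below is an added example, not code from the Microsoft page: it parses the XML of Event ID 1122 entries and summarizes audit-mode hits per rule and initiating process, which is the number you need before switching a rule to block mode. It assumes the EventData field names ID (rule GUID), Path (the file the rule acted on), and Process Name (the initiating process); confirm them against a real event with (Get-WinEvent ...)[0].ToXml() if your build differs. The sample event at the end is constructed so the parser can be exercised offline.

```powershell
# Added example (not from the Microsoft page). EventData field names 'ID', 'Path' and
# 'Process Name' are assumptions; check them against a real 1122 event on your build.

function ConvertFrom-AsrEventXml {
    # Flattens one Defender event's XML into a simple object keyed by the Data Name attributes.
    param([Parameter(Mandatory)][string]$Xml)
    $doc  = [xml]$Xml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $eid = $doc.Event.System.EventID
    if ($eid -is [System.Xml.XmlElement]) { $eid = $eid.'#text' }   # EventID may carry attributes
    [pscustomobject]@{
        EventId = [int]$eid
        Time    = $doc.Event.System.TimeCreated.SystemTime
        RuleId  = $data['ID']
        Path    = $data['Path']
        Process = $data['Process Name']
    }
}

function Get-AsrAuditSummary {
    # Pulls audit-mode events (1122) from the live log and groups them per rule and process.
    param([int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-AsrEventXml -Xml $_.ToXml() } |
        Group-Object RuleId, Process |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'RuleId';     e = { $_.Group[0].RuleId } },
            @{ n = 'Process';    e = { $_.Group[0].Process } },
            @{ n = 'SamplePath'; e = { $_.Group[0].Path } }
}

# Constructed sample event (not a real capture) so the parser runs offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Defender"/>
    <EventID>1122</EventID>
    <TimeCreated SystemTime="2021-03-01T10:15:00.000Z"/>
  </System>
  <EventData>
    <Data Name="ID">D4F940AB-401B-4EFC-AADC-AD5F3C50688A</Data>
    <Data Name="Path">C:\Users\alice\AppData\Local\Temp\invoice.exe</Data>
    <Data Name="Process Name">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
  </EventData>
</Event>
'@
ConvertFrom-AsrEventXml -Xml $sample | Format-List

# On a device that has been collecting audit data:
# Get-AsrAuditSummary | Format-Table -AutoSize
```

A rule whose hits all come from one signed line-of-business process is a candidate for an exclusion rather than for leaving the rule in audit mode indefinitely; a rule with no hits after a representative period can usually go straight to block mode.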

Customize attack surface reduction rules

During your evaluation, you may wish to configure each rule individually or exclude certain files and processes from being evaluated by the feature.

See Customize attack surface reduction rules for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.
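As an added example (not code from the Microsoft page), the script below excludes a single line-of-business binary from attack surface reduction evaluation with the -AttackSurfaceReductionOnlyExclusions parameter of Add-MpPreference, which affects ASR rules only and not antivirus scanning, and then verifies the exclusion was applied. The path is a placeholder for illustration; the checks before and after the change are the parts worth keeping.

```powershell
# Added example (not from the Microsoft page). $LobApp is a placeholder path.
$LobApp = 'C:\Program Files\Contoso\LobClient\LobClient.exe'

# Only exclude something that actually exists as a file: a typo here silently does nothing,
# and a folder exclusion would be a standing bypass for anything an attacker drops into it.
if (-not (Test-Path -LiteralPath $LobApp -PathType Leaf)) {
    throw "Refusing to add an ASR exclusion for a path that is not an existing file: $LobApp"
}

Add-MpPreference -AttackSurfaceReductionOnlyExclusions $LobApp

# Read back and confirm the exact path is present (comparison is case-insensitive).
$exclusions = @((Get-MpPreference).AttackSurfaceReductionOnlyExclusions)
if ($exclusions -notcontains $LobApp) {
    throw "Exclusion was not applied for $LobApp"
}
$exclusions
```

Keep exclusions as narrow as the evidence from audit-mode events justifies, and re-check the list with (Get-MpPreference).AttackSurfaceReductionOnlyExclusions after any policy deployment, since Set-MpPreference and management tools can replace it wholesale.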

See also