Test attack surface reduction in Microsoft Defender for Endpoint

Applies to:

As part of your organization's security team, you can configure attack surface reduction capabilities to run in audit mode to see how they'll work. In audit mode, you can enable:

  • Attack surface reduction rules
  • Exploit protection
  • Network protection
  • Controlled folder access in audit mode

Audit mode lets you see a record of what would have happened if you had enabled the feature.

You can enable audit mode when testing how the features will work. This will help make sure your line-of-business apps aren't affected. You can also get an idea of how many suspicious file modification attempts occur over a certain period of time.

The features won't block or prevent apps, scripts, or files from being modified. However, the Windows Event Log will record events as if the features were fully enabled. With audit mode, you can review the event log to see what effect the feature would have had if it had been enabled.

To find the audited entries, go to Applications and Services > Microsoft > Windows > Windows Defender > Operational.

Use Defender for Endpoint to get greater detail for each event, especially when investigating attack surface reduction rules. Using the Defender for Endpoint console lets you investigate issues as part of the alert timeline and investigation scenarios.

You can enable audit mode using Group Policy, PowerShell, and configuration service providers (CSPs).
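As an added example (not code from the original page), the PowerShell route for three of the four features: put attack surface reduction rules, controlled folder access and network protection into audit mode, confirm the configured state, then count the audit events Defender wrote to the Operational log. It assumes an elevated session on a Windows endpoint with Microsoft Defender Antivirus, uses the published GUID for the "Block all Office applications from creating child processes" rule, and the audit event IDs 1122, 1124 and 1126 that Defender uses for those features; exploit protection is configured separately (Set-ProcessMitigation) and is not covered here.

```powershell
# Added example: enable audit mode with the Defender PowerShell module and review
# the resulting audit events. Run elevated on an endpoint running Defender Antivirus.

# GUID of the ASR rule "Block all Office applications from creating child processes".
$RuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# 1. Switch the features to audit mode: events are logged, nothing is blocked.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode
Set-MpPreference -EnableControlledFolderAccess AuditMode
Set-MpPreference -EnableNetworkProtection AuditMode

# 2. Verify the state before trusting the audit results (2 = AuditMode for all three).
$pref = Get-MpPreference
[pscustomobject]@{
    AsrRuleIds             = $pref.AttackSurfaceReductionRules_Ids -join ','
    AsrRuleActions         = $pref.AttackSurfaceReductionRules_Actions -join ','
    ControlledFolderAccess = $pref.EnableControlledFolderAccess
    NetworkProtection      = $pref.EnableNetworkProtection
}

# 3. Review what would have been blocked over the last 7 days.
#    Audit event IDs in Microsoft-Windows-Windows Defender/Operational:
#    1122 = ASR rule audited, 1124 = controlled folder access audited,
#    1126 = network protection audited.
$auditIds = 1122, 1124, 1126
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = $auditIds
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

# Per-feature counts give a first read on how noisy enforcement would be.
$events | Group-Object Id | Select-Object @{n='EventId';e={$_.Name}}, Count

# The message text names the affected process and path, which is what you need
# to decide whether a line-of-business app must be excluded before enforcing.
$events | Select-Object TimeCreated, Id, Message -First 20
```

Run the usual line-of-business workflows for a representative period before reading the counts, otherwise an empty log only shows that nothing was exercised.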

Tip

You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the features are working and see how they work.

| Audit options | How to enable audit mode | How to view events |
|---|---|---|
| Audit applies to all events | Enable controlled folder access | Controlled folder access events |
| Audit applies to individual rules | Enable attack surface reduction rules | Attack surface reduction rule events |
| Audit applies to all events | Enable network protection | Network protection events |
| Audit applies to individual mitigations | Enable exploit protection | Exploit protection events |