Enable exploit protection

Applies to:

Tip

Want to experience Defender for Endpoint? Sign up for a free trial.

Exploit protection helps protect against malware that uses exploits to infect devices and spread. Exploit protection consists of many mitigations that can be applied to either the operating system or to individual apps.

Important

.NET 2.0 is not compatible with some exploit protection capabilities, specifically Export Address Filtering (EAF) and Import Address Filtering (IAF). If you have enabled .NET 2.0, use of EAF and IAF is not supported.

Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.

You can enable each mitigation separately by using any of the methods described in the following sections.

Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or its default value. Some mitigations have more options. You can export these settings as an XML file and deploy them to other devices.

You can also set mitigations to audit mode. Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the device.

Windows Security app

  1. Open the Windows Security app by either selecting the shield icon in your task bar, or by searching the Start menu for Security.

  2. Select the App & browser control tile (or the app icon on the left menu bar) and then select Exploit protection settings.

  3. Go to Program settings and choose the app you want to apply mitigations to.

    • If the app you want to configure is already listed, select it, and then select Edit.
    • If the app is not listed, at the top of the list select Add program to customize and then choose how you want to add the app.
    • Use Add by program name to have the mitigation applied to any running process with that name. Specify a file with its extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
    • Use Choose exact file path to use a standard Windows Explorer file picker window to find and select the file you want.
  4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing Audit will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows.

  5. Repeat steps 3-4 for all the apps and mitigations you want to configure.

  6. Under the System settings section, find the mitigation you want to configure and then specify one of the following settings. Apps that aren't configured individually in the Program settings section use the settings that are configured here.

    • On by default: The mitigation is enabled for apps that don't have this mitigation set in the app-specific Program settings section.
    • Off by default: The mitigation is disabled for apps that don't have this mitigation set in the app-specific Program settings section.
    • Use default: The mitigation is either enabled or disabled, depending on the default configuration that is set up by the Windows 10 installation; the default value (On or Off) is always specified next to the Use default label for each mitigation.
  7. Repeat step 6 for all the system-level mitigations you want to configure. Select Apply when you're done setting up your configuration.

If you add an app to the Program settings section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the System settings section. The following matrix and examples help to illustrate how defaults work:

Enabled in Program settings | Enabled in System settings | Behavior
--------------------------- | -------------------------- | --------
Yes                         | No                         | As defined in Program settings
Yes                         | Yes                        | As defined in Program settings
No                          | Yes                        | As defined in System settings
No                          | No                         | Default as defined in the Use default option

Example 1: Mikael configures Data Execution Prevention in the System settings section to be off by default

Mikael adds the app test.exe to the Program settings section. In the options for that app, under Data Execution Prevention (DEP), Mikael enables the Override system settings option and sets the switch to On. There are no other apps listed in the Program settings section.

The result is that DEP is enabled only for test.exe. All other apps will not have DEP applied.

Example 2: Josie configures Data Execution Prevention in System settings to be off by default

Josie adds the app test.exe to the Program settings section. In the options for that app, under Data Execution Prevention (DEP), Josie enables the Override system settings option and sets the switch to On.

Josie also adds the app miles.exe to the Program settings section and configures Control flow guard (CFG) to On. Josie doesn't enable the Override system settings option for DEP or any other mitigations for that app.

The result is that DEP is enabled for test.exe. DEP will not be enabled for any other app, including miles.exe. CFG will be enabled for miles.exe.

  1. Open the Windows Security app by selecting the shield icon in the task bar or searching the Start menu for Defender.

  2. Select the App & browser control tile (or the app icon on the left menu bar) and then select Exploit protection.

  3. Go to Program settings and choose the app you want to apply mitigations to.

    • If the app you want to configure is already listed, select it, and then select Edit.
    • If the app is not listed, at the top of the list select Add program to customize and then choose how you want to add the app.
    • Use Add by program name to have the mitigation applied to any running process with that name. Specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
    • Use Choose exact file path to use a standard Windows Explorer file picker window to find and select the file you want.
  4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing Audit will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.

  5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Select Apply when you're done setting up your configuration.

Intune

  1. Sign in to the Azure portal and open Intune.

  2. Go to Device configuration > Profiles > Create profile.

  3. Name the profile, choose Windows 10 and later and Endpoint protection.

    (Screenshot: Create endpoint protection profile)

  4. Select Configure > Windows Defender Exploit Guard > Exploit protection.

  5. Upload an XML file with the exploit protection settings:

    (Screenshot: Enable network protection in Intune)

  6. Select OK to save each open blade, and then choose Create.

  7. Select the profile Assignments tab, assign the policy to All Users & All Devices, and then select Save.

MDM

Use the ./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings configuration service provider (CSP) to enable or disable exploit protection mitigations or to use audit mode.

Microsoft Endpoint Manager

  1. In Microsoft Endpoint Manager, go to Endpoint Security > Attack surface reduction.

  2. Select Create Policy > Platform, and for Profile, choose Exploit Protection. Then select Create.

  3. Specify a name and a description, and then choose Next.

  4. Choose Select XML File and browse to the location of the exploit protection XML file. Select the file, and then choose Next.

  5. Configure Scope tags and Assignments if necessary.

  6. Under Review + create, review your configuration settings, and then choose Create.

Microsoft Endpoint Configuration Manager

  1. In Microsoft Endpoint Configuration Manager, go to Assets and Compliance > Endpoint Protection > Windows Defender Exploit Guard.

  2. Select Home > Create Exploit Guard Policy.

  3. Specify a name and a description, select Exploit protection, and then choose Next.

  4. Browse to the location of the exploit protection XML file and select Next.

  5. Review the settings, and then choose Next to create the policy.

  6. After the policy is created, select Close.

Group Policy

  1. On your Group Policy management device, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.

  2. In the Group Policy Management Editor, go to Computer configuration and select Administrative templates.

  3. Expand the tree to Windows components > Windows Defender Exploit Guard > Exploit Protection > Use a common set of exploit protection settings.

  4. Select Enabled, type the location of the XML file, and then choose OK.

PowerShell

You can use the PowerShell verb Get or Set with the cmdlet ProcessMitigation. Using Get lists the current configuration status of any mitigations that have been enabled on the device; add the -Name parameter and the app's executable to see the mitigations for just that app:

Get-ProcessMitigation -Name processName.exe

Important

System-level mitigations that have not been configured will show a status of NOTSET.

  • For system-level settings, NOTSET indicates that the default setting for that mitigation has been applied.
  • For app-level settings, NOTSET indicates that the system-level setting for the mitigation will be applied. The default setting for each system-level mitigation can be seen in the Windows Security app.
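The precedence rules above (the Program settings / System settings matrix, and the meaning of NOTSET at each level) can be checked from a script rather than read off the Windows Security app. The following PowerShell is an added example, not code from the Microsoft page: it resolves the effective state of one mitigation by walking the three layers in order, app-level value, then system-level value, then the Windows default. The property path .Dep.Enable on the Get-ProcessMitigation output and the WindowsDefault value passed in are assumptions; adjust them for the mitigation you are checking.

```powershell
# Added example (not from the Microsoft page): resolve the effective state of a
# mitigation for an app from the three layers the page describes:
#   app-level Program settings -> system-level System settings -> Windows default.
# Get-ProcessMitigation reports each configured layer as ON, OFF or NOTSET.

function Resolve-EffectiveMitigation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [ValidateSet('ON', 'OFF', 'NOTSET')] [string] $AppValue,
        [Parameter(Mandatory)] [ValidateSet('ON', 'OFF', 'NOTSET')] [string] $SystemValue,
        [Parameter(Mandatory)] [ValidateSet('ON', 'OFF')]           [string] $WindowsDefault
    )
    # An explicit app-level value always wins (rows 1 and 2 of the matrix).
    if ($AppValue -ne 'NOTSET') {
        return [pscustomobject]@{ State = $AppValue; Source = 'Program settings' }
    }
    # App-level NOTSET means "use the system-level setting" (row 3).
    if ($SystemValue -ne 'NOTSET') {
        return [pscustomobject]@{ State = $SystemValue; Source = 'System settings' }
    }
    # System-level NOTSET means the Windows default applies (row 4, "Use default").
    return [pscustomobject]@{ State = $WindowsDefault; Source = 'Use default' }
}

# Constructed inputs that walk the four rows of the matrix. The first row is
# Example 1 from the page: DEP forced on for test.exe while the system has no
# explicit DEP setting and the default is treated as off.
$cases = @(
    @{ App = 'ON';     System = 'NOTSET'; Default = 'OFF' }
    @{ App = 'ON';     System = 'ON';     Default = 'OFF' }
    @{ App = 'NOTSET'; System = 'ON';     Default = 'OFF' }
    @{ App = 'NOTSET'; System = 'NOTSET'; Default = 'OFF' }
)
foreach ($c in $cases) {
    $r = Resolve-EffectiveMitigation -AppValue $c.App -SystemValue $c.System -WindowsDefault $c.Default
    '{0,-7} {1,-7} -> {2,-3} ({3})' -f $c.App, $c.System, $r.State, $r.Source
}

# Live query for DEP on a device. Assumption: the objects returned by
# Get-ProcessMitigation expose the DEP switch as .Dep.Enable; the Windows
# default passed in ($WindowsDefault) must be read from the Windows Security app
# for the mitigation in question, as the page says.
function Get-EffectiveDep {
    param(
        [Parameter(Mandatory)] [string] $ExecutableName,   # e.g. 'test.exe'
        [Parameter(Mandatory)] [ValidateSet('ON', 'OFF')] [string] $WindowsDefault
    )
    $app = "$((Get-ProcessMitigation -Name $ExecutableName).Dep.Enable)"
    $sys = "$((Get-ProcessMitigation -System).Dep.Enable)"
    if (-not $app) { $app = 'NOTSET' }   # no app entry at all behaves like NOTSET
    if (-not $sys) { $sys = 'NOTSET' }
    Resolve-EffectiveMitigation -AppValue $app -SystemValue $sys -WindowsDefault $WindowsDefault
}
```

Running the constructed cases prints one line per matrix row with the state and the layer it came from; Get-EffectiveDep applies the same logic to a real executable name, which is useful when auditing a fleet where some apps were configured in the Windows Security app and others only inherit the system-level policy.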

Use Set to configure each mitigation in the following format:

Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>

Where:

  • <Scope>:
    • -Name to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
    • -System to indicate the mitigation should be applied at the system level.
  • <Action>:
    • -Enable to enable the mitigation.
    • -Disable to disable the mitigation.
  • <Mitigation>:
    • The mitigation's cmdlet parameter keyword along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma.

For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation for an executable called testing.exe in the folder C:\Apps\LOB\tests, and to prevent that executable from creating child processes, you'd use the following command:

Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation

Important

Separate each mitigation option with commas.

If you wanted to apply DEP at the system level, you'd use the following command:

Set-ProcessMitigation -System -Enable DEP

To disable mitigations, you can replace -Enable with -Disable. However, for app-level mitigations, this action forces the mitigation to be disabled only for that app.

If you need to restore the mitigation back to the system default, you also need to include the -Remove parameter, as in the following example:

Set-ProcessMitigation -Name test.exe -Remove -Disable DEP

The following table lists the individual mitigations (and audits, when available) to be used with the -Enable or -Disable cmdlet parameters.

Mitigation type                                   | Applies to           | Mitigation cmdlet parameter keyword                          | Audit mode cmdlet parameter
------------------------------------------------- | -------------------- | ------------------------------------------------------------ | ---------------------------------------
Control flow guard (CFG)                          | System and app-level | CFG, StrictCFG, SuppressExports                              | Audit not available
Data Execution Prevention (DEP)                   | System and app-level | DEP, EmulateAtlThunks                                        | Audit not available
Force randomization for images (Mandatory ASLR)   | System and app-level | ForceRelocateImages                                          | Audit not available
Randomize memory allocations (Bottom-Up ASLR)     | System and app-level | BottomUp, HighEntropy                                        | Audit not available
Validate exception chains (SEHOP)                 | System and app-level | SEHOP, SEHOPTelemetry                                        | Audit not available
Validate heap integrity                           | System and app-level | TerminateOnError                                             | Audit not available
Arbitrary code guard (ACG)                        | App-level only       | DynamicCode                                                  | AuditDynamicCode
Block low integrity images                        | App-level only       | BlockLowLabel                                                | AuditImageLoad
Block remote images                               | App-level only       | BlockRemoteImages                                            | Audit not available
Block untrusted fonts                             | App-level only       | DisableNonSystemFonts                                        | AuditFont, FontAuditOnly
Code integrity guard                              | App-level only       | BlockNonMicrosoftSigned, AllowStoreSigned                    | AuditMicrosoftSigned, AuditStoreSigned
Disable extension points                          | App-level only       | ExtensionPoint                                               | Audit not available
Disable Win32k system calls                       | App-level only       | DisableWin32kSystemCalls                                     | AuditSystemCall
Do not allow child processes                      | App-level only       | DisallowChildProcessCreation                                 | AuditChildProcess
Export address filtering (EAF)                    | App-level only       | EnableExportAddressFilterPlus, EnableExportAddressFilter [1] | Audit not available [2]
Import address filtering (IAF)                    | App-level only       | EnableImportAddressFilter                                    | Audit not available [2]
Simulate execution (SimExec)                      | App-level only       | EnableRopSimExec                                             | Audit not available [2]
Validate API invocation (CallerCheck)             | App-level only       | EnableRopCallerCheck                                         | Audit not available [2]
Validate handle usage                             | App-level only       | StrictHandle                                                 | Audit not available
Validate image dependency integrity               | App-level only       | EnforceModuleDepencySigning                                  | Audit not available
Validate stack integrity (StackPivot)             | App-level only       | EnableRopStackPivot                                          | Audit not available [2]

[1]: Use the following format to enable EAF modules for DLLs for a process:

Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll

[2]: Audit for this mitigation is not available via PowerShell cmdlets.
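The Set-ProcessMitigation procedure, the keyword table and the EAF footnote above fit together into one rollout pattern: stage an app in audit mode where the table offers an audit keyword, review what was recorded, enforce, then export the result as the XML that the Intune, Endpoint Manager, Configuration Manager and Group Policy methods consume. The following PowerShell is an added example and not code from the Microsoft page. It uses only the cmdlets and keywords documented here plus the -RegistryConfigFilePath and -PolicyFilePath parameters of the same cmdlets; the executable path, the policy file path, the audit event log name, and the DLL names passed to -EAFModules are placeholders or assumptions, not values from this page.

```powershell
# Added example (not from the Microsoft page): audit-first rollout of app-level
# mitigations, verification, XML export for deployment, and rollback.
# Placeholders: the executable path, the policy XML path, and the DLL names.
# Run from an elevated PowerShell session.

$Exe       = 'C:\Apps\LOB\tests\testing.exe'      # placeholder line-of-business app
$PolicyXml = 'C:\Policies\ExploitProtection.xml'  # placeholder export location
$ExeLeaf   = Split-Path -Path $Exe -Leaf

# 1. Record the starting state so the change can be reviewed and reverted later.
$before = Get-ProcessMitigation -Name $Exe

# 2. Audit first. ACG, child-process creation and Win32k system calls have audit
#    keywords in the table; DEP and ForceRelocateImages do not and can only be
#    enforced directly, so they are left out of this stage.
Set-ProcessMitigation -Name $Exe -Enable AuditDynamicCode, AuditChildProcess, AuditSystemCall

# ... run the app through its normal workload for the test period ...

# 3. Review what audit mode recorded for this executable. Assumption (not from this
#    page): Exploit Guard writes user-mode mitigation events to the
#    Microsoft-Windows-Security-Mitigations/UserMode log.
Get-WinEvent -LogName 'Microsoft-Windows-Security-Mitigations/UserMode' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$ExeLeaf*" } |
    Select-Object TimeCreated, Id, Message

# 4. Clear the audit entries back to the system default (the page's -Remove pattern),
#    then enforce: the audited mitigations plus the ones that have no audit mode,
#    and EAF with the modules to protect (footnote [1] format; DLL names are placeholders).
Set-ProcessMitigation -Name $Exe -Remove -Disable AuditDynamicCode, AuditChildProcess, AuditSystemCall
Set-ProcessMitigation -Name $Exe -Enable DEP, EmulateAtlThunks, DynamicCode, DisallowChildProcessCreation, DisableWin32kSystemCalls, ForceRelocateImages
Set-ProcessMitigation -Name $Exe -Enable EnableExportAddressFilterPlus -EAFModules placeholder1.dll, placeholder2.dll

# 5. Verify. Anything still NOTSET at app level falls back to the system-level
#    setting, exactly as the Important note above describes.
$after = Get-ProcessMitigation -Name $Exe
$after

# 6. Export the device's full exploit protection configuration to XML. This file is
#    what the Intune, Endpoint Manager, Configuration Manager and Group Policy
#    methods in this article ask for.
Get-ProcessMitigation -RegistryConfigFilePath $PolicyXml

# On another device the same policy is applied with:
#   Set-ProcessMitigation -PolicyFilePath $PolicyXml

# 7. Rollback for one app. Plain -Disable would pin the mitigation OFF for this app;
#    adding -Remove returns it to the system-level setting instead.
#   Set-ProcessMitigation -Name $Exe -Remove -Disable DEP, DynamicCode, DisallowChildProcessCreation, DisableWin32kSystemCalls, ForceRelocateImages
```

The ordering matters for the mitigations without an audit keyword (DEP, ForceRelocateImages, EAF, IAF and the ROP checks marked [2]): since they cannot be observed first, enable them on a pilot group of devices through the exported XML before assigning the policy to All Users & All Devices, and keep the -Remove form of the command at hand so a misbehaving app goes back to the system-level setting rather than being left with the mitigation pinned off.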

Customize the notification

For information about customizing the notification when a rule is triggered and an app or file is blocked, see Windows Security.

See also