評估 exploit protectionEvaluate exploit protection

適用於:Applies to:

想要體驗適用於端點的 Microsoft Defender 嗎?Want to experience Microsoft Defender for Endpoint? 注册免費試用版。Sign up for a free trial.

Exploit protection 可協助保護裝置免受惡意程式碼的攻擊,利用漏洞傳播及感染其他裝置。Exploit protection helps protect devices from malware that uses exploits to spread and infect other devices. 您可以將緩解措施套用至作業系統或個別應用程式。Mitigation can be applied to either the operating system or to an individual app. 許多屬於增強型緩解體驗工具組之部分的功能包含在 exploit protection (的 EMET) 中。Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. (EMET 已到達其支援的終止。 ) (The EMET has reached its end of support.)

在 [審核] 中,您可以看到測試環境中某些應用程式的緩解措施的運作方式。In audit, you can see how mitigation works for certain apps in a test environment. 這會顯示在實際執行環境中啟用 exploit protection 時, 發生什麼情況。This shows what would have happened if you enabled exploit protection in your production environment. 如此一來,您就可以驗證 exploit protection 是否對您的企業營運應用程式沒有不良影響,並查看哪些可疑或惡意的事件發生。This way, you can verify that exploit protection doesn't adversely affect your line-of-business apps, and see which suspicious or malicious events occur.


您也可以在 demo.wd.microsoft.com 流覽 Microsoft Defender Testground 網站,以查看 exploit protection 的運作方式。You can also visit the Microsoft Defender Testground website at demo.wd.microsoft.com to see how exploit protection works.

啟用 exploit protection 以進行測試Enable exploit protection for testing

您可以使用 Windows 安全性應用程式或 Windows PowerShell 設定特定程式的測試模式中的緩解。You can set mitigations in a testing mode for specific programs by using the Windows Security app or Windows PowerShell.

Windows 安全性應用程式Windows Security app

  1. 開啟 Windows 安全性應用程式。Open the Windows Security app. 選取工作列中的盾牌圖示或搜尋 Defender 的 [開始] 功能表。Select the shield icon in the task bar or search the start menu for Defender.

  2. 在左功能表列上選取 [ app & browser control (或 app 圖示) 然後選取 [利用方式 保護]。Select the App & browser control tile (or the app icon on the left menu bar) and then select Exploit protection.

  3. 移至 [ 程式設定 ],然後選擇您要套用保護的應用程式:Go to Program settings and choose the app you want to apply protection to:

    1. 如果您想要設定的應用程式已經列出,請選取它,然後選取 [編輯]If the app you want to configure is already listed, select it and then select Edit
    2. 如果清單頂端沒有列出該應用程式,請選取 [ 新增程式] 進行自訂If the app is not listed at the top of the list select Add program to customize. 然後,選擇您想要新增應用程式的方式。Then, choose how you want to add the app.
      • 使用 [ 依程式名稱新增 ],可對任何執行的程式套用具有該名稱的緩解。Use Add by program name to have the mitigation applied to any running process with that name. 指定副檔名為的檔案。Specify a file with an extension. 您可以輸入完整的路徑,以限制僅限此位置的應用程式的緩解。You can enter a full path to limit the mitigation to only the app with that name in that location.
      • 使用 [選擇確切 的檔案路徑],使用標準的 Windows Explorer 檔案選擇器] 視窗來尋找並選取您想要的檔。Use Choose exact file path to use a standard Windows Explorer file picker window to find and select the file you want.
  4. 選取應用程式之後,您會看到可套用的所有緩解措施清單。After selecting the app, you'll see a list of all the mitigations that can be applied. 選擇 [ 審計 ] 只會在審計模式中套用緩解。Choosing Audit will apply the mitigation in audit mode only. 如果您需要重新開機程式、應用程式或 Windows,您將會收到通知。You'll be notified if you need to restart the process, app, or Windows.

  5. 針對您要設定的所有應用程式與緩解方法,重複此程式。Repeat this procedure for all the apps and mitigations you want to configure. 當您設定好 設定後, 請選取 [套用]。Select Apply when you're done setting up your configuration.


若要將應用層級的緩解設定為稽核模式,請搭配使用 Set-ProcessMitigation audit mode Cmdlet。To set app-level mitigations to audit mode, use Set-ProcessMitigation with the Audit mode cmdlet.

以下列格式設定每項緩解措施:Configure each mitigation in the following format:

Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>


* \<Scope>:
  * `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
* \<Action>:
  * `-Enable` to enable the mitigation
    * `-Disable` to disable the mitigation
* \<Mitigation>:
  * The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma.
風險降低Mitigation 稽核模式 CmdletAudit mode cmdlet
任意代碼防護 (ACG) Arbitrary Code Guard (ACG) AuditDynamicCode
封鎖低誠信影像Block low integrity images AuditImageLoad
封鎖不受信任的字體Block untrusted fonts AuditFont, FontAuditOnlyAuditFont, FontAuditOnly
程式碼整體性防護Code integrity guard AuditMicrosoftSigned, AuditStoreSignedAuditMicrosoftSigned, AuditStoreSigned
停用 Win32k 系統通話Disable Win32k system calls AuditSystemCall
不允許子流程Do not allow child processes AuditChildProcess

例如,若要在名為 testing.exe 的應用程式的審計模式中,啟用任意代碼保護 (ACG) ,請執行下列命令:For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named testing.exe, run the following command:

Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode

您可以透過取代來停用 審計模式 -Enable -DisableYou can disable audit mode by replacing -Enable with -Disable.

檢查 exploit protection 審核事件Review exploit protection audit events

若要複查哪些應用程式被封鎖,請在 Security-Mitigations 記錄中開啟事件檢視器並篩選下列事件。To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log.

功能Feature 提供者/來源Provider/source 事件識別碼Event ID 描述Description
入侵防護Exploit protection Security-Mitigations (核心模式/使用者模式) Security-Mitigations (Kernel Mode/User Mode) 11 ACG 審核ACG audit
入侵防護Exploit protection Security-Mitigations (核心模式/使用者模式) Security-Mitigations (Kernel Mode/User Mode) 3 不允許子進程審核Do not allow child processes audit
入侵防護Exploit protection Security-Mitigations (核心模式/使用者模式) Security-Mitigations (Kernel Mode/User Mode) 5 5 封鎖低誠信影像的審計Block low integrity images audit
入侵防護Exploit protection Security-Mitigations (核心模式/使用者模式) Security-Mitigations (Kernel Mode/User Mode) 7 7 封鎖遠端影像審計Block remote images audit
入侵防護Exploit protection Security-Mitigations (核心模式/使用者模式) Security-Mitigations (Kernel Mode/User Mode) 9 9 停用 win32k 系統通話審計Disable win32k system calls audit
入侵防護Exploit protection Security-Mitigations (核心模式/使用者模式) Security-Mitigations (Kernel Mode/User Mode) 11 程式碼完整性保護審計Code integrity guard audit

另請參閱See also