Troubleshoot attack surface reduction rules

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

When you use attack surface reduction rules, you may run into issues such as:

  • A rule blocks a file or process, or performs some other action that it shouldn't (false positive)

  • A rule doesn't work as described, or doesn't block a file or process that it should (false negative)

There are four steps to troubleshooting these problems:

  1. Confirm prerequisites

  2. Use audit mode to test the rule

  3. Add exclusions for the specified rule (for false positives)

  4. Submit support logs

Confirm prerequisites

Attack surface reduction rules only work on devices that meet the following conditions:

If these prerequisites have all been met, proceed to the next step to test the rule in audit mode.

Use audit mode to test the rule

You can visit the Windows Defender Test ground website at demo.wd.microsoft.com to confirm that attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only.

Follow the instructions in Use the demo tool to see how attack surface reduction rules work to test the specific rule you're encountering problems with.

  1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to Audit mode (value: 2) as described in Enable attack surface reduction rules. Audit mode lets the rule report the file or process, but still allows it to run.

  2. Perform the activity that is causing the issue (for example, open or execute the file or process that should be blocked but is being allowed).

  3. Review the attack surface reduction rule event logs to see whether the rule would have blocked the file or process if it had been set to Enabled.

If a rule isn't blocking a file or process that you expect it to block, first check whether audit mode is enabled.

Audit mode may have been enabled to test another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
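The following PowerShell script is an added example, not part of the original page: it lists the configured ASR rules with their current mode (flagging any rule still left in audit mode), optionally places the rule under test into audit mode, and then pulls the recent Defender operational-log events that show whether the rule blocked or would have blocked an action. It assumes an elevated session with the Defender Antivirus cmdlets available; `$RuleId` is a placeholder you replace with the GUID of the rule you are testing.

```powershell
# Added example (not the page's own code). Assumes an elevated PowerShell session on a
# device with Microsoft Defender Antivirus cmdlets. $RuleId is a placeholder GUID.
param(
    [string]$RuleId = '<rule-guid>',   # placeholder: GUID of the rule under test
    [int]$Hours = 24,                  # how far back to search the event log
    [switch]$SetAudit                  # put $RuleId into audit mode (step 1)
)

# Action values as returned by Get-MpPreference: 0 = Disabled, 1 = Block, 2 = Audit
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }

if ($SetAudit) {
    # Step 1: audit mode (value 2) for only the rule under test; other rules are untouched.
    Set-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Check whether audit mode was left on: print every configured rule and its mode.
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)

for ($i = 0; $i -lt $ids.Count; $i++) {
    # Cast to [int] so the lookup matches the hashtable's Int32 keys.
    $mode = $actionNames[[int]$actions[$i]]
    if (-not $mode) { $mode = "Unknown($($actions[$i]))" }
    $flag = if ($mode -eq 'Audit') { '  <-- still in audit mode' } else { '' }
    '{0}  {1}{2}' -f $ids[$i], $mode, $flag
}

# Step 3: review the event log. In the Defender operational log, event 1121 means the
# rule blocked an action and event 1122 means it would have blocked it (audit mode).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue   # Get-WinEvent errors when no events match

$events |
    Where-Object { $_.Message -match [regex]::Escape($RuleId) } |   # only the rule under test
    Select-Object TimeCreated, Id,
        @{ n = 'Outcome'; e = { if ($_.Id -eq 1121) { 'Blocked' } else { 'Audit: would block' } } } |
    Format-Table -AutoSize
```

A rule reported as Audit with only 1122 events explains a "false negative" that is really leftover audit mode; no events at all for the rule after reproducing the activity is the case to take to the diagnostic-data step.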

If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios but the rule still isn't working as expected, proceed to one of the following sections based on your situation:

  1. If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can first add an attack surface reduction rule exclusion.

  2. If the attack surface reduction rule isn't blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, collecting diagnostic data and submitting the issue to us.

Add exclusions for a false positive

If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders.

To add an exclusion, see Customize attack surface reduction.

Important

You can specify individual files and folders to be excluded, but you cannot specify individual rules. This means any files or folders that are excluded are excluded from all ASR rules.

Report a false positive or false negative

Use the Windows Defender Security Intelligence web-based submission form to report a false negative or false positive for network protection. With a Windows E5 subscription, you can also provide a link to any associated alert.

Collect diagnostic data for file submissions

When you report a problem with attack surface reduction rules, you're asked to collect and submit diagnostic data that Microsoft support and engineering teams can use to help troubleshoot the issue.

  1. Open an elevated command prompt and change to the Windows Defender directory:

    cd "c:\program files\windows defender"
    
  2. Run this command to generate the diagnostic logs:

    mpcmdrun -getfiles
    
  3. By default, the logs are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach that file to the submission form.