
How windows defender’s new exploit protection works (and how to configure it)

By Sarah | Follow | Last Updated November 26, 2020

Summary:

Windows Defender is the antivirus built into Windows. It is turned on by default, so users get protection for their systems, drives, and data without installing anything. But is Windows Defender good enough? This post compares Windows Defender with similar software such as McAfee, Avast, and Bitdefender.

Is Windows Defender Good Enough

What Is Windows Defender

As you know, Windows Defender is the antivirus program Microsoft ships with every supported Windows version to protect it against viruses, malware, spyware, and other threats.

The history of Windows Defender:

  • Windows Defender was first released for Windows XP as a free downloadable anti-spyware program.
  • Microsoft then shipped Windows Vista and Windows 7 with Windows Defender built in (still anti-spyware only; Microsoft Security Essentials was the separate free antivirus).
  • In Windows 8 and later, Windows Defender became a full antivirus program, replacing Microsoft Security Essentials.
  • In newer releases of Windows 10 the app is called Windows Security; the engine itself is now named Microsoft Defender Antivirus.

But is Windows Defender better than McAfee or other similar software? The answer depends on your actual needs.

Windows Defender vs McAfee

Windows Defender Review 2020

You may love Windows Defender due to the following pros:

  • It is free and pre-installed in Windows.
  • It is turned on by default to provide overall protection.
  • It offers real-time protection & cloud-based protection against viruses, malware, spyware, etc.
  • It also provides parental controls on your device.
  • The offline scans and reboots help to eliminate persistent malware.
  • The firewall and Find My Device tools included are very useful.

However, Windows Defender has real limitations:

  • It protects one device at a time; there is no multi-device dashboard of the kind paid suites offer.
  • It is a scanner with real-time protection, not a suite: a password manager, VPN and file shredder are absent.
  • Its parental controls (Microsoft Family Safety) only filter web content in Microsoft browsers.
  • It does not filter e-mail spam or monitor identity theft; its anti-phishing coverage is SmartScreen in Edge.
  • Detection of brand-new samples relies on cloud-delivered protection and behavior monitoring; with those turned off it falls back to signatures alone.
  • Engine and security-intelligence updates arrive through Windows Update, so they stop on a machine where updates are blocked.

In short, Windows Defender on its own is not enough for everyone. You can keep it as the resident antivirus and add a second-opinion anti-malware scanner or an anti-exploit layer on top; do not run two real-time antivirus engines at once, because installing another one turns Defender's real-time protection off.


What Is McAfee

McAfee is another of the world's best-known antivirus vendors. It offers four packages:

  • Total Protection Single Device: malware protection, password protection, a VPN, and a firewall, for one user on one device. It costs $29.99 for the first year and $79.99 for each subsequent year.
  • Total Protection Individual & Couples: adds identity theft protection, encrypted storage, and McAfee Shredder, for up to five devices. It costs $34.99 for the first year and $99.99 per year after that.
  • Total Protection Family: adds parental controls, for up to 10 devices. It costs $39.99 for the first year and $119.99 per year after that.
  • McAfee LiveSafe: adds a set of application-specific protections, with no limit on the number of devices. It costs $39.99 for the first year and $119.99 per year after that.

Pros of McAfee:

  • The VPN is included in every package.
  • Every package supports Windows, macOS, iOS, and Android.
  • McAfee Shredder overwrites deleted files so they cannot be recovered.
  • The Virus Protection Pledge is a money-back malware-removal guarantee.

Cons of McAfee:

  • The VPN and identity theft protection are only available while auto-renewal is enabled.
  • McAfee can slow down your computer, especially on Windows 10.

Windows Defender vs Avast

Avast is an internet security suite for Windows, macOS, Android and iOS, available in both free and paid versions. Besides the antivirus engine it provides a firewall, browser security, anti-phishing, anti-spyware and anti-spam.

Even the free version seems enough to protect a device. However, in 2020 investigative reports alleged that Avast had been selling users' browsing data through a subsidiary, so I do not recommend it; the built-in Windows Defender is the safer choice.

Windows Defender vs Bitdefender

Bitdefender is a Romanian company known for its cybersecurity and anti-virus software. The free version gives home users basic real-time protection, while the premium version offers advanced features not included in Windows Defender.

3 main reasons to choose Bitdefender over Windows Defender:

  • Bitdefender's scanning engine consistently scores at or near 100% in independent lab tests; read any "100% detection" figure as a result on a fixed sample set, not a guarantee against new malware.
  • The free version of Bitdefender is lightweight and easier to use than Windows Defender.
  • The paid version's ransomware protection and Safe Files feature are excellent; Windows Defender's closest equivalent is Controlled Folder Access, which is off by default.

In addition to the antivirus programs mentioned above, you can also choose Malwarebytes, Kaspersky, TotalAV, Avira, Sophos Home, Trend Micro, etc.


ABOUT THE AUTHOR

Position: Columnist

Sarah is working as editor at MiniTool since she was graduated from university, having rich writing experiences. Love to help other people out from computer problems, disk issues, and data loss dilemma and specialize in these things. She said it’s a wonderful thing to see people solving their problems on PC, mobile photos, and other devices; it’s a sense of accomplishment. Sarah likes to make friends in life and she’s a huge music fan.

Windows Defender acts as the first line of defense against malware and spyware infections on your computer. Microsoft provides this free anti-malware program to customers running Windows 10/8/7/Vista. It lets end users schedule a scan or manually run a quick, full, or custom scan.

However, sometimes a user may have trouble enabling Windows Defender. It may be turned off or not working, or it may disable itself every time the computer starts or at random while you are working. Here are a few things to investigate.

This article walks through the troubleshooting procedure.

Windows Defender is turned off or not working

You may receive a message: Windows Defender has been turned off, and it isn’t monitoring your computer.

If you have other antivirus software installed, it turns Windows Defender off; that is expected. If you do not, and Defender is still off, work through the following troubleshooting steps:

  1. Install the latest Windows Updates
  2. Reinstall any third-party antivirus you may have installed
  3. Run an offline malware scan
  4. Enable Windows Defender via Action Center
  5. Check Defender Service status
  6. Re-register these DLL files
  7. Check Registry setting
  8. Perform consistency check on WMI repository.

1] Install the latest Windows Updates

Check if you have all the latest Windows Updates installed, including having the latest version of Windows Defender and its definitions.

2] Reinstall any third-party antivirus you may have installed

Did you recently uninstall any security software, especially Norton or McAfee? A partial uninstallation may be causing the problem. Use the McAfee Consumer Products Removal Tool or the vendor's own removal tool to make sure no remnants are left behind.

3] Run an offline malware scan

Have you checked your computer for malware, or did you just recover from an infection? I suggest you download a stand-alone portable antivirus scanner and run an offline scan from USB, or use an online antivirus scanner service to check your PC.

4] Enable Windows Defender via Action Center

Open Action Center and see if you can enable Windows Defender.

5] Check Defender Service status

Run services.msc to open Services Manager. Ensure that the Windows Defender Antivirus Service (WinDefend) is started and its startup type is set to Automatic.

6] Re-register these DLL files

If the Windows Defender Antivirus Service (WinDefend) or the Windows Defender Antivirus Network Inspection Service (WdNisSvc) keeps stopping, turns itself off, or cannot start, re-register the following DLL files and see if that helps. Run each command in an elevated command prompt, one after the other, pressing Enter after each:

You can use our freeware FixWin to reset Windows Defender to default settings.

7] Check Registry setting

Run regedit and navigate to the following key:

Here make sure that the DWORD values DisableAntiSpyware and DisableAntiVirus are either absent or set to 0. A value of 1 is the policy setting that turns Defender off; Group Policy, a management agent or malware can set it.

If a value is 1 and you cannot change it, use our freeware RegOwnit to take ownership of the key and then set the value from 1 to 0 (or delete it). RegOwnit allows you to take ownership of a Windows Registry key using the Administrator, Home Users, or currently logged-on user account.

8] Perform consistency check on WMI repository

Windows Security Center may also prompt you to "Check Settings" for Malware Protection, and when you click "Turn on now" it may show the error "There are no new definitions available to download for Windows Defender".

This can be caused by an inconsistent WMI repository, which Defender's settings and Security Center depend on; repairing the repository usually resolves it.

Open Command Prompt as an administrator. Type the following command and hit Enter:

winmgmt /verifyrepository

If you get the message "WMI repository is not consistent", run:

winmgmt /salvagerepository

This rebuilds the WMI repository from the registered providers while keeping the data that is still consistent. Restart your machine.

Try enabling Windows Defender now.

If instead you see "WMI repository salvage failed", run "winmgmt /salvagerepository" once more; the second pass usually succeeds.

This post titled Unable to turn on Windows Defender offers some additional troubleshooting suggestions, which may also interest you. You may also want to check the Windows Defender error code you receive and see if any resolution is available at Microsoft.
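As an added example (not part of the article above), the following PowerShell script performs checks 5, 7 and 8 in one pass and adds the engine's own view of its state. It assumes Windows 10 with the Defender PowerShell module, an elevated prompt, and the standard Defender policy key HKLM\SOFTWARE\Policies\Microsoft\Windows Defender (the article does not name the key, so that path is an assumption):

```powershell
# Added example, not code from the article. Assumes Windows 10 with the
# Defender module; run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

# 1. Services that must be running: WinDefend (antivirus engine) and
#    WdNisSvc (network inspection). SecurityHealthService feeds the UI.
Get-Service WinDefend, WdNisSvc, SecurityHealthService -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize

# 2. Policy values that silently turn Defender off. The key path is the
#    standard Defender policy key (assumed; the article does not name it).
#    Either value present and set to 1 means "disabled by policy".
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
    $v = (Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $v)  { "$name : not set (OK)" }
    elseif ($v -eq 0)  { "$name : 0 (OK)" }
    else               { "$name : $v  <-- Defender is disabled by policy" }
}

# 3. Engine state and definition age, as Defender itself reports them.
$s = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtection = $s.RealTimeProtectionEnabled
    AntivirusEnabled   = $s.AntivirusEnabled
    SignatureAgeDays   = $s.AntivirusSignatureAge
    LastSignatureTime  = $s.AntivirusSignatureLastUpdated
    EngineVersion      = $s.AMEngineVersion
}
if ($s.AntivirusSignatureAge -gt 7) {
    Write-Warning "Definitions are $($s.AntivirusSignatureAge) days old; run Update-MpSignature"
}

# 4. WMI repository consistency (step 8 above). Salvage only when the
#    repository is reported inconsistent; do not reach for /resetrepository
#    first, it discards every registered provider.
$verify = & winmgmt /verifyrepository
$verify
if ($verify -match 'not consistent') {
    & winmgmt /salvagerepository
}
```

If step 2 reports a value of 1 and you did not set it, treat the machine as possibly compromised and run the offline scan from step 3 before re-enabling Defender.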

Date: October 1, 2020 Tags: Windows Defender

I have a question.

Is Windows Defender's "protected folders" feature able to prevent Petya-like (MBR/GPT encryption) ransomware if the root drives are added to the list?


Replies (5) 

Keep the Windows operating system, anti-virus and other applications updated.

I would like to add that it’s critically important to backup regularly and store your backups in a location that is not connected to your computer.

Backing up is always critically important, but in the case of a successful ransomware attack, you can simply erase your hard drive and restore a backup. There's no reason to pay ransom to a criminal when you can restore your computer in a matter of minutes.

Remember to save your pictures, documents and other personal stuff on external devices, like optical media (Blu-ray discs, DVDs, CDs), memory cards (CompactFlash card, Secure Digital card, Memory Stick) and USB flash drives, or something roomier like a Seagate external drive.

It’s NOT enough to sync these with OneDrive!

If already using an external hard-disk, keep it offline, when not in use!


My curiosity here was not linked to detection by signatures.

Let's assume there is a 0-day (completely new) Petya variant today that signatures cannot detect yet.

If I add the system drive to the Protected Folders list (which should protect me from ransomware behaviors), will I be protected from MBR/GPT ransomware or not?

In other words, does the Protected Folders feature prevent only "regular" ransomware (file encrypting) or also boot-time ones ("MBR/GPT" encrypting)?


Since the Ransom:Win32/Petya malware has included worm capabilities such as the SMB vulnerabilities to infect machines, the only way to stop this method of installation would be to properly patch systems in a timely manner to avoid the initial infection.

The Protected Folders feature is designed to more effectively deal with those ransomware which abuse the Windows Application Data (AppData) or similar well known system folders in order to initially install the files which perform the actual infection.

Anything that operates completely in memory wouldn’t be able to be blocked by securing folders. Even if the initial stages of this malware required writing some of its files to disk, the fact that each new iteration has used a different method of entry into the machine has meant that predicting which folder(s) might be involved in advance is impossible.

See the Technical Information section of the Petya malware threat description I linked above to see what I’m talking about.

Windows Defender Exploit-Guard Configuration

This Script provides:

  • Configure Windows Defender Exploit-Guard by using PowerShell
  • Reset all ProcessMitigations to get a clean (unconfigured) state
  • Import clean Default-Configuration shipped with the OS
  • Import clean recommended Baseline Configuration
  • Configure Attack Surface Reduction and check actual Configuration of ASR

What’s the Problem?

Windows 10 v1709 (RS3) includes Windows Defender Exploit Guard (Windows Defender EG), the successor of EMET. Two PowerShell cmdlets, Get-ProcessMitigation and Set-ProcessMitigation, configure Exploit Guard from scripts, but as of Windows 10 v1709 (RS3) they have the following bugs and gaps:

  • Get-ProcessMitigation does not list entries configured by full path; it only lists those defined by a plain executable name without a path
  • Set-ProcessMitigation has no way to delete one configured process mitigation, or all per-process mitigations, as the EMET command-line tool did with EMET_Conf –delete, EMET_Conf –delete_apps and EMET_Conf –delete_all

  • Additionally, in the current Insider build of Windows 10 RS4 (v1803) (tested 26.01.2018) there is a default process mitigation for CameraBarcodeScannerPreview.exe whose registry permissions grant access only to TrustedInstaller (SYSTEM and Administrators have no right to modify it, which leads to exceptions/errors)

Remove-all-ProcessMitigations.ps1:

    • Removes all currently configured ProcessMitigations
    • Handles ProcessMitigations configured by plain executable name (notepad.exe) as well as by full path (C:\Windows\system32\notepad.exe)
    • Handles configurations that administrators cannot modify because the ACLs are set to TrustedInstaller, by taking ownership and resetting the ACLs to the defaults (inherited ACLs)

    The script:

    • uses Remove-all-ProcessMitigations.ps1 to remove the configuration
    • sets the system configuration of Exploit Guard to the defaults
    • imports the Exploit Guard default settings of Windows 10 v1709, provided by Windows10-v1709_ExploitGuard-DefaultSettings.xml
    • imports the recommended baseline settings for Windows 10 v1709, provided by Windows10-v1709_ExploitGuard-Security-Baseline.xml

    Demonstration of the output:

    Source of the XML-Files

    • Windows10-v1709_ExploitGuard-DefaultSettings.xml is taken from a fresh Windows 10 v1709 Machine
    • Windows10-v1803_ExploitGuard-DefaultSettings.xml is taken from a fresh Windows 10 v1803 Machine
    • Windows10-v1809_ExploitGuard-DefaultSettings.xml is taken from a fresh Windows 10 v1809 Machine
    • Windows10-v1903_ExploitGuard-DefaultSettings.xml is taken from a fresh Windows 10 v1903 Machine
    • Windows10-v1909_ExploitGuard-DefaultSettings.xml is taken from a fresh Windows 10 v1909 Machine (but no Changes to v1903)
    • Windows10-v1709_ExploitGuard-Security-Baseline.xml is taken from the official Microsoft v1709 Baseline
    • Windows10-v1803_ExploitGuard-Security-Baseline.xml is taken from the official Microsoft v1803 Baseline
    • Windows10-v1809_ExploitGuard-Security-Baseline.xml is taken from the official Microsoft v1809 Baseline
    • Windows10-v1903_ExploitGuard-Security-Baseline.xml is taken from the official Microsoft v1903 Baseline
    • Windows10-v1909_ExploitGuard-Security-Baseline.xml is taken from the official Microsoft v1909 Baseline
    • Documentation of Exploit-Guard
    • EMET – Enhanced Mitigation Experience Toolkit

    WD – Exploit Guard – Attack Surface Reduction Rules

    • Enable-ExploitGuard-AttackSurfaceReduction.ps1 – script for configuring ASR
    • For further information see my blog post (in German)
    • Demo output:

    About

    Configure Windows Defender ExploitGuard, Reset all ProcessMitigation, Import clean recommended Baseline Configuration
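An added example (not one of the repository's scripts) that works around the first gap listed above: it snapshots the Exploit Guard configuration, enumerates per-process entries straight from the registry so that full-path entries show up, applies a mitigation and reads it back. It assumes Windows 10 v1709 or later with the ProcessMitigations module, an elevated prompt, and the IFEO layout in which a full-path entry is stored as a numbered subkey with a FilterFullPath value (that layout is the assumption the enumeration relies on):

```powershell
# Added example, not code from the repository. Assumes Windows 10 v1709+
# (ProcessMitigations module) and an elevated PowerShell prompt.
#Requires -RunAsAdministrator

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# 1. Snapshot the whole configuration (system defaults + per-process entries)
#    so the experiment below can be re-applied from the file.
$backup = Join-Path $env:TEMP ('ExploitGuard-{0:yyyyMMdd-HHmmss}.xml' -f (Get-Date))
Get-ProcessMitigation -RegistryConfigFilePath $backup
"Backup written to $backup"

# 2. Enumerate per-process entries directly from the registry. A plain-name
#    entry lives at IFEO\<exe> with a MitigationOptions value; a full-path
#    entry (assumed layout) lives at IFEO\<exe>\<n> with FilterFullPath, which
#    is the kind Get-ProcessMitigation misses on v1709.
function Get-MitigationKey {
    Get-ChildItem -Path $ifeo -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Property -contains 'MitigationOptions' } |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            $opt   = $props.MitigationOptions
            [pscustomobject]@{
                Target  = if ($props.FilterFullPath) { $props.FilterFullPath } else { $_.PSChildName }
                Options = if ($opt -is [byte[]]) { ($opt | ForEach-Object { $_.ToString('x2') }) -join '' }
                          else { '{0:x}' -f $opt }
                # Owner = TrustedInstaller means Administrators cannot edit the entry,
                # the CameraBarcodeScannerPreview.exe case described above.
                Owner   = (Get-Acl -Path $_.PSPath).Owner
            }
        }
}
Get-MitigationKey | Format-Table -AutoSize

# 3. Apply a mitigation to a harmless target and read it back.
Set-ProcessMitigation -Name notepad.exe -Enable DEP, SEHOP, ForceRelocateImages
(Get-ProcessMitigation -Name notepad.exe).DEP

# 4. Re-apply the snapshot. Import sets the entries the file contains; it does
#    not delete entries absent from it, which is the gap the repository's
#    Remove-all-ProcessMitigations.ps1 exists to fill.
Set-ProcessMitigation -PolicyFilePath $backup
```

Run step 2 before and after an import to see exactly which entries a baseline XML added, including any full-path entries the cmdlet itself would not report.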

    Exploit Protection can be enabled in the Windows 10 Fall Creators Update to harden the operating system. It mitigates common exploitation techniques, so an untrusted or less secure app is harder to exploit. In this article, we'll see how to configure and use this feature.

    The Exploit Protection feature in Windows 10 is the successor of Microsoft's EMET project. EMET, the Enhanced Mitigation Experience Toolkit, was a separate tool for Windows that applied exploit mitigations to applications, blocking many of the techniques used by common exploit kits without waiting for a security patch.

    Microsoft has discontinued EMET as a standalone app. Instead, the Windows 10 Fall Creators Update gets built-in EMET-like protection, integrated into Windows Defender Security Center and configured there.

    To enable Exploit Protection in Windows 10, do the following.

    1. Open the Windows Defender Security Center.
    2. Click the App & browser control icon.
    3. Scroll the page down to the Exploit protection settings link and click it.
    4. Click the System settings category under Exploit protection. Here, you can change the required system settings. Every time you change an option here, the operating system shows a UAC prompt which needs to be confirmed.
    5. The Program settings category in the Exploit protection section will allow you to customize settings for individual apps. Once you open it, click the button +Add program to customize and add an app you want to secure.
    6. In the drop down menu, you can select the app by its name or browse for the executable file.
    7. Once you add the app, it will appear in the list. There, you can customize its options or remove it from the list.

    Select the app and click the appropriate button (Edit or Remove).

  • There are many options you can apply for individual apps. By default, they are inherited from the system options you set on the “System Settings” tab, but you can override most of them here, on the “Program Settings” tab.
  • Once you have changed the desired options, it is a good idea to restart your computer to ensure that all the required apps are protected.
  • Tip: The Exploit Protection feature is a work in progress as of this writing. Microsoft will update the official documentation and share more details on how to configure and use it; once that is done, this article will be updated.

    About Sergey Tkachenko

    Sergey Tkachenko is a software developer from Russia who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software. Follow him on Telegram, Twitter, and YouTube.

    4 thoughts on “ How to Enable Exploit Protection in Windows 10 ”

    I don't see the settings, I am using Win10 version 1703

    Can you still enable Exploit Protection if I install another anti-virus software like ESET or Kaspersky?

    Hmm, I have not tried myself. But I think it SHOULD work, because the EMET technology didn’t rely on defender.

    I’m sorry, it will be available in Windows 10 Fall Creators Update


    Network Protection is a new security feature of Windows Defender that Microsoft introduced in the Fall Creators Update for its Windows 10 operating system.

    It extends Windows Defender SmartScreen by blocking outbound (HTTP and HTTPS) traffic connecting to resources that have a low reputation.

    The feature is part of Windows Defender Exploit Guard, and it requires that Windows Defender is turned on, and that the security program’s real-time protection feature is enabled as well.

    Tip: check out our previous guides on Controlled Folder Access, Exploit Protection and Attack Surface Reduction for a complete overview of the new security features.

    Windows Defender Network protection

    System administrators and users may configure the Network protection feature of Windows Defender using policies, PowerShell or MDM CSPs.

    Group Policy

    You can use the Group Policy to enable the Network protection feature on Windows 10 Fall Creators Update (or newer) PCs.

    Note: The Group Policy Editor is not available on Home editions of Windows 10.

    1. Tap on the Windows-key, type gpedit.msc and hit the Enter-key to load the Group Policy Editor.
    2. Navigate to Computer Configuration > Administrative Templates > Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network protection.
    3. Load “Prevent users and apps from accessing dangerous websites” with a double-click.
    4. Set the policy to enabled, and assign it one of the available modes:
      1. Block — Malicious IP addresses and domains are blocked.
      2. Disabled (default) — The feature is not active.
      3. Audit Mode — This records blocked events but won’t block the events.

    Using PowerShell

    You may use PowerShell instead to manage the Network protection feature. The following commands are available:

    • Set-MpPreference -EnableNetworkProtection Enabled
    • Set-MpPreference -EnableNetworkProtection AuditMode
    • Set-MpPreference -EnableNetworkProtection Disabled

    You need to open an elevated PowerShell prompt to run these commands:

    1. Tap on the Windows-key, type PowerShell, hold down the Shift-key and the Ctrl-key, and select PowerShell from the results to open a PowerShell interface with administrative privileges.

    Network protection events

    Events are recorded when the feature is enabled. Microsoft published a resource package that includes custom views for Event Viewer to make things easier for administrators.

    1. Download the Exploit Guard Evaluation Package from Microsoft.
    2. Extract the package to the local system.
    3. It contains custom XML views for all Exploit Guard events. You need the file np-events.xml for the custom network protection event view.
    4. Tap on the Windows-key, type Event Viewer, and select the entry that is returned by search.
    5. Select Action > Import Custom View.
    6. Load np-events.xml and select ok to add the view to the Event Viewer.

    The following events are written to the log when the security feature is enabled on Windows 10 machines:

    • Event 1125 — Audit-mode events.
    • Event 1126 — Block-mode events.
    • Event 5007 — Settings modification events
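The following PowerShell, an added example rather than code from the article, turns Network protection on in audit mode and reads the resulting events back. The Get-ExploitGuardEvents helper is mine, not a Defender cmdlet; it also covers the Attack Surface Reduction and Controlled Folder Access event IDs, which live in the same log. It assumes Windows 10 1709 or later with real-time protection enabled and an elevated prompt:

```powershell
# Added example, not code from the article. Assumes Windows 10 1709+ with
# Defender real-time protection on; run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

# Current mode as Defender stores it: 0 = Disabled, 1 = Block, 2 = AuditMode
$modes = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode' }
$np = (Get-MpPreference).EnableNetworkProtection
"Network protection is currently: $($modes[[int]$np])"

# Start in audit mode: connections to low-reputation hosts are logged (1125)
# but not blocked, so a week of events shows what Block mode would break.
Set-MpPreference -EnableNetworkProtection AuditMode

# Exploit Guard writes to one operational log. Event IDs by feature:
#   Network protection        1125 audit / 1126 block
#   Attack surface reduction  1122 audit / 1121 block
#   Controlled folder access  1124 audit / 1123 block
#   5007 = a Defender setting changed (also catches the Set-MpPreference above)
function Get-ExploitGuardEvents {
    param(
        [ValidateSet('NetworkProtection', 'ASR', 'ControlledFolderAccess', 'SettingsChange')]
        [string]$Feature = 'NetworkProtection',
        [int]$Days = 7
    )
    $ids = switch ($Feature) {
        'NetworkProtection'      { 1125, 1126 }
        'ASR'                    { 1121, 1122 }
        'ControlledFolderAccess' { 1123, 1124 }
        'SettingsChange'         { 5007 }
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $ids
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Mode';   e = { if ($_.Id -in 1122, 1124, 1125) { 'Audit' }
                               elseif ($_.Id -eq 5007) { 'Config' } else { 'Block' } } },
        @{ n = 'Detail'; e = { $_.Message -replace '\r?\n', ' ' } }
}

Get-ExploitGuardEvents -Feature NetworkProtection | Format-Table -AutoSize -Wrap
Get-ExploitGuardEvents -Feature SettingsChange -Days 1 | Format-Table -AutoSize -Wrap
```

Review the 1125 audit events for a few days before switching to Block; a line-of-business site with a poor reputation score shows up there first, and the 5007 events give you an audit trail of who changed the mode.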

    With the advancement in technology, computers are now connected to the internet most of the time. Even for most users, some of the work-related stuff is dependent on internet-powered tools.

    Even for casual home users, internet connectivity has become a necessity to access information or to just consume media content through Netflix, Amazon Prime, etc.

    However, as your computer connects to the outside world, the security risk increases too. Windows 10 comes with a built-in security tool named Windows Defender.

    Although the primary job of Windows Defender on Windows 10 is to protect the system from viruses and malware, Microsoft has also added other powerful features, such as exploit mitigation.

    In this guide, we will show you a step-by-step process on how you can enable and configure the exploit protection feature through Windows Defender application on your Windows 10 computer.

    How to enable Windows 10 Exploit Protection

    Step 1: Open Windows Defender on your computer. To do so, go to Start Menu and type in “Windows Defender” and click on the first application that you get in the search results — Windows Defender Security Center.

    Step 2: Now, in the Windows Defender, click on “App & Browser Control.”

    Step 3: Scroll down to the bottom of the screen and find “Exploit Protection.”

    Step 4: In the new window that opens, customize the system as well as program settings based on your preference.

    Step 5: When done, just click on the “Apply” button and that’s it.

    To keep your Windows 10 computer protected, also do the following, which matter just as much for the security of your system:

    • Install all the latest Windows updates. If you have disabled the automatic update on your computer, make sure to manually update at regular intervals.
    • Whenever Microsoft releases a major or latest version update for the operating system, make a point to install the newer version.
    • You can also run a full system scan periodically on your computer using the Windows Defender. It’s also a good idea to install a third-party anti-virus or anti-malware software on your device.

    Hey guys, if you recall, a few months ago I posted an article about a new security feature called Exploit Guard. In that article I did my best to summarize everything related to configuring and applying it using Group Policy. If you want to read more, please follow this link:
    https://www.pelegit.co.il/windows-10-new-security-features-eg/

    So, today I'd like to go over how to deploy the same feature using SCCM.

    We already know a little about Exploit Guard's requirements:

    • Attack Surface Reduction: devices must have Windows Defender AV real-time protection enabled.
    • Controlled folder access: devices must have Windows Defender AV real-time protection enabled.
    • Exploit protection: no Windows Defender AV requirement; the mitigations are applied by the OS itself.
    • Network protection: devices must have Windows Defender AV real-time protection enabled.

    After updating System Center Configuration Manager to version 1802, "Windows Defender Exploit Guard" is offered as an available feature. Once you enable it and install the update, you will find "Windows Defender Exploit Guard" under Assets and Compliance > Endpoint Protection:

    Let’s see how to deploy this:

    Now we have to fill in some general information for EG. I'm going to leave "Exploit Protection" aside for a moment: it requires an XML settings file, which I don't have available right now.

    The first step is to configure "Attack Surface Reduction" with the following options:

    Configure Controlled Folder Access, which blocks malicious or suspicious apps from changing files in protected folders.

    You should also add the apps that are allowed to make changes in the protected folders. For example:

    Add additional protected folders:

    Configure Network protection:

    And most important, deploy the policy to the relevant collection:

    After 30-40 minutes the clients get the policy:

    Try to compress several folders with WinRAR and save the archive into a protected location:

    Getting an error? It's because the Music folder is protected by default, as one of the user's personal folders, and WinRAR is not on the allowed list, so it is not permitted to make changes in protected folders.

    So let's allow WinRAR in Controlled folder access (from the client side here; you can do the same in SCCM), and now it works:

    First, in conclusion: if you are using CFA and have not allowed a certain app, you won't be able to do anything with that app inside a protected folder. You must allow the app!
    Secondly, you can add more folder paths as protected locations. By default the Windows folder and the user profile folders are protected, but some locations must be added manually if you want them protected.
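An added example (not from this post, nor from the forum thread earlier on the page): the same Controlled folder access configuration as the SCCM policy above, done with the Defender cmdlets on a single client, starting in audit mode so the allow-list can be built from real events before anything is blocked. It assumes Windows 10 1709 or later with real-time protection enabled and an elevated prompt; the folder and application paths are sample values:

```powershell
# Added example, not code from the post. Assumes Windows 10 1709+ with
# Defender real-time protection on; run from an elevated PowerShell prompt.
# All paths below are sample values.
#Requires -RunAsAdministrator

# Audit first: 1124 events show which apps would have been blocked, with no
# user impact. Switch to Enabled only once the allow-list is complete.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Extra locations beyond the default user-profile folders (sample paths).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance', 'D:\Backups'

# Apps that legitimately write there. CFA allows by full path, so a trusted
# app is really a trusted path: anything that can overwrite that binary
# inherits the exemption, so keep the list short and the paths admin-only.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\WinRAR\WinRAR.exe'

# Read the effective configuration back and flag allowed apps whose binary is
# writable by ordinary users (a cheap way to catch a weak allow-list entry).
function Get-CfaConfig {
    $modes = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
    $p = Get-MpPreference
    [pscustomobject]@{
        Mode             = $modes[[int]$p.EnableControlledFolderAccess]
        ProtectedFolders = @($p.ControlledFolderAccessProtectedFolders) -join '; '
        AllowedApps      = @($p.ControlledFolderAccessAllowedApplications) -join '; '
    }
}
Get-CfaConfig | Format-List

foreach ($app in @((Get-MpPreference).ControlledFolderAccessAllowedApplications)) {
    if (-not (Test-Path -LiteralPath $app)) { Write-Warning "Allowed app not found: $app"; continue }
    $acl = Get-Acl -LiteralPath $app
    $userWrite = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
        $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl'
    }
    if ($userWrite) { Write-Warning "Allowed app is writable by non-admins: $app" }
}
```

In audit mode, the Music-folder test from the post produces a 1124 event instead of an error; run the same WinRAR test again after the allow-list change and the event should disappear. Only then set -EnableControlledFolderAccess Enabled.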

    My Endpoint Protection antimalware policy is set to exclude JPG files:

    This kind of exclusion just helps the scan complete faster; these paths are skipped.

    By CHEF-KOCH

    Windows Defender Exploit Guard bundles the mitigation features needed to keep intrusion attempts at bay. Its central feature is Exploit Protection, which automatically applies many exploit-mitigation techniques. You can inspect it in Windows Defender Security Center under App & browser control > Exploit protection; the Exploit protection settings page controls both system-wide settings and per-program overrides. Let us look at how to configure and manage system and application exploit mitigations using Windows Defender Exploit Guard (WDEG).

    Windows Defender Exploit Guard

    Exploit Guard can be found in the Security Analytics dashboard of the Windows Defender ATP console. Its primary function is to enable enterprises to view how the feature is configured across their device and to drive compliance with recommendations based on best practice security configurations.

    You can configure Windows Exploit Guard for:

    • Attack surface reduction
    • Exploit Protection
    • Network Protection
    • Controlled Folder Access

    All the Windows Defender Exploit Guard components can be readily managed by:

    • Group Policy (GP)
    • System Center Configuration Manager (SCCM)
    • Mobile Device Management (MDM) such as Microsoft Intune.

    These components can run in both Audit and Block modes. If any instance of malicious behavior is observed, when Block mode is enabled, Windows Defender Exploit Guard automatically blocks the event from occurring in real-time.

    I think the new Microsoft features are good and they can definitely help keep an end-point secure, there’s no doubt about that. As long as they are used correctly and all work properly. I’ve not tested them all of course, I’ve experimented with a few Anti-Exploit features in Windows 10 though.

    Features & Benefits

    • Exploit Guard per-application mitigations for Microsoft Word, PowerPoint and Excel.
    • Block remote images: prevents loading of image files from remote devices.
    • Code integrity guard: restricts image loading to binaries signed by Microsoft or WHQL. Can optionally allow Microsoft Store-signed images.
    • Disable extension points: disables extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers.
    • Do not allow child processes: prevents an app from creating child processes. Prefer setting this one through the GUI instead of the clunky ps1 script.

    ASR rules via PowerShell script. Run PowerShell as administrator and paste these lines:

    # Block Office applications from injecting code into other processes
    Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled

    # Block Office applications from creating executable content
    Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled

    # Block JavaScript or VBScript from launching downloaded executable content
    Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled

    # Block execution of potentially obfuscated scripts
    Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled

    # Block executable content from email client and webmail
    Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled

    # Block Win32 API calls from Office macro
    Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled
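As an added example (not from the post), this PowerShell maps the GUIDs used above back to rule names, reads the effective state of every configured ASR rule, and shows staging one more rule in audit mode before committing to Block. The D4F940AB-401B-4EFC-AADC-AD5F3C50688A GUID is Microsoft's documented ID for "Block all Office applications from creating child processes"; the other names are as Microsoft documents them. It assumes Windows 10 1709 or later with real-time protection enabled and an elevated prompt:

```powershell
# Added example, not code from the post. Assumes Windows 10 1709+ with
# Defender real-time protection on; run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

# The six rules the script above enables, keyed by GUID.
$ruleNames = @{
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office apps from injecting code into other processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office apps from creating executable content'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JS/VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office apps from creating child processes'
}
# Action codes as stored in Get-MpPreference
$actions = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

# Stage one more rule in audit mode. Re-running Add-MpPreference for an ID
# that is already present updates its action rather than adding a duplicate,
# so the same line with -Actions Enabled later promotes it to Block.
Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Read back what is actually configured. The two arrays are parallel:
# Ids[i] is governed by Actions[i].
function Get-AsrRuleState {
    $p = Get-MpPreference
    for ($i = 0; $i -lt @($p.AttackSurfaceReductionRules_Ids).Count; $i++) {
        $id = $p.AttackSurfaceReductionRules_Ids[$i].ToUpper()
        [pscustomobject]@{
            RuleId = $id
            Name   = if ($ruleNames[$id]) { $ruleNames[$id] } else { '(other rule)' }
            Action = $actions[[int]$p.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}
Get-AsrRuleState | Sort-Object Action, Name | Format-Table -AutoSize

# Rules from the table above that are not configured at all, so a partial
# rollout is visible rather than silently assumed complete.
$configured = @((Get-MpPreference).AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
$ruleNames.Keys | Where-Object { $_ -notin $configured } |
    ForEach-Object { "Not configured: $($ruleNames[$_])" }

# Per-file exclusion for a line-of-business tool that trips a rule. This
# exempts the file from every ASR rule, so prefer fixing the tool; the line
# is left commented out on purpose.
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\LOB\legacy-macro-tool.exe'
```

Leave the staged rule in AuditMode for a while and review the 1122 events in the Microsoft-Windows-Windows Defender/Operational log; once nothing legitimate appears there, re-run the Add-MpPreference line with -AttackSurfaceReductionRules_Actions Enabled.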

    Windows Registry Editor Version 5.00