Windows 10: Windows Defender Exploit Guard-Exploit Protection
Applies to:
Windows Server 2019
Windows 10 1809
Windows 10 1803
Windows 10 1709
Security Administrators, if you have not heard of the Enhanced Mitigation Experience Toolkit (EMET), it was a preventive tool against 0-day attacks.
Its replacement in Windows 10 1709 or later and Windows Server 2019 is called "Windows Defender Exploit Guard: Exploit Protection".
A frequently asked question is, for Windows Defender Exploit Guard: Exploit Protection, do I need Windows Defender Antivirus (WD AV)?
The answer is no, you don’t need WD AV, but the other 3 components of Windows Defender Exploit Guard do require WD AV.
[What is Windows Defender Exploit Guard - Exploit Protection?]
Moving Beyond EMET
https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/
Moving Beyond EMET II – Windows Defender Exploit Guard
https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/
Windows Defender Exploit Guard
/en-us/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard
[So why Windows Defender Exploit Guard: Exploit Protection?]
If you have been keeping up with the Internet Explorer 0-day vulnerabilities that came up maybe twice a year, security tools such as EMET stopped those in their tracks.
"Exploit Protection" is here to do the same type of work.
Here are some nice blog posts that go over the details of the mitigations that Windows Defender Exploit Guard: Exploit Protection stops:
The Impact of Security Science in Protecting Customers
https://cloudblogs.microsoft.com/microsoftsecure/2013/07/25/the-impact-of-security-science-in-protecting-customers/
Software Defense: mitigating heap corruption vulnerabilities
https://blogs.technet.microsoft.com/srd/2013/10/29/software-defense-mitigating-heap-corruption-vulnerabilities/
Software Defense Series: Exploit mitigation and vulnerability detection
https://blogs.technet.microsoft.com/srd/2013/09/27/software-defense-series-exploit-mitigation-and-vulnerability-detection/
Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP
https://blogs.technet.microsoft.com/srd/2009/02/02/preventing-the-exploitation-of-structured-exception-handler-seh-overwrites-with-sehop/
Preventing the exploitation of user mode heap corruption vulnerabilities
https://blogs.technet.microsoft.com/srd/2009/08/04/preventing-the-exploitation-of-user-mode-heap-corruption-vulnerabilities/
Clarifying the behavior of mandatory ASLR
https://blogs.technet.microsoft.com/srd/2017/11/21/clarifying-the-behavior-of-mandatory-aslr/
[Test / Deploy WD Exploit Guard: Exploit Protection]
Windows Defender Antivirus & Exploit Guard protection evaluation guide
https://www.microsoft.com/en-us/download/details.aspx?id=54795
TIP 1: Just like with EMET, you want to add exclusions for the mitigations that aren't compatible with a given third-party application, as described in:
2909257 EMET mitigations guidelines
https://support.microsoft.com/?id=2909257
TIP 2: Just like with EMET, for application compatibility reasons you are better off turning off one, two or three specific mitigations for that application, rather than turning off all of the mitigations that Windows Defender Exploit Guard: Exploit Protection offers.
TIP 3: I would highly recommend setting it to audit mode for a month or so, and checking whether there are compatibility warnings for your line-of-business applications.
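The three tips above, carried out with the built-in ProcessMitigations cmdlets that ship with Windows 10 1709+ and Windows Server 2019. This is an added example, not code from the original post: "LobApp.exe" is a hypothetical line-of-business executable, the choice of which mitigations to audit and which single one to disable is illustrative, and the mitigation names should be checked against `Get-Help Set-ProcessMitigation -Parameter Enable` on your build.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell session.
# $app is a hypothetical line-of-business executable; substitute your own.
$app = 'LobApp.exe'

# TIP 3: start in audit mode. The Audit* switches only log what the mitigation
# would have blocked (Security-Mitigations event log); the process keeps running.
Set-ProcessMitigation -Name $app -Enable AuditDynamicCode, AuditEnableRopStackPivot, AuditEnableRopCallerCheck, AuditEnableRopSimExec

# TIP 1 / TIP 2: when the audit period shows a real compatibility problem, turn off
# only the offending mitigation for that one executable. In this illustrative case
# the app cannot cope with mandatory ASLR, so only ForceRelocateImages is disabled;
# DEP, SEHOP and CFG stay enforced rather than switching the whole feature off.
Set-ProcessMitigation -Name $app -Disable ForceRelocateImages -Enable DEP, SEHOP, CFG

# Verify what is now applied to this executable.
Get-ProcessMitigation -Name $app

# Export the machine's full Exploit Protection configuration to XML so the same
# per-app settings can be rolled out elsewhere (Group Policy, Intune, or the import below).
$policy = Join-Path $env:TEMP 'ExploitProtection.xml'
Get-ProcessMitigation -RegistryConfigFilePath $policy

# On a target machine, apply the exported policy:
# Set-ProcessMitigation -PolicyFilePath $policy
```

Keeping the exception scoped to one executable and one mitigation is the point of TIP 2: every other process on the machine, and every other mitigation for that app, keeps its protection while the audit log tells you whether the exception is actually needed.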
List of "attack surface reduction" events, including the ones raised by WD EG EP:
/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard#list-of-attack-surface-reduction-events
Use "custom views" in "Event Viewer" to review the WD EG EP events:
XML for exploit protection events
/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard#xml-for-exploit-protection-events
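The same XML query that backs an Event Viewer custom view can be fed to `Get-WinEvent`, which makes a month of audit-mode data reviewable as one table instead of clicking through events. This is an added example rather than code from the original post or the linked docs; the two Security-Mitigations channel names are assumed from the Windows 10 1709+ event log layout (confirm with `Get-WinEvent -ListLog *Security-Mitigations*`), and the process path is pulled from the message text with a generic regex rather than relying on a per-event-ID field layout.

```powershell
# Added example (not from the original post): summarise Exploit Protection
# audit/block events by event ID and process. Channel names are an assumption;
# verify with: Get-WinEvent -ListLog *Security-Mitigations*
function Get-ExploitProtectionSummary {
    param([int]$MaxEvents = 5000)

    # Same shape of query an Event Viewer custom view uses.
    $query = @'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Security-Mitigations/UserMode">
    <Select Path="Microsoft-Windows-Security-Mitigations/UserMode">*</Select>
    <Select Path="Microsoft-Windows-Security-Mitigations/KernelMode">*</Select>
  </Query>
</QueryList>
'@

    # Get-WinEvent raises a non-terminating error when a channel is empty; treat that as "no events".
    $events = Get-WinEvent -FilterXml ([xml]$query) -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning 'No Exploit Protection events found (or the log channels are missing on this build).'
        return
    }

    $events |
        ForEach-Object {
            # Pull the first Windows executable path out of the message text.
            $proc = if ($_.Message -match '([A-Za-z]:\\[^\r\n"]+?\.exe)') { $Matches[1] } else { '<unknown>' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Log         = $_.LogName
                Process     = $proc
            }
        } |
        Group-Object EventId, Process |
        Sort-Object Count -Descending |
        Select-Object Count,
                      @{ n = 'EventId'; e = { $_.Group[0].EventId } },
                      @{ n = 'Process'; e = { $_.Group[0].Process } },
                      @{ n = 'Log';     e = { $_.Group[0].Log } },
                      @{ n = 'Last';    e = { ($_.Group | Sort-Object TimeCreated)[-1].TimeCreated } }
}

Get-ExploitProtectionSummary | Format-Table -AutoSize
```

Run it at the end of the audit period (TIP 3): a process that shows up repeatedly under the same event ID is the candidate for a single per-app exclusion, while a process that never appears can go straight to enforce mode.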
Thanks,
Yong