Evaluate exploit protection
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
Exploit protection helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. (The EMET has reached its end of support.)
In audit, you can see how mitigation works for certain apps in a test environment. This shows what would happen if you enable exploit protection in your production environment. This way, you can verify that exploit protection doesn't adversely affect your line-of-business apps, and see which suspicious or malicious events occur.
Generic guidelines
Exploit protection mitigations work at a low level in the operating system, and some kinds of software that perform similar low-level operations might have compatibility issues when they're configured to be protected by using exploit protection.
What kinds of software shouldn't be protected by exploit protection?
- Anti-malware and intrusion prevention or detection software
- Debuggers
- Software that handles digital rights management (DRM) technologies (for example, video games)
- Software that uses anti-debugging, obfuscation, or hooking technologies
For what types of applications should you consider enabling exploit protection?
Applications that receive or handle untrusted data.
What types of processes are out of scope for exploit protection?
Services
- System services
- Network services
Exploit protection mitigations enabled by default
Mitigation | Enabled by default |
---|---|
Data Execution Prevention (DEP) | 64-bit and 32-bit applications |
Validate exception chains (SEHOP) | 64-bit applications |
Validate heap integrity | 64-bit and 32-bit applications |
Deprecated "Program settings" mitigations
“Program settings” mitigations | Reason |
---|---|
Export address filtering (EAF) | Application compatibility issues |
Import address filtering (IAF) | Application compatibility issues |
Simulate execution (SimExec) | Replaced with Arbitrary Code Guard (ACG) |
Validate API invocation (CallerCheck) | Replaced with Arbitrary Code Guard (ACG) |
Validate stack integrity (StackPivot) | Replaced with Arbitrary Code Guard (ACG) |
Office application best practices
Instead of using Exploit Protection for Office applications such as Outlook, Word, Excel, PowerPoint, and OneNote, consider using a more modern approach to prevent their misuse: Attack Surface Reduction rules (ASR rules):
- Block executable content from email client and webmail
- Block Office applications from creating executable content
- Block all Office applications from creating child processes
- Block Office communication application from creating child processes
- Block Office applications from injecting code into other processes
- Block execution of potentially obfuscated scripts
- Block Win32 API calls from Office macros
For Adobe Reader use the following ASR rule:
- Block Adobe Reader from creating child processes
Application compatibility list
The following table lists specific products that have compatibility issues with the mitigations that are included in exploit protection. You must disable the specific incompatible mitigations if you want to protect the product by using exploit protection. Be aware that this list is based on the default settings of the latest versions of each product. Compatibility issues can be introduced when you apply certain add-ins or other components to the standard software.
Product | Exploit protection mitigation |
---|---|
.NET 2.0/3.5 | EAF/IAF |
7-Zip Console/GUI/File Manager | EAF |
AMD 62xx processors | EAF |
Avecto (Beyond Trust) Power Broker | EAF, EAF+, Stack Pivot |
Certain AMD (ATI) video drivers | System ASLR=AlwaysOn |
DropBox | EAF |
Excel Power Query, Power View, Power Map and PowerPivot | EAF |
Google Chrome | EAF+ |
Immidio Flex+ | EAF |
Microsoft Office Web Components (OWC) | System DEP=AlwaysOn |
Microsoft PowerPoint | EAF |
Microsoft Teams | EAF+ |
Oracle Javaǂ | Heapspray |
Pitney Bowes Print Audit 6 | SimExecFlow |
Siebel CRM version 8.1.1.9 | SEHOP |
Skype | EAF |
SolarWinds Syslogd Manager | EAF |
Windows Media Player | MandatoryASLR, EAF |
ǂ EMET mitigations might be incompatible with Oracle Java when they're run by using settings that reserve a large chunk of memory for the virtual machine (that is, by using the -Xms option).
Enable exploit protection system settings for testing
These Exploit Protection system settings are enabled by default except for the Mandatory Address Space Layout Randomization (ASLR) on Windows 10 and later, Windows Server 2019 and later, and on Windows Server version 1803 core edition and later.
System settings | Setting |
---|---|
Control flow guard (CFG) | Use default (On) |
Data Execution Prevention (DEP) | Use default (On) |
Force randomization for images (Mandatory ASLR) | Use default (Off) |
Randomize memory allocations (Bottom-up ASLR) | Use default (On) |
High-entropy ASLR | Use default (On) |
Validate exception chains (SEHOP) | Use default (On) |
The XML sample for these system settings is available below:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
  <SystemConfig>
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR ForceRelocateImages="false" RequireInfo="false" BottomUp="true" HighEntropy="true" />
    <ControlFlowGuard Enable="true" SuppressExports="false" />
    <SEHOP Enable="true" TelemetryOnly="false" />
    <Heap TerminateOnError="true" />
  </SystemConfig>
</MitigationPolicy>
```
Enable exploit protection program settings for testing
Tip
We highly recommend reviewing the modern approach for vulnerability mitigations, which is to use Attack Surface Reduction rules (ASR rules).
You can set mitigations in a testing mode for specific programs by using the Windows Security app or Windows PowerShell.
Windows Security app
Open the Windows Security app. Select the shield icon in the task bar or search the start menu for Windows Security.
Select the App & browser control tile (or the app icon on the left menu bar) and then select Exploit protection.
Go to Program settings and choose the app you want to apply protection to:
If the app you want to configure is already listed, select it and then select Edit.
If the app isn't listed at the top of the list select Add program to customize. Then, choose how you want to add the app.
- Use Add by program name to have the mitigation applied to any running process with that name. Specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use Choose exact file path to use a standard Windows Explorer file picker window to find and select the file you want.
After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing Audit applies the mitigation in test mode only. You're notified if you need to restart the process, app, or Windows.
Repeat this procedure for all the apps and mitigations you want to configure. Select Apply when you're done setting up your configuration.
PowerShell
To set app-level mitigations to test mode, use the Set-ProcessMitigation cmdlet with the audit-mode mitigation names listed in the table below.
Configure each mitigation in the following format:

```powershell
Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>
```
Where:
- <Scope>: -Name to indicate that the mitigations should be applied to a specific app. Specify the app's executable after this flag.
- <Action>: -Enable to enable the mitigation; -Disable to disable the mitigation.
- <Mitigation>: the mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma.
Mitigation | Test mode cmdlet |
---|---|
Arbitrary Code Guard (ACG) | AuditDynamicCode |
Block low integrity images | AuditImageLoad |
Block untrusted fonts | AuditFont, FontAuditOnly |
Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned |
Disable Win32k system calls | AuditSystemCall |
Don't allow child processes | AuditChildProcess |
For example, to enable Arbitrary Code Guard (ACG) in test mode for an app named testing.exe, run the following command:
```powershell
Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
```

You can disable audit mode by replacing -Enable with -Disable.
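The following script is an added example, not from this page or from Microsoft's own documentation. It puts several of the audit-mode mitigations from the table above onto one line-of-business app in a single call and then reads the per-process policy back so you can confirm what was applied. The $AppPath value is a placeholder, and the property names read from Get-ProcessMitigation are assumed from its object output.

```powershell
# Added example (not from the Microsoft docs page): enable several mitigations in
# audit mode for one app, then verify the resulting per-process policy.
# Requires an elevated PowerShell session on Windows 10 / Server 2019 or later.
# $AppPath is a placeholder; point it at the real executable.
$AppPath = 'C:\apps\lob\tests\testing.exe'

# Audit-mode mitigation names from the table above. In audit mode each one logs
# what it would have blocked to the Security-Mitigations event log, nothing is enforced.
$AuditMitigations = @(
    'AuditDynamicCode',   # Arbitrary Code Guard (ACG)
    'AuditChildProcess',  # Don't allow child processes
    'AuditImageLoad',     # Block low integrity images
    'AuditSystemCall'     # Disable Win32k system calls
)

# -Enable accepts a comma-separated list, so one call covers all four.
Set-ProcessMitigation -Name $AppPath -Enable $AuditMitigations

# Read the effective settings back by executable name (assumption: Get-ProcessMitigation
# -Name keys on the file name). The sub-object property names below are assumed from
# the cmdlet's output object and should be checked against your Windows build.
$ExeName = Split-Path -Leaf $AppPath
$Policy  = Get-ProcessMitigation -Name $ExeName
[PSCustomObject]@{
    App                 = $ExeName
    ACG_Audit           = $Policy.DynamicCode.Audit
    ChildProcess_Audit  = $Policy.ChildProcess.Audit
    LowLabelImage_Audit = $Policy.ImageLoad.AuditLowLabelImageLoads
    Win32k_Audit        = $Policy.SystemCall.Audit
}
```

Run it once per app you are vetting, then leave the app in normal use for a test period before reviewing the audit events.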
Review exploit protection audit events
To review which apps would be blocked, open Event Viewer and filter for the following events in the Security-Mitigations log.
Feature | Provider/source | Event ID | Description |
---|---|---|---|
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit |
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit |
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit |
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit |
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit |
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit |
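The script below is an added example, not from this page, that collects the audit events from the table above with Get-WinEvent and summarises them per mitigation so you can see which apps would have been affected before switching from audit to enforce. It assumes the two Security-Mitigations channels are named Microsoft-Windows-Security-Mitigations/KernelMode and /UserMode, and it flattens each event's EventData generically rather than relying on fixed field positions.

```powershell
# Added example (not from the Microsoft docs page): pull exploit protection audit
# events from the Security-Mitigations logs and summarise what would have been blocked.
# Run elevated; set $Since to the start of your test window.
$Since = (Get-Date).AddDays(-7)

# Event ID -> description, taken from the table above.
$AuditEvents = @{
    1  = 'ACG audit'
    3  = 'Do not allow child processes audit'
    5  = 'Block low integrity images audit'
    7  = 'Block remote images audit'
    9  = 'Disable win32k system calls audit'
    11 = 'Code integrity guard audit'
}

# Kernel-mode and user-mode channels of the Security-Mitigations provider
# (channel names are an assumption; check Get-WinEvent -ListLog *Mitigations*).
$Logs = @(
    'Microsoft-Windows-Security-Mitigations/KernelMode',
    'Microsoft-Windows-Security-Mitigations/UserMode'
)

$Events = foreach ($Log in $Logs) {
    Get-WinEvent -FilterHashtable @{
        LogName   = $Log
        Id        = @($AuditEvents.Keys)
        StartTime = $Since
    } -ErrorAction SilentlyContinue
}

# Flatten each event's EventData into name=value pairs so the process and
# mitigation details are visible without assuming fixed property positions.
$Rows = foreach ($E in $Events) {
    $Fields = @{}
    foreach ($D in ([xml]$E.ToXml()).Event.EventData.Data) {
        if ($D.Name) { $Fields[$D.Name] = $D.'#text' }
    }
    [PSCustomObject]@{
        Time       = $E.TimeCreated
        Log        = $E.LogName
        Id         = $E.Id
        Mitigation = $AuditEvents[[int]$E.Id]
        Details    = ($Fields.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
    }
}

# Count per mitigation first, then list the details so each flagged app can be
# vetted or exempted before the mitigation is moved from audit to enforce.
$Rows | Group-Object Mitigation | Select-Object Count, Name | Sort-Object Count -Descending
$Rows | Sort-Object Time | Format-Table -AutoSize -Wrap
```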
See also
- Enable exploit protection
- Configure and audit exploit protection mitigations
- Import, export, and deploy exploit protection configurations
- Troubleshoot exploit protection