Protect devices from exploits

Applies to:

Exploit protection automatically applies many exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709, Windows 11, and Windows Server, version 1803.

Exploit protection works best with Defender for Endpoint - which gives you detailed reporting into exploit protection events and blocks as part of the usual alert investigation scenarios.

You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices at once.

When a mitigation is found on the device, a notification is displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.

You can also use audit mode to evaluate how exploit protection would affect your organization if it were enabled.

Many of the features in the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. In fact, you can convert and import existing your EMET configuration profiles into exploit protection. To learn more, see Import, export, and deploy exploit protection configurations.

Important

If you are currently using EMET you should be aware that EMET reached end of support on July 31, 2018. Consider replacing EMET with exploit protection in Windows 10.

Warning

Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using audit mode before deploying the configuration across a production environment or the rest of your network.

Review exploit protection events in the Microsoft Defender portal

Defender for Endpoint provides detailed reporting into events and blocks as part of its alert investigation scenarios.

You can query Defender for Endpoint data by using Advanced hunting. If you're using audit mode, you can use advanced hunting to see how exploit protection settings could affect your environment.

Here's an example query:

DeviceEvents
| where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'

Exploit Protection and advanced hunting

Below are the advanced hunting actiontypes available for Exploit Protection.

Exploit Protection mitigation name Exploit Protection - Advanced Hunting - ActionTypes
Arbitrary code guard ExploitGuardAcgAudited
ExploitGuardAcgEnforced
Don't allow child processes ExploitGuardChildProcessAudited
ExploitGuardChildProcessBlocked
Export address filtering (EAF) ExploitGuardEafViolationAudited
ExploitGuardEafViolationBlocked
Import address filtering (IAF) ExploitGuardIafViolationAudited
ExploitGuardIafViolationBlocked
Block low integrity images ExploitGuardLowIntegrityImageAudited
ExploitGuardLowIntegrityImageBlocked
Code integrity guard ExploitGuardNonMicrosoftSignedAudited
ExploitGuardNonMicrosoftSignedBlocked
• Simulate execution (SimExec)
• Validate API invocation (CallerCheck)
• Validate stack integrity (StackPivot)
ExploitGuardRopExploitAudited
ExploitGuardRopExploitBlocked
Block remote images ExploitGuardSharedBinaryAudited
ExploitGuardSharedBinaryBlocked
Disable Win32k system calls ExploitGuardWin32SystemCallAudited
ExploitGuardWin32SystemCallBlocked

Review exploit protection events in Windows Event Viewer

You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:

Provider/source Event ID Description
Security-Mitigations 1 ACG audit
Security-Mitigations 2 ACG enforce
Security-Mitigations 3 Don't allow child processes audit
Security-Mitigations 4 Don't allow child processes block
Security-Mitigations 5 Block low integrity images audit
Security-Mitigations 6 Block low integrity images block
Security-Mitigations 7 Block remote images audit
Security-Mitigations 8 Block remote images block
Security-Mitigations 9 Disable win32k system calls audit
Security-Mitigations 10 Disable win32k system calls block
Security-Mitigations 11 Code integrity guard audit
Security-Mitigations 12 Code integrity guard block
Security-Mitigations 13 EAF audit
Security-Mitigations 14 EAF enforce
Security-Mitigations 15 EAF+ audit
Security-Mitigations 16 EAF+ enforce
Security-Mitigations 17 IAF audit
Security-Mitigations 18 IAF enforce
Security-Mitigations 19 ROP StackPivot audit
Security-Mitigations 20 ROP StackPivot enforce
Security-Mitigations 21 ROP CallerCheck audit
Security-Mitigations 22 ROP CallerCheck enforce
Security-Mitigations 23 ROP SimExec audit
Security-Mitigations 24 ROP SimExec enforce
WER-Diagnostics 5 CFG Block
Win32K 260 Untrusted Font

Mitigation comparison

The mitigations available in EMET are included natively in Windows 10 (starting with version 1709), Windows 11, and Windows Server (starting with version 1803), under Exploit protection.

The table in this section indicates the availability and support of native mitigations between EMET and exploit protection.

Mitigation Available under exploit protection Available in EMET
Arbitrary code guard (ACG) Yes Yes
As "Memory Protection Check"
Block remote images Yes Yes
As "Load Library Check"
Block untrusted fonts Yes Yes
Data Execution Prevention (DEP) Yes Yes
Export address filtering (EAF) Yes Yes
Force randomization for images (Mandatory ASLR) Yes Yes
NullPage Security Mitigation Yes
Included natively in Windows 10 and Windows 11
For more information, see Mitigate threats by using Windows 10 security features
Yes
Randomize memory allocations (Bottom-Up ASLR) Yes Yes
Simulate execution (SimExec) Yes Yes
Validate API invocation (CallerCheck) Yes Yes
Validate exception chains (SEHOP) Yes Yes
Validate stack integrity (StackPivot) Yes Yes
Certificate trust (configurable certificate pinning) Windows 10 and Windows 11 provide enterprise certificate pinning Yes
Heap spray allocation Ineffective against newer browser-based exploits; newer mitigations provide better protection
For more information, see Mitigate threats by using Windows 10 security features
Yes
Block low integrity images Yes No
Code integrity guard Yes No
Disable extension points Yes No
Disable Win32k system calls Yes No
Don't allow child processes Yes No
Import address filtering (IAF) Yes No
Validate handle usage Yes No
Validate heap integrity Yes No
Validate image dependency integrity Yes No

Note

The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10 and Windows 11, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process. For more information on how Windows 10 employs existing EMET technology, see the Mitigation threats by using Windows 10 security features.

See also

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.