疑難排解惡意探索防護風險降低措施

發行項
04/26/2024

適用於：

想要體驗適用於端點的 Microsoft Defender 嗎? 注册免費試用版。

當您建立一組稱為組態) 的惡意探索保護防護 (時，您可能會發現設定匯出和匯入程式不會移除所有不必要的風險降低。

您可以在 Windows 安全性中手動移除不必要的防護功能，也可以使用下列程式來移除所有防護功能，然後改為匯入基準組態檔。

使用此 PowerShell 命令稿移除所有程式防護功能：

# Check if Admin-Privileges are available
function Test-IsAdmin {
    ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
}

# Delete ExploitGuard ProcessMitigations for a given key in the registry. If no other settings exist under the specified key,
# the key is deleted as well
function Remove-ProcessMitigations([Object] $Key, [string] $Name) {
    Try {
        if ($Key.GetValue("MitigationOptions")) {
            Write-Host "Removing MitigationOptions for:      " $Name
            Remove-ItemProperty -Path $Key.PSPath -Name "MitigationOptions" -ErrorAction Stop;
        }
        if ($Key.GetValue("MitigationAuditOptions")) {
            Write-Host "Removing MitigationAuditOptions for: " $Name
            Remove-ItemProperty -Path $Key.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
        }
        if ($Key.GetValue("EAFModules")) {
            Write-Host "Removing EAFModules for: " $Name
            Remove-ItemProperty -Path $Key.PSPath -Name "EAFModules" -ErrorAction Stop;
        }

        # Remove the FilterFullPath value if there is nothing else
        if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 1) -and ($Key.GetValue("FilterFullPath"))) {
            Remove-ItemProperty -Path $Key.PSPath -Name "FilterFullPath" -ErrorAction Stop;
        }

        # If the key is empty now, delete it
        if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 0)) {
            Write-Host "Removing empty Entry:                " $Name
            Remove-Item -Path $Key.PSPath -ErrorAction Stop
        }
    }
    Catch {
        Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
    }
}

# Delete all ExploitGuard ProcessMitigations
function Remove-All-ProcessMitigations {
    if (!(Test-IsAdmin)) {
        throw "ERROR: No Administrator-Privileges detected!"; return
    }

    Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | ForEach-Object {
        $MitigationItem = $_;
        $MitigationItemName = $MitigationItem.PSChildName

        Try {
            Remove-ProcessMitigations $MitigationItem $MitigationItemName

            # "UseFilter" indicate full path filters may be present
            if ($MitigationItem.GetValue("UseFilter")) {
                Get-ChildItem -Path $MitigationItem.PSPath | ForEach-Object {
                    $FullPathItem = $_
                    if ($FullPathItem.GetValue("FilterFullPath")) {
                        $Name = $MitigationItemName + "-" + $FullPathItem.GetValue("FilterFullPath")
                        Write-Host "Removing FullPathEntry:              " $Name
                        Remove-ProcessMitigations $FullPathItem $Name
                    }

                    # If there are no subkeys now, we can delete the "UseFilter" value
                    if ($MitigationItem.SubKeyCount -eq 0) {
                        Remove-ItemProperty -Path $MitigationItem.PSPath -Name "UseFilter" -ErrorAction Stop
                    }
                }
            }
            if (($MitigationItem.SubKeyCount -eq 0) -and ($MitigationItem.ValueCount -eq 0)) {
                Write-Host "Removing empty Entry:                " $MitigationItemName
                Remove-Item -Path $MitigationItem.PSPath -ErrorAction Stop
            }
        }
        Catch {
            Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
        }
    }
}

# Delete all ExploitGuard System-wide Mitigations
function Remove-All-SystemMitigations {

    if (!(Test-IsAdmin)) {
        throw "ERROR: No Administrator-Privileges detected!"; return
    }

    $Kernel = Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel"

    Try {
        if ($Kernel.GetValue("MitigationOptions"))
            { Write-Host "Removing System MitigationOptions"
                Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationOptions" -ErrorAction Stop;
            }
        if ($Kernel.GetValue("MitigationAuditOptions"))
            { Write-Host "Removing System MitigationAuditOptions"
                Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
            }
    } Catch {
        Write-Host "ERROR:" $_.Exception.Message "- System"
    }
}

Remove-All-ProcessMitigations
Remove-All-SystemMitigations

Create 並匯入具有下列預設防護功能的 XML 組態檔，如匯入、匯出和部署惡意探索保護組態中所述：

 <?xml version="1.0" encoding="UTF-8"?>
 <root>
    <SystemConfig/>
    <AppConfig Executable="ExtExport.exe">
       <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
    </AppConfig>
    <AppConfig Executable="ie4uinit.exe">
      <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
    </AppConfig>
    <AppConfig Executable="ieinstal.exe">
   <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
    </AppConfig>
    <AppConfig Executable="ielowutil.exe">
      <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
    </AppConfig>
   <AppConfig Executable="ieUnatt.exe">
      <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
    </AppConfig>
   <AppConfig Executable="iexplore.exe">
      <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
    </AppConfig>
   <AppConfig Executable="mscorsvw.exe">
       <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
    </AppConfig>
    <AppConfig Executable="msfeedssync.exe">
       <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
    </AppConfig>
    <AppConfig Executable="mshta.exe">
       <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
    </AppConfig>
    <AppConfig Executable="ngen.exe">
       <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
    </AppConfig>
    <AppConfig Executable="ngentask.exe">
       <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
    </AppConfig>
    <AppConfig Executable="PresentationHost.exe">
       <DEP Enable="true" OverrideDEP="false" EmulateAtlThunks="false"/>
       <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true" OverrideBottomUp="false" HighEntropy="true" BottomUp="true"/>
       <SEHOP Enable="true" OverrideSEHOP="false" TelemetryOnly="false"/>
       <Heap OverrideHeap="false" TerminateOnError="true"/>
    </AppConfig>
    <AppConfig Executable="PrintDialog.exe">
       <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
    </AppConfig>
    <AppConfig Executable="PrintIsolationHost.exe"/>
    <AppConfig Executable="runtimebroker.exe">
       <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
    </AppConfig>
        <AppConfig Executable="splwow64.exe"/>
    <AppConfig Executable="spoolsv.exe"/>
    <AppConfig Executable="svchost.exe"/>
    <AppConfig Executable="SystemSettings.exe">
       <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
    </AppConfig>
</root>

如果您還沒有這麼做，建議您下載並使用 Windows 安全性基準來完成惡意探索保護自定義。

提示

想要深入了解? Engage 技術社群中的 Microsoft 安全性社群：適用於端點的 Microsoft Defender 技術社群。

共用方式為

疑難排解惡意探索防護風險降低措施

意見反應

其他資源

共用方式為

疑難排解惡意探索防護風險降低措施

相關主題

意見反應

其他資源