Windows 10: Windows Defender Exploit Guard: Exploit Protection


Applies to:

Windows Server 2019

Windows 10 1809

Windows 10 1803

Windows 10 1709


Security administrators: if you have not heard of the Enhanced Mitigation Experience Toolkit (EMET), it was a preventive tool against 0-day attacks.

Its replacement in Windows 10 1709 or later and Windows Server 2019 is called "Windows Defender Exploit Guard: Exploit Protection".


A frequently asked question is: for Windows Defender Exploit Guard: Exploit Protection, do I need Windows Defender Antivirus (WD AV)?

The answer is no, you don't need WD AV for Exploit Protection, but the other 3 components of Windows Defender Exploit Guard do require WD AV.



[What is Windows Defender Exploit Guard - Exploit Protection?]



Moving Beyond EMET
https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/

Moving Beyond EMET II – Windows Defender Exploit Guard
https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/

Windows Defender Exploit Guard
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard



[So why Windows Defender Exploit Guard: Exploit Protection?]

If you have been keeping up with Internet Explorer 0-day vulnerabilities, which came up maybe twice a year, security tools such as EMET stopped them in their tracks.

"Exploit Protection" is here to do the same type of work.


Here are some nice blog posts that go over the details of the mitigations Windows Defender Exploit Guard: Exploit Protection applies and the exploit techniques they stop:

The Impact of Security Science in Protecting Customers
https://cloudblogs.microsoft.com/microsoftsecure/2013/07/25/the-impact-of-security-science-in-protecting-customers/

Software Defense: mitigating heap corruption vulnerabilities
https://blogs.technet.microsoft.com/srd/2013/10/29/software-defense-mitigating-heap-corruption-vulnerabilities/

Software Defense Series: Exploit mitigation and vulnerability detection
https://blogs.technet.microsoft.com/srd/2013/09/27/software-defense-series-exploit-mitigation-and-vulnerability-detection/

Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP
https://blogs.technet.microsoft.com/srd/2009/02/02/preventing-the-exploitation-of-structured-exception-handler-seh-overwrites-with-sehop/

Preventing the exploitation of user mode heap corruption vulnerabilities
https://blogs.technet.microsoft.com/srd/2009/08/04/preventing-the-exploitation-of-user-mode-heap-corruption-vulnerabilities/

Clarifying the behavior of mandatory ASLR
https://blogs.technet.microsoft.com/srd/2017/11/21/clarifying-the-behavior-of-mandatory-aslr/


[Test / Deploy WD Exploit Guard: Exploit Protection]

Windows Defender Antivirus & Exploit Guard protection evaluation guide

https://www.microsoft.com/en-us/download/details.aspx?id=54795

TIP 1: Just like with EMET, you want to add exclusions for the mitigations that aren't compatible with third-party applications, as described in:

KB 2909257: EMET mitigations guidelines

https://support.microsoft.com/?id=2909257


TIP 2: Just like with EMET, for application compatibility reasons you are better off turning off only the 1, 2 or 3 mitigations that cause the problem, rather than turning off all the mitigations that Windows Defender Exploit Guard: Exploit Protection offers.


TIP 3: I would highly recommend setting it to audit mode for a month or so and checking whether there are compatibility warnings for your line-of-business applications.
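The three tips above, carried out from an elevated PowerShell with the built-in ProcessMitigation cmdlets. This is an added example, not code from the original post or from Microsoft; `lob-app.exe` is a placeholder for your own line-of-business executable, and the Audit* values are the cmdlet's documented audit-mode switches for the per-process mitigations that most often break third-party code:

```powershell
# Added example (not from the original post): put selected Exploit Protection
# mitigations into audit mode for one line-of-business executable, leave the
# system-wide defaults enforced, and export the result as XML so the same
# settings can later be pushed by Group Policy or Intune.
# 'lob-app.exe' is a placeholder; replace it with your application.
# Requires an elevated PowerShell on Windows 10 1709+ / Server 2019.

$app = 'lob-app.exe'

# Audit-mode switches for the per-process mitigations that most often cause
# compatibility problems (TIP 3: audit first, enforce later).
$auditMitigations = @(
    'AuditDynamicCode',               # Arbitrary Code Guard
    'AuditEnableExportAddressFilter', # Export Address Filtering (EAF)
    'AuditEnableImportAddressFilter', # Import Address Filtering (IAF)
    'AuditEnableRopStackPivot',       # Validate stack integrity
    'AuditEnableRopCallerCheck',      # Validate API invocation
    'AuditEnableRopSimExec'           # Simulate execution
)

Set-ProcessMitigation -Name $app -Enable $auditMitigations

# TIP 1 / TIP 2: if one mitigation still proves incompatible after the audit
# period, disable only that one for this application rather than all of them.
# Example (not run here):
#   Set-ProcessMitigation -Name $app -Disable EnableExportAddressFilter

# Confirm what is now configured for the application
Get-ProcessMitigation -Name $app

# Export the full current configuration (system defaults plus per-app
# overrides) for deployment to other machines
$out = Join-Path $env:TEMP 'ExploitProtectionSettings.xml'
Get-ProcessMitigation -RegistryConfigFilePath $out
Write-Host "Exported Exploit Protection settings to $out"
```

The exported XML is the same format the Exploit Protection settings UI imports, so it can be reviewed in change control and deployed with `Set-ProcessMitigation -PolicyFilePath` on other hosts once the audit month is over.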


List of Exploit Guard events, including the 'attack surface reduction' and WD EG EP (Exploit Protection) events:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard#list-of-attack-surface-reduction-events


Use a "custom view" in "Event Viewer" to review the WD EG EP events:

XML for exploit protection events

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard#xml-for-exploit-protection-events
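The same review can be scripted instead of clicking through a custom view. The following is an added example, not code from the original post or from Microsoft: it reads the Security-Mitigations channels and summarises audit and block events per image and per mitigation for the audit month. The channel names and the event-id table are taken from the Exploit Guard event-views documentation linked above; treat the table and the message regex as assumptions to verify on your own build:

```powershell
# Added example (not part of the original post): summarise Exploit Protection
# audit and block events per application and per mitigation so the audit
# period (TIP 3) can be reviewed without clicking through Event Viewer.
# Channel names and the id table follow the Exploit Guard event-views doc;
# verify the table against your build. Run in an elevated PowerShell.

$channels = @(
    'Microsoft-Windows-Security-Mitigations/KernelMode',
    'Microsoft-Windows-Security-Mitigations/UserMode'
)

# Odd ids are audit-mode ("would have blocked"), even ids are enforced blocks.
$mitigationById = @{
     1 = 'ACG';                           2 = 'ACG'
     3 = 'Do not allow child processes';  4 = 'Do not allow child processes'
     5 = 'Block low integrity images';    6 = 'Block low integrity images'
     7 = 'Block remote images';           8 = 'Block remote images'
     9 = 'Disable win32k system calls';  10 = 'Disable win32k system calls'
    11 = 'Code integrity guard';         12 = 'Code integrity guard'
    13 = 'EAF';                          14 = 'EAF'
    15 = 'EAF+';                         16 = 'EAF+'
    17 = 'IAF';                          18 = 'IAF'
    19 = 'ROP StackPivot';               20 = 'ROP StackPivot'
    21 = 'ROP CallerCheck';              22 = 'ROP CallerCheck'
    23 = 'ROP SimExec';                  24 = 'ROP SimExec'
}

function Get-ExploitProtectionSummary {
    param([int]$Days = 30)

    $since  = (Get-Date).AddDays(-$Days)
    $events = foreach ($ch in $channels) {
        # SilentlyContinue: an empty channel is normal and must not abort the loop
        Get-WinEvent -FilterHashtable @{ LogName = $ch; StartTime = $since } `
                     -ErrorAction SilentlyContinue
    }

    $events | ForEach-Object {
        # Assumption: the event message names the affected image path; pull the
        # first *.exe / *.dll token out of it for grouping.
        $image = if ($_.Message -match '([^\s''"]+\.(exe|dll))') { $Matches[1] } else { '(unknown)' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Id         = $_.Id
            Mode       = if ($_.Id % 2 -eq 1) { 'Audit' } else { 'Block' }
            Mitigation = if ($mitigationById.ContainsKey($_.Id)) { $mitigationById[$_.Id] } else { "Id $($_.Id)" }
            Image      = $image
        }
    }
}

# Per-application, per-mitigation counts: the candidates for an exclusion
# (TIP 1) versus the mitigations that can stay enforced after the audit month.
$summary = Get-ExploitProtectionSummary -Days 30
$summary |
    Group-Object Image, Mitigation, Mode |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Keep the raw rows for the change-control record
$summary | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'ep-audit-summary.csv')
```

An application that shows only a handful of audit events for one mitigation over the month is the case TIP 2 describes: disable that single mitigation for it rather than exempting the application from Exploit Protection altogether.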


Thanks,

Yong

