
Windows 10: Windows Defender Exploit Guard-Exploit Protection

Applies to:

Windows Server 2019

Windows 10 1809

Windows 10 1803

Windows 10 1709

Security administrators: if you have not heard of the Enhanced Mitigation Experience Toolkit (EMET), it was a preventive tool against 0-day attacks.

Its replacement in Windows 10 1709 or later and Windows Server 2019 is called "Windows Defender Exploit Guard: Exploit Protection".

A frequently asked question is, for Windows Defender Exploit Guard: Exploit Protection, do I need Windows Defender Antivirus (WD AV)?

The answer is no, you don’t need WD AV, but the other 3 components of Windows Defender Exploit Guard do require WD AV.

[What is Windows Defender Exploit Guard - Exploit Protection?]

    Moving Beyond EMET

    Moving Beyond EMET II – Windows Defender Exploit Guard

    Windows Defender Exploit Guard

[So why Windows Defender Exploit Guard: Exploit Protection?]

If you have been keeping up with Internet Explorer 0-day vulnerabilities, which came up maybe twice a year, security tools such as EMET stopped these in their tracks.

"Exploit Protection" is here to do the same type of work.

Here are some nice blog posts that go over the details of the mitigations that Windows Defender Exploit Guard: Exploit Protection provides:

    The Impact of Security Science in Protecting Customers

    Software Defense: mitigating heap corruption vulnerabilities

    Software Defense Series: Exploit mitigation and vulnerability detection

    Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP

    Preventing the exploitation of user mode heap corruption vulnerabilities

    Clarifying the behavior of mandatory ASLR

[Test / Deploy WD Exploit Guard: Exploit Protection]

Windows Defender Antivirus & Exploit Guard protection evaluation guide

TIP 1: Just like EMET, you want to add exclusions for the mitigations that aren’t compatible with third-party applications, as described in:

2909257 EMET mitigations guidelines

TIP 2: Just like EMET, you are better off turning off one, two or three mitigations for application compatibility reasons, rather than turning off all the mitigations that Windows Defender Exploit Guard: Exploit Protection offers.

TIP 3: I would highly recommend setting it to audit mode for a month or so and checking whether compatibility warnings appear for your line-of-business applications.

List of ‘attack surface reduction’ events, such as those for WD EG EP:

Use “custom views” in “Event Viewer” to review WD EG EP events:

XML for exploit protection events
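As an added example (not from the original post) covering TIP 3 and the Event Viewer step in PowerShell: this puts the audit-mode variants of several mitigations on a hypothetical line-of-business executable, then pulls the audit events that Exploit Protection recorded over the last month so a noisy mitigation can be excluded on its own (TIP 2). `lobapp.exe` is a placeholder; the mitigation switch names are the documented Audit* switches of Set-ProcessMitigation, and an elevated session on Windows 10 1709+ or Server 2019 is assumed.

```powershell
# Added example (not from the original post). Assumes Windows 10 1709+ / Server 2019
# and an elevated PowerShell session. 'lobapp.exe' is a placeholder for a
# line-of-business executable you want to evaluate before enforcing mitigations.
$App = 'lobapp.exe'

# TIP 3: start in audit mode. Only some mitigations have an audit variant; the ones
# below are the documented Audit* switches of Set-ProcessMitigation.
$AuditMitigations = @(
    'AuditDynamicCode',               # Arbitrary code guard (ACG)
    'AuditEnableExportAddressFilter', # Export address filtering (EAF)
    'AuditEnableImportAddressFilter', # Import address filtering (IAF)
    'AuditEnableRopStackPivot',       # Validate stack integrity (StackPivot)
    'AuditEnableRopCallerCheck',      # Validate API invocation (CallerCheck)
    'AuditEnableRopSimExec',          # Simulate execution (SimExec)
    'AuditChildProcess'               # Don't allow child processes
)
Set-ProcessMitigation -Name $App -Enable $AuditMitigations

# Confirm what is now configured for the executable.
Get-ProcessMitigation -Name $App

# Review what audit mode recorded. Exploit Protection writes to the
# Security-Mitigations logs; the Win32k/Operational log carries the font and
# system-call events. Look back ~30 days, matching the one-month audit window.
$Logs = @(
    'Microsoft-Windows-Security-Mitigations/UserMode',
    'Microsoft-Windows-Security-Mitigations/KernelMode',
    'Microsoft-Windows-Win32k/Operational'
)
$Since = (Get-Date).AddDays(-30)
$Events = foreach ($Log in $Logs) {
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when a log has no matches.
    Get-WinEvent -FilterHashtable @{ LogName = $Log; StartTime = $Since } -ErrorAction SilentlyContinue
}

# Summarise by log and event ID so a noisy mitigation stands out; TIP 2 then says
# to exclude only that mitigation for the app rather than disabling all of them.
$Events |
    Group-Object LogName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Sample'; e = { ($_.Group[0].Message -split "`n")[0] } } |
    Format-Table -AutoSize

# Once the audit period is clean, export the settings as XML for deployment
# (Group Policy / Intune, or Set-ProcessMitigation -PolicyFilePath on other hosts).
Get-ProcessMitigation -RegistryConfigFilePath .\ExploitProtection-audit.xml
```

The same three log paths are what an Event Viewer custom view for Exploit Protection selects, so the query above is the scripted equivalent of reviewing that view.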