Examine Windows Defender Exploit Guard


Microsoft Defender Exploit Guard (formerly Windows Defender Exploit Guard) is a new set of host intrusion prevention capabilities for Windows, allowing you to manage and reduce the attack surface of apps used by your employees.

Microsoft Defender Exploit Guard features

There are four features in Microsoft Defender Exploit Guard:

  • Exploit protection. Applies exploit mitigation techniques to the apps your organization uses, either to individual apps or to all apps at once. Works with third-party antivirus solutions and Microsoft Defender Antivirus (Microsoft Defender AV). To enable Exploit Protection, open the Windows Security app and go to App & Browser Control. Scroll down to Exploit Protection Settings and click it. You can then enable the feature and configure the settings. You can also use Group Policy to enable Exploit Protection. To do this, go to Computer Configuration in the Group Policy Management Editor, then Policies, then Administrative Templates. Expand Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Exploit Protection. Select the Enable exploit protection setting and set the option to Enabled. You can then configure the settings for the feature.

  • Attack surface reduction rules. Reduces the attack surface of your applications with intelligent rules that stop the vectors used by Office, script and mail-based malware. It requires Microsoft Defender AV. To enable this, you can use group policy, registry keys, or mobile device management. To enable attack surface reduction by using Group Policy, go to Computer Configuration in the Group Policy Management Editor, then Policies, then Administrative Templates. Expand the Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack surface reduction. Select the Configure Attack surface reduction rules setting and set the option to Enabled.

  • Network protection. Extends the malware and social engineering protection offered by Microsoft Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices. It requires Microsoft Defender AV. You can enable this feature by using Group Policy. You should navigate to Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Network Protection. Select the Prevent Users and Apps from Accessing Dangerous Websites setting and set the option to Enabled.

  • Controlled folder access. Protects files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware. It can also block writes to disk sectors. It requires Microsoft Defender AV to work. To enable controlled folder access by using Group Policy, navigate to Computer Configuration, expand Policies, then Administrative Templates, and then expand Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled folder access. Select the Configure Controlled Folder Access setting and set the option to Enabled.

    By default, the following folders are enabled for protection:

    • C:\Users\<user>\Documents
    • C:\Users\Public\Documents
    • C:\Users\<user>\Pictures
    • C:\Users\Public\Pictures
    • C:\Users\<user>\Videos
    • C:\Users\Public\Videos
    • C:\Users\<user>\Music
    • C:\Users\Public\Music
    • C:\Users\<user>\Desktop
    • C:\Users\Public\Desktop
    • C:\Users\<user>\Favorites

    You can manually add more folders to this list if needed. If a legitimate application is blocked by Controlled Folder Access, you can allow that application as an override. To do so, navigate to the same Group Policy path, select the Configure Allowed Applications setting, and set the option to Enabled. Select Show and enter each app.

Similar to other features of Microsoft Defender, you can also use Intune to deploy and manage functionalities of Exploit Guard. You can configure these settings in device configuration profile. It's possible to separately configure options for each of the functionalities described earlier.

Screenshot of the Windows Defender Exploit Guard screen.

Additional capabilities

  • You can enable audit mode for the features, which provides basic event logs indicating how a feature would have responded if it had been fully enabled. This is useful when evaluating Microsoft Defender EG, because it shows the impact each feature would have on your environment before you enforce it.
  • You can also visit the Microsoft Defender Testground website at https://demo.wd.microsoft.com to confirm the features are working and test how each of them works.
  • You can manage and report on Microsoft Defender EG in the Windows Security app as part of the Microsoft Defender for Endpoint suite of threat mitigation, prevention, protection, and analysis technologies.
  • You can use the Windows Security app to obtain detailed reporting into events and blocks as part of the usual alert investigation scenarios.
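The feature configuration described above and the audit-mode evaluation described in this section can also be done from an elevated PowerShell prompt on a device running Microsoft Defender AV. The following script is an added example, not code from the Microsoft Learn module; the target app (notepad.exe), the extra protected folder, and the allowed application path are constructed placeholders for illustration.

```powershell
# Added example: stage the four Exploit Guard features in audit mode first, so the
# Defender operational log shows what WOULD be blocked before enforcement is turned on.
#Requires -RunAsAdministrator

# --- Exploit protection: apply mitigations to one app (assumed target: notepad.exe).
Set-ProcessMitigation -Name notepad.exe -Enable DEP,SEHOP,ForceRelocateImages
# Export the resulting system-wide and per-app settings to XML so the same
# configuration can be distributed through the Group Policy setting described above.
Get-ProcessMitigation -RegistryConfigFilePath "$env:TEMP\ExploitProtection.xml"

# --- Attack surface reduction: one rule in audit mode.
# This GUID is Microsoft's published ID for "Block all Office applications from
# creating child processes"; other rule IDs come from the ASR rules reference.
$asrRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# --- Network protection in audit mode.
Set-MpPreference -EnableNetworkProtection AuditMode

# --- Controlled folder access in audit mode, plus one extra protected folder and
#     one allowed application (both paths are constructed placeholders).
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance\Ledgers'
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\LineOfBusiness\lob.exe'

# --- Verify the effective Defender preferences.
Get-MpPreference | Select-Object EnableControlledFolderAccess, EnableNetworkProtection,
    AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications

# --- Review the audit events the text refers to (IDs per Microsoft's Exploit Guard
#     event reference): 1122 = ASR audit, 1124 = controlled folder access audit,
#     1125 = network protection audit.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1122, 1124, 1125
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Once the audit events show no unexpected hits, switch each setting from AuditMode to Enabled (and the ASR action to Enabled) to enforce; the same event log then reports blocks under IDs 1121, 1123 and 1126.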