Felsöka åtgärder för sårbarhetsskydd

Gäller för:

• Microsoft Defender för Endpoint Abonnemang 1
• Microsoft Defender för Endpoint Abonnemang 2
• Microsoft Defender XDR

Vill du uppleva Microsoft Defender för Endpoint? Registrera dig för en kostnadsfri utvärderingsversion.

När du skapar en uppsättning sårbarhetsskyddsreduceringar (kallas en konfiguration) kan det hända att konfigurationsexporten och importprocessen inte tar bort alla oönskade åtgärder.

Du kan ta bort oönskade åtgärder manuellt i Windows-säkerhet, eller så kan du använda följande process för att ta bort alla åtgärder och sedan importera en baslinjekonfigurationsfil i stället.

1. Ta bort alla processreduceringar med det här PowerShell-skriptet:

   # Check if Admin-Privileges are available
   function Test-IsAdmin {
       ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
   }
   
   # Delete ExploitGuard ProcessMitigations for a given key in the registry. If no other settings exist under the specified key,
   # the key is deleted as well
   function Remove-ProcessMitigations([Object] $Key, [string] $Name) {
       Try {
           if ($Key.GetValue("MitigationOptions")) {
               Write-Host "Removing MitigationOptions for:      " $Name
               Remove-ItemProperty -Path $Key.PSPath -Name "MitigationOptions" -ErrorAction Stop;
           }
           if ($Key.GetValue("MitigationAuditOptions")) {
               Write-Host "Removing MitigationAuditOptions for: " $Name
               Remove-ItemProperty -Path $Key.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
           }
           if ($Key.GetValue("EAFModules")) {
               Write-Host "Removing EAFModules for: " $Name
               Remove-ItemProperty -Path $Key.PSPath -Name "EAFModules" -ErrorAction Stop;
           }
   
           # Remove the FilterFullPath value if there is nothing else
           if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 1) -and ($Key.GetValue("FilterFullPath"))) {
               Remove-ItemProperty -Path $Key.PSPath -Name "FilterFullPath" -ErrorAction Stop;
           }
   
           # If the key is empty now, delete it
           if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 0)) {
               Write-Host "Removing empty Entry:                " $Name
               Remove-Item -Path $Key.PSPath -ErrorAction Stop
           }
       }
       Catch {
           Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
       }
   }
   
   # Delete all ExploitGuard ProcessMitigations
   function Remove-All-ProcessMitigations {
       if (!(Test-IsAdmin)) {
           throw "ERROR: No Administrator-Privileges detected!"; return
       }
   
       Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | ForEach-Object {
           $MitigationItem = $_;
           $MitigationItemName = $MitigationItem.PSChildName
   
           Try {
               Remove-ProcessMitigations $MitigationItem $MitigationItemName
   
               # "UseFilter" indicate full path filters may be present
               if ($MitigationItem.GetValue("UseFilter")) {
                   Get-ChildItem -Path $MitigationItem.PSPath | ForEach-Object {
                       $FullPathItem = $_
                       if ($FullPathItem.GetValue("FilterFullPath")) {
                           $Name = $MitigationItemName + "-" + $FullPathItem.GetValue("FilterFullPath")
                           Write-Host "Removing FullPathEntry:              " $Name
                           Remove-ProcessMitigations $FullPathItem $Name
                       }
   
                       # If there are no subkeys now, we can delete the "UseFilter" value
                       if ($MitigationItem.SubKeyCount -eq 0) {
                           Remove-ItemProperty -Path $MitigationItem.PSPath -Name "UseFilter" -ErrorAction Stop
                       }
                   }
               }
               if (($MitigationItem.SubKeyCount -eq 0) -and ($MitigationItem.ValueCount -eq 0)) {
                   Write-Host "Removing empty Entry:                " $MitigationItemName
                   Remove-Item -Path $MitigationItem.PSPath -ErrorAction Stop
               }
           }
           Catch {
               Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
           }
       }
   }
   
   # Delete all ExploitGuard System-wide Mitigations
   function Remove-All-SystemMitigations {
   
       if (!(Test-IsAdmin)) {
           throw "ERROR: No Administrator-Privileges detected!"; return
       }
   
       $Kernel = Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel"
   
       Try {
           if ($Kernel.GetValue("MitigationOptions"))
               { Write-Host "Removing System MitigationOptions"
                   Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationOptions" -ErrorAction Stop;
               }
           if ($Kernel.GetValue("MitigationAuditOptions"))
               { Write-Host "Removing System MitigationAuditOptions"
                   Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
               }
       } Catch {
           Write-Host "ERROR:" $_.Exception.Message "- System"
       }
   }
   
   Remove-All-ProcessMitigations
   Remove-All-SystemMitigations
   

2. Skapa och importera en XML-konfigurationsfil med följande standardåtgärder, enligt beskrivningen i Importera, exportera och distribuera Exploit Protection-konfigurationer:

    <?xml version="1.0" encoding="UTF-8"?>
    <root>
       <SystemConfig/>
       <AppConfig Executable="ExtExport.exe">
          <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
       </AppConfig>
       <AppConfig Executable="ie4uinit.exe">
         <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
       </AppConfig>
       <AppConfig Executable="ieinstal.exe">
      <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
       </AppConfig>
       <AppConfig Executable="ielowutil.exe">
         <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
       </AppConfig>
      <AppConfig Executable="ieUnatt.exe">
         <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
       </AppConfig>
      <AppConfig Executable="iexplore.exe">
         <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
       </AppConfig>
      <AppConfig Executable="mscorsvw.exe">
          <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
       </AppConfig>
       <AppConfig Executable="msfeedssync.exe">
          <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
       </AppConfig>
       <AppConfig Executable="mshta.exe">
          <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
       </AppConfig>
       <AppConfig Executable="ngen.exe">
          <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
       </AppConfig>
       <AppConfig Executable="ngentask.exe">
          <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
       </AppConfig>
       <AppConfig Executable="PresentationHost.exe">
          <DEP Enable="true" OverrideDEP="false" EmulateAtlThunks="false"/>
          <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true" OverrideBottomUp="false" HighEntropy="true" BottomUp="true"/>
          <SEHOP Enable="true" OverrideSEHOP="false" TelemetryOnly="false"/>
          <Heap OverrideHeap="false" TerminateOnError="true"/>
       </AppConfig>
       <AppConfig Executable="PrintDialog.exe">
          <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
       </AppConfig>
       <AppConfig Executable="PrintIsolationHost.exe"/>
       <AppConfig Executable="runtimebroker.exe">
          <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
       </AppConfig>
           <AppConfig Executable="splwow64.exe"/>
       <AppConfig Executable="spoolsv.exe"/>
       <AppConfig Executable="svchost.exe"/>
       <AppConfig Executable="SystemSettings.exe">
          <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
       </AppConfig>
   </root>
   

Om du inte redan har gjort det är det en bra idé att ladda ned och använda Windows-säkerhet-baslinjer för att slutföra anpassningen av sårbarhetsskydd.

Relaterade ämnen

• Skydda enheter från exploateringar
• Utvärdera sårbarhetsskydd
• Aktivera exploateringsskydd
• Konfigurera och granska riskreduceringar för exploateringsskydd
• Konfigurationer för att import, export och distribuering av exploateringsskydd

Tips

Vill du veta mer? Engage med Microsofts säkerhetscommunity i vår Tech Community: Microsoft Defender för Endpoint Tech Community.