Configure Windows Defender Exploit protection in Windows 10

Martin Brinkmann
Oct 25, 2017
Windows, Windows 10

Exploit protection is a new security feature of Windows Defender that Microsoft introduced in the operating system's Fall Creators Update.

Exploit Guard is a set of features that includes exploit protection, attack surface reduction, network protection, and controlled folder access.

Exploit protection can best be described as an integrated version of Microsoft's EMET -- Exploit Mitigation Experience Toolkit -- security tool which the company will retire in mid 2018.

Microsoft claimed previously that the company's Windows 10 operating system would make running EMET alongside Windows unnecessary; at least one researcher refuted Microsoft's claim however.

Windows Defender Exploit protection

Exploit protection is enabled by default if Windows Defender is enabled. The feature is the only Exploit Guard feature that does not require that real-time protection is enabled in Windows Defender.

The feature can be configured in the Windows Defender Security Center application, via PowerShell commands, or as policies.

Configuration in the Windows Defender Security Center app


You may configure exploit protection in the Windows Defender Security Center application.

  1. Use Windows-I to open the Settings application.
  2. Navigate to Update & Security > Windows Defender.
  3. Select Open Windows Defender Security Center.
  4. Select App & browser control listed as a sidebar link in the new window that opens.
  5. Locate the exploit protection entry on the page, and click on exploit protection settings.

The settings are divided into System Settings and Program Settings.

System settings list the available protection mechanisms and their status. The following are available in the Windows 10 Fall Creators Update:

  • Control Flow Guard (CFG) -- on by default.
  • Data Execution Prevention (DEP) -- on by default.
  • Force randomization for images (Mandatory ASLR) -- off by default.
  • Randomize memory allocations (Bottom-up ASLR) -- on by default.
  • Validate exception chains (SEHOP) -- on by default.
  • Validate heap integrity -- on by default.

You can change the status of any option to "on by default", "off by default", or "use default".

Program settings give you options to customize the protection for individual programs and applications. This works similarly to how you could add exceptions in Microsoft EMET for particular programs; good if a program misbehaves when certain protective modules are enabled.

Quite a few programs have exceptions by default. This includes svchost.exe, spoolsv.exe, runtimebroker.exe, iexplore.exe and other core Windows programs. Note that you can override these exceptions by selecting the files and clicking on edit.


Click on "add program to customize" to add a program by name or exact file path to the list of exceptions.

You may set the status of each supported protection individually for every program that you have added under program settings. Besides overriding the system default and forcing the mitigation on or off, there is also an option to set it to "audit only". In audit mode the mitigation does not block anything; it only writes an event to the Windows event log whenever it would have fired had it been on.

Program settings also list additional protection options that are not available under system settings, because they can only be applied at the application level.

These are:

  • Arbitrary code guard (ACG)
  • Block low integrity images
  • Block remote images
  • Block untrusted fonts
  • Code integrity guard
  • Disable extension points
  • Disable Win32k system calls
  • Do not allow child processes
  • Export address filtering (EAF)
  • Import address filtering (IAF)
  • Simulate execution (SimExec)
  • Validate API invocation (CallerCheck)
  • Validate handle usage
  • Validate image dependency integrity
  • Validate stack integrity (StackPivot)

Configuring exploit protection using PowerShell

You may use PowerShell to set, remove or list mitigations. The following commands are available:

To list all mitigations of the specified process: Get-ProcessMitigation -Name processName.exe

To set mitigations: Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>

  • Scope: is either -System or -Name <application name>.
  • Action: is either -Enable or -Disable.
  • Mitigation: the name of the Mitigation. Consult the following table. You may separate mitigations by comma.

Examples:

  • Set-ProcessMitigation -System -Enable DEP
  • Set-ProcessMitigation -Name test.exe -Remove -Disable DEP
  • Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll

The following list maps each mitigation to where it applies, the PowerShell cmdlet values that control it, and the value that enables audit mode, where one exists:

  • Control flow guard (CFG) -- system and app-level -- PowerShell: CFG, StrictCFG, SuppressExports -- audit mode: not available
  • Data Execution Prevention (DEP) -- system and app-level -- PowerShell: DEP, EmulateAtlThunks -- audit mode: not available
  • Force randomization for images (Mandatory ASLR) -- system and app-level -- PowerShell: ForceRelocate -- audit mode: not available
  • Randomize memory allocations (Bottom-Up ASLR) -- system and app-level -- PowerShell: BottomUp, HighEntropy -- audit mode: not available
  • Validate exception chains (SEHOP) -- system and app-level -- PowerShell: SEHOP, SEHOPTelemetry -- audit mode: not available
  • Validate heap integrity -- system and app-level -- PowerShell: TerminateOnHeapError -- audit mode: not available
  • Arbitrary code guard (ACG) -- app-level only -- PowerShell: DynamicCode -- audit mode: AuditDynamicCode
  • Block low integrity images -- app-level only -- PowerShell: BlockLowLabel -- audit mode: AuditImageLoad
  • Block remote images -- app-level only -- PowerShell: BlockRemoteImages -- audit mode: not available
  • Block untrusted fonts -- app-level only -- PowerShell: DisableNonSystemFonts -- audit mode: AuditFont, FontAuditOnly
  • Code integrity guard -- app-level only -- PowerShell: BlockNonMicrosoftSigned, AllowStoreSigned -- audit mode: AuditMicrosoftSigned, AuditStoreSigned
  • Disable extension points -- app-level only -- PowerShell: ExtensionPoint -- audit mode: not available
  • Disable Win32k system calls -- app-level only -- PowerShell: DisableWin32kSystemCalls -- audit mode: AuditSystemCall
  • Do not allow child processes -- app-level only -- PowerShell: DisallowChildProcessCreation -- audit mode: AuditChildProcess
  • Export address filtering (EAF) -- app-level only -- PowerShell: EnableExportAddressFilterPlus, EnableExportAddressFilter [1] -- audit mode: not available
  • Import address filtering (IAF) -- app-level only -- PowerShell: EnableImportAddressFilter -- audit mode: not available
  • Simulate execution (SimExec) -- app-level only -- PowerShell: EnableRopSimExec -- audit mode: not available
  • Validate API invocation (CallerCheck) -- app-level only -- PowerShell: EnableRopCallerCheck -- audit mode: not available
  • Validate handle usage -- app-level only -- PowerShell: StrictHandle -- audit mode: not available
  • Validate image dependency integrity -- app-level only -- PowerShell: EnforceModuleDepencySigning -- audit mode: not available
  • Validate stack integrity (StackPivot) -- app-level only -- PowerShell: EnableRopStackPivot -- audit mode: not available
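The following script is an added example, not code from the article or from Microsoft: it applies the audit-only workflow described under program settings to one executable using the cmdlet values listed above, then pulls the resulting audit events out of the event log. The executable name is a constructed placeholder, and the log name 'Microsoft-Windows-Security-Mitigations/UserMode' is an assumption about where user-mode Exploit Guard audit events are written; confirm it on your build with Get-WinEvent -ListLog before relying on it.

```powershell
# Added example (not from the gHacks article): enable app-level mitigations for one
# executable, audit-only for the intrusive ones, then review what Windows recorded.
# Run from an elevated PowerShell prompt on Windows 10 1709 or later.
# Assumptions: $Target is a constructed sample name; the event log name below is
# assumed, verify it with: Get-WinEvent -ListLog '*Security-Mitigations*'

$Target = 'example-app.exe'   # constructed placeholder executable name

function Show-Mitigations {
    param([string]$Name)
    # Get-ProcessMitigation returns one object for the named process; dumping every
    # section keeps the before/after comparison independent of property names.
    Get-ProcessMitigation -Name $Name | Format-List * | Out-String
}

Write-Host "--- Before ---"
Show-Mitigations -Name $Target

# Audit only: Arbitrary Code Guard and child-process blocking report what they
# *would* have blocked without enforcing anything (values from the list above).
Set-ProcessMitigation -Name $Target -Enable AuditDynamicCode,AuditChildProcess

# Enforced mitigations that well-behaved applications normally tolerate.
Set-ProcessMitigation -Name $Target -Enable DEP,BottomUp,SEHOP

Write-Host "--- After ---"
Show-Mitigations -Name $Target

# After the application has been exercised for a while, list the audit events
# that mention it. Each event's message names the affected process.
$log = 'Microsoft-Windows-Security-Mitigations/UserMode'   # assumed log name
Get-WinEvent -LogName $log -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Target*" } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap

# Roll back: drop the per-application entry so the system defaults apply again.
# Set-ProcessMitigation -Name $Target -Remove
```

Running the audit step first and only promoting a mitigation from audit to enforced once the log stays clean is the same approach the article describes for the "audit only" status in the Security Center app; the script simply makes the before and after state visible in one place.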

Importing and exporting configurations

Configurations can be exported and imported. You can do so from the exploit protection settings page in the Windows Defender Security Center, by using PowerShell, or by using policies.

EMET configurations can furthermore be converted so that they can be imported.

Using the Exploit protection settings

You can export configurations from the settings application, but not import them. The export includes all system-level and app-level mitigations.

Just click on the "export settings" link under exploit protection to do so.

Using PowerShell to export a configuration file

  1. Open an elevated Powershell prompt.
  2. Get-ProcessMitigation -RegistryConfigFilePath filename.xml

Edit filename.xml so that it reflects the save location and filename.

Using PowerShell to import a configuration file

  1. Open an elevated Powershell prompt.
  2. Run the following command: Set-ProcessMitigation -PolicyFilePath filename.xml

Edit filename.xml so that it points to the location and file name of the configuration XML file.


Using Group Policy to install a configuration file


You can install configuration files using policies.

  1. Tap on the Windows-key, type gpedit.msc, and hit the Enter-key to start the Group Policy Editor.
  2. Navigate to Computer configuration > Administrative templates > Windows components > Windows Defender Exploit Guard > Exploit protection.
  3. Double-click on "Use a common set of exploit protection settings".
  4. Set the policy to enabled.
  5. Add the path and filename of the configuration XML file in the options field.

Converting an EMET file

  1. Open an elevated PowerShell prompt as described above.
  2. Run the command ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml

Change emetFile.xml to the path and location of the EMET configuration file.

Change filename.xml to the path and location that you want the converted configuration file to be saved to.
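The export, convert and import steps in the three PowerShell sections above, carried through as one script. This is an added example, not code from the article or from Microsoft. The folder under $env:TEMP and the file names are sample locations, and the XML inspection assumes that app-level entries are elements carrying an Executable attribute (as the exported file does on my reading of it); check one of your own exports before relying on that.

```powershell
# Added example (not from the article): export the live exploit protection
# configuration, inspect which executables carry app-level entries, optionally
# convert an EMET policy, and import the reviewed file. Elevated prompt required.
# Assumptions: paths under $WorkDir are sample locations; app-level entries are
# assumed to be XML elements with an Executable="..." attribute.

$WorkDir   = Join-Path $env:TEMP 'exploit-protection'   # sample working folder
$Exported  = Join-Path $WorkDir 'current.xml'
$EmetFile  = Join-Path $WorkDir 'emet.xml'        # drop an EMET export here to convert it
$Converted = Join-Path $WorkDir 'converted.xml'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Export: writes every system-level and app-level mitigation to XML.
Get-ProcessMitigation -RegistryConfigFilePath $Exported

# 2. Inspect the export before distributing it through Group Policy.
function Get-AppLevelEntries {
    param([string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    # Select every element with an Executable attribute, whatever its depth,
    # and list the mitigation elements nested under it.
    $doc.SelectNodes('//*[@Executable]') | ForEach-Object {
        [pscustomobject]@{
            Executable  = $_.GetAttribute('Executable')
            Mitigations = ($_.ChildNodes |
                           Where-Object { $_.NodeType -eq 'Element' } |
                           ForEach-Object { $_.Name }) -join ', '
        }
    }
}
Get-AppLevelEntries -Path $Exported | Format-Table -AutoSize

# 3. Convert a legacy EMET policy, if one is present, and inspect the result too.
if (Test-Path $EmetFile) {
    ConvertTo-ProcessMitigationPolicy -EMETFilePath $EmetFile -OutputFilePath $Converted
    Get-AppLevelEntries -Path $Converted | Format-Table -AutoSize
}

# 4. Import the reviewed file. Do this on a test machine first: an app-level
# entry applies to every process with that executable name.
$ToImport = if (Test-Path $Converted) { $Converted } else { $Exported }
Set-ProcessMitigation -PolicyFilePath $ToImport
```

The file that ends up in $ToImport is also the one whose path goes into the "Use a common set of exploit protection settings" policy described in the Group Policy section, so reviewing it with Get-AppLevelEntries first shows exactly which programs a domain-wide rollout would touch.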

Ghacks Technology News

Comments

  1. David Johnson said on July 29, 2022 at 5:10 pm

    Computer configuration > Administrative templates > Windows components > Windows Defender Exploit Guard > Exploit protection does not exist in my Windows Server 2019 GPO, but the STIG Compliance checks are calling for it to be set (xml policy to be imported).

    How can I get the Exploit Protection key to appear in GPO?

  2. Tuba said on November 1, 2017 at 6:30 pm

    Exploit Protection is a part of the Exploit Guard feature in Windows Defender. Here is a simple VBS script to export and import Windows Defender's new security protection feature Exploit Protection. For the English version of the script please use the "en" folder: http://www.ceofix.com/download/download.php?file=exploit.zip

  3. indy said on October 27, 2017 at 6:22 pm

    I have followed the direction for reviewing and setting the controls for WINDOWS EXPLOIT TOOL. However, under version 1703, this tool does not exist under the WINDOWS DEFENDER SECURITY CENTER.

    1. microfix said on October 31, 2017 at 6:13 pm

      Only applicable to v1709 W10 Fall Creators Update at the top of the article.

  4. mecanicogolf said on October 27, 2017 at 2:22 pm

    Good article

  5. IPonymous said on October 25, 2017 at 8:28 pm

    Is there a way to get this for windows 8.1 and 7? …since EMET support is ending.

  6. Sampei Nihira said on October 25, 2017 at 3:52 pm

    My Chrome settings:

    https://sendvid.com/vrqzvd5f

  7. KeZa said on October 25, 2017 at 1:19 pm

    I'm here on XP and no problems at all. Windows is becoming too complicated and things must be different. They can play games these days in the cloud and I think the future of the OS will also be in the cloud because it is not fun anymore. I've been here on XP for 15 years now and I regularly find new stuff, and this whole thing again with W10? I do not think so. I and most of us have other things to do and the PC must serve us and not the other way around, and people are sick of this complicated BS and the whole BS to maintain it. This is not the future and Microsoft has it correct unconsciously that W10 will be the last OS. We need to go another way and there needs to be a cleanup of the internet. Maybe all gone and a new internet because it is also BS, and then the provider needs to have a super hardware firewall and the OS is in the cloud. They can do it with games where people do not have the PC power for playing them, but with the cloud they can play them beautifully with the super hardware that the cloud with the game is in, and they can do that also with the OS and it will be. Maybe in over 10 years but it will come because it's getting ridiculously complicated, and if we see how many of us spend time behind the PC over a year to maintain it or to solve problems... this is not sanity but insanity, and let them know to stop making this garbage software, and why must we buy new hardware for it every time? This can be made better and it will be, and we need no more than a little box with a fast internet connection, mouse and keyboard and maybe a 4K screen (+8K is also BS because where will it stop? When will we have enough of it?) and this in a cloud with a VM OS or so and no tweaking or maintaining it at all. Only the moderator of Microsoft, Apple, ... will maintain it in the cloud and everyone has the same without any thought about maintaining it or solving problems, and in the cloud it has everything we need, and why 10+ browsers, 100 programs for the same thing?
    Stop with this BS and make 1 for 1 thing only and not 10-100 for one thing. We must stop with this BS. People are sick of it and bye bye W10 and here comes Linux, but Linux is also not the way to go. They need to put it all together and make something durable without having customers worry about one damn virtual I/O thing. It is insane. XP was good enough but no, we want more BS and that comes with a price, and the whole internet is full of tweaks, problems and so on. This is not the way to go and it will NOT last. KeZa out!

  8. John said on October 25, 2017 at 7:34 am

    From reading the article, it appears that all but one of the entries are on by default. It's always nice to have extra protection, and since Windows has such a large market share, one can probably safely assume almost all or all currently maintained programs will update themselves if they run afoul of any of these and provide a workable version with this new default setup for the OS.

    Windows has come a long way from the virus-palooza that was associated with the operating system through XP. Vista started hardening the OS security-wise and they've continued to do more and do it better with each iteration of the operating system. There are certainly things to complain about with each new version of Windows (telemetry is a common one for Windows 10), but security keeps improving even amid other problems cropping up.

    It was pleasantly surprising to see that Windows had patched that big wifi vulnerability that affects all devices the week before news broke. By contrast, stock Android isn't getting a patch until 11/6, and it could take months after that to filter through the manufacturers and carriers. It's a little odd that my 4-5 year old very low-end Windows PC has this update and my 1.5 year old high-end Android phone doesn't, but that the PC got it is a credit to Microsoft. Last I heard, Apple didn't even have an ETA on a fix, putting it behind both Microsoft and Google. I am not sure where Linux stands (or the major distros).

    *Anyway*, one question. The article says:

    “Force randomization for images (Mandatory ASLR) — off by default.”

    Any idea why that is off by default? What are the pros and cons of enabling it?

    1. dwadw said on November 14, 2017 at 10:34 pm

      I think that was also off by default back when EMET was around.
