Configure Windows Defender Exploit protection in Windows 10
Exploit protection is a new security feature of Windows Defender that Microsoft introduced in the operating system's Fall Creators Update.
Exploit Guard is a set of features that includes exploit protection, attack surface reduction, network protection, and controlled folder access.
Exploit protection can best be described as an integrated version of Microsoft's EMET -- Enhanced Mitigation Experience Toolkit -- security tool, which the company will retire in mid 2018.
Microsoft claimed previously that the company's Windows 10 operating system would make running EMET alongside Windows unnecessary; at least one researcher refuted Microsoft's claim however.
Windows Defender Exploit protection
Exploit protection is enabled by default if Windows Defender is enabled. It is the only Exploit Guard feature that does not require real-time protection to be enabled in Windows Defender.
The feature can be configured in the Windows Defender Security Center application, via PowerShell commands, or as policies.
Configuration in the Windows Defender Security Center app
You may configure exploit protection in the Windows Defender Security Center application.
- Use Windows-I to open the Settings application.
- Navigate to Update & Security > Windows Defender.
- Select Open Windows Defender Security Center.
- Select App & browser control listed as a sidebar link in the new window that opens.
- Locate the exploit protection entry on the page, and click on exploit protection settings.
The settings are divided into System Settings and Program Settings.
System settings list the available protection mechanisms and their status. The following are available in the Windows 10 Fall Creators Update:
- Control Flow Guard (CFG) -- on by default.
- Data Execution Prevention (DEP) -- on by default.
- Force randomization for images (Mandatory ASLR) -- off by default.
- Randomize memory allocations (Bottom-up ASLR) -- on by default.
- Validate exception chains (SEHOP) -- on by default.
- Validate heap integrity -- on by default.
You can change the status of any option to "on by default", "off by default", or "use default".
Program settings give you options to customize the protection for individual programs and applications. This works similarly to how you could add exceptions in Microsoft EMET for particular programs; good if a program misbehaves when certain protective modules are enabled.
Quite a few programs have exceptions by default. This includes svchost.exe, spoolsv.exe, runtimebroker.exe, iexplore.exe and other core Windows programs. Note that you can override these exceptions by selecting the files and clicking on edit.
Click on "add program to customize" to add a program by name or exact file path to the list of exceptions.
You may set the status of all supported protections individually for each program that you have added under program settings. Besides overriding the system default and forcing it to on or off, there is also an option to set it to "audit only". Audit only does not block anything: it records the events that would have fired if the protection had been on, and writes only those events to the Windows event log.
Program Settings list additional protection options that you cannot configure under system settings because they are configured to run on the application level only.
- Arbitrary code guard (ACG)
- Block low integrity images
- Block remote images
- Block untrusted fonts
- Code integrity guard
- Disable extension points
- Disable Win32k system calls
- Do not allow child processes
- Export address filtering (EAF)
- Import address filtering (IAF)
- Simulate execution (SimExec)
- Validate API invocation (CallerCheck)
- Validate handle usage
- Validate image dependency integrity
- Validate stack integrity (StackPivot)
Configuring exploit protection using PowerShell
You may use PowerShell to set, remove or list mitigations. The following commands are available:
- To list all mitigations of the specified process: Get-ProcessMitigation -Name processName.exe
- To set mitigations: Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>
- Scope: either -System or -Name <application name>.
- Action: either -Enable or -Disable.
- Mitigation: the name of the mitigation, as listed in the following table. Separate several mitigations with commas.
Examples:
- Set-ProcessMitigation -System -Enable DEP
- Set-ProcessMitigation -Name test.exe -Remove -Disable DEP
- Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
| Mitigation | Applies to | PowerShell mitigation name | Audit mode name |
|---|---|---|---|
| Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available |
| Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available |
| Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocate | Audit not available |
| Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available |
| Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available |
| Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available |
| Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode |
| Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad |
| Block remote images | App-level only | BlockRemoteImages | Audit not available |
| Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly |
| Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned |
| Disable extension points | App-level only | ExtensionPoint | Audit not available |
| Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall |
| Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess |
| Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter | Audit not available |
| Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available |
| Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available |
| Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available |
| Validate handle usage | App-level only | StrictHandle | Audit not available |
| Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available |
| Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available |
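As an added example (not from the article or from Microsoft), the following PowerShell session rolls out app-level mitigations for one executable the way the "audit only" option is meant to be used: audit first, enforce after the audit events have been reviewed. The target name notepad.exe, the event log channel name, and the property names read from the Get-ProcessMitigation output are assumptions.

```powershell
# Added example: phased rollout of exploit protection mitigations with PowerShell.
# Run from an elevated PowerShell prompt. Target name is an assumption.
$target = 'notepad.exe'

# 1. Snapshot the current per-app state so the change can be compared later.
$before = Get-ProcessMitigation -Name $target

# 2. Stage one: audit only. These names come from the "Audit mode" column of the
#    table; the mitigation logs an event instead of blocking, so a program that
#    would break under enforcement can be spotted without disrupting it.
Set-ProcessMitigation -Name $target -Enable AuditDynamicCode, AuditChildProcess, AuditSystemCall

# 3. Review what audit mode recorded. The log channel name is the one shown in
#    Event Viewer under Applications and Services Logs (assumed here).
Get-WinEvent -LogName 'Microsoft-Windows-Security-Mitigations/UserMode' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 4. Stage two, only after the audit events look clean: enforce the same controls
#    and switch the audit flags off so the entry is unambiguous.
# Set-ProcessMitigation -Name $target -Enable DynamicCode, DisallowChildProcessCreation, DisableWin32kSystemCalls
# Set-ProcessMitigation -Name $target -Disable AuditDynamicCode, AuditChildProcess, AuditSystemCall

# 5. System-wide change: Mandatory ASLR is the one system setting the article
#    lists as off by default. -System affects every process without a per-app override.
Set-ProcessMitigation -System -Enable ForceRelocate

# 6. Verify. The returned object groups settings by category; the property names
#    below are those the cmdlet prints (DynamicCode, ChildProcess, SystemCalls, ASLR)
#    and are assumed to be stable across builds.
$after = Get-ProcessMitigation -Name $target
$after.DynamicCode
$after.ChildProcess
$after.SystemCalls
(Get-ProcessMitigation -System).ASLR

# 7. Rollback for the app entry: -Remove deletes the per-app configuration, so the
#    process falls back to the system defaults.
# Set-ProcessMitigation -Name $target -Remove
```

Enforcing Disable Win32k system calls on a GUI program such as notepad.exe is expected to break it; that is exactly the kind of result the audit stage exists to surface before step 4 is run.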
Importing and exporting configurations
Configurations can be imported and exported. You can do so using the exploit protection settings in the Windows Defender Security Center, by using PowerShell, or by using policies.
EMET configurations can furthermore be converted so that they can be imported.
Using the Exploit protection settings
You can export configurations in the settings application, but not import them. Exporting adds all system level and app level mitigations.
Just click on the "export settings" link under exploit protection to do so.
Using PowerShell to export a configuration file
- Open an elevated PowerShell prompt.
- Run the following command: Get-ProcessMitigation -RegistryConfigFilePath filename.xml
Replace filename.xml with the location and file name you want the exported configuration saved to.
Using PowerShell to import a configuration file
- Open an elevated PowerShell prompt.
- Run the following command: Set-ProcessMitigation -PolicyFilePath filename.xml
Replace filename.xml with the location and file name of the configuration XML file.
Using Group Policy to install a configuration file
You can install configuration files using policies.
- Tap on the Windows-key, type gpedit.msc, and hit the Enter-key to start the Group Policy Editor.
- Navigate to Computer configuration > Administrative templates > Windows components > Windows Defender Exploit Guard > Exploit protection.
- Double-click on "Use a common set of exploit protection settings".
- Set the policy to enabled.
- Add the path and filename of the configuration XML file in the options field.
Converting an EMET file
- Open an elevated PowerShell prompt as described above.
- Run the command ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml
Change emetFile.xml to the path and location of the EMET configuration file.
Change filename.xml to the path and location that you want the converted configuration file to be saved to.
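As an added example (not the article's own), the export, review, convert and import steps above combined into one PowerShell script that inspects the exported XML before it is deployed. The file paths are assumptions, and so is the structure of the exported XML (a MitigationPolicy root with a SystemConfig element and one AppConfig element per executable, each mitigation being a child element with Enable/Audit attributes); treat the parsing part as applying only where the export matches that shape.

```powershell
# Added example: export, review, convert and import an exploit protection policy.
# Run from an elevated PowerShell prompt. All paths below are assumptions.
$exportPath = 'C:\ProgramData\ExploitProtection\baseline.xml'
$emetPath   = 'C:\ProgramData\ExploitProtection\emet-profile.xml'
New-Item -ItemType Directory -Force -Path (Split-Path $exportPath) | Out-Null

# 1. Export all system-level and per-app mitigations to XML.
Get-ProcessMitigation -RegistryConfigFilePath $exportPath

# 2. Summarise what the file would deploy. Element and attribute names here
#    (MitigationPolicy, SystemConfig, AppConfig/Executable, Enable, Audit) are
#    assumed to match the exported format.
[xml]$policy = Get-Content -Path $exportPath -Raw

"System-wide settings:"
foreach ($m in $policy.MitigationPolicy.SystemConfig.ChildNodes) {
    $flags = ($m.Attributes | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
    "  $($m.Name): $flags"
}

"Per-application overrides (audit-only entries block nothing yet):"
foreach ($app in $policy.MitigationPolicy.AppConfig) {
    $enforced = @(); $audit = @()
    foreach ($m in $app.ChildNodes) {
        if ($m.Audit -eq 'true')       { $audit    += $m.Name }
        elseif ($m.Enable -eq 'true')  { $enforced += $m.Name }
    }
    "  $($app.Executable): enforced=[$($enforced -join ',')] audit=[$($audit -join ',')]"
}

# 3. Convert a legacy EMET profile into the same XML format, if one is present.
if (Test-Path $emetPath) {
    $converted = [System.IO.Path]::ChangeExtension($exportPath, '.from-emet.xml')
    ConvertTo-ProcessMitigationPolicy -EMETFilePath $emetPath -OutputFilePath $converted
    "Converted EMET profile written to $converted"
}

# 4. Import the reviewed file. This is the same file a Group Policy deployment
#    would point at via "Use a common set of exploit protection settings".
Set-ProcessMitigation -PolicyFilePath $exportPath
```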
From reading the article, it appears that all but one of the entries are on by default. It's always nice to have extra protection, and since Windows has such a large market share, one can probably safely assume almost all or all currently maintained programs will update themselves if they run afoul of any of these and provide a workable version with this new default setup for the OS.
Windows has come a long way from the virus-palooza that was associated with the operating system through XP. Vista started hardening the OS security-wise and they've continued to do more and do it better with each iteration of the operating system. There are certainly things to complain about with each new version of Windows (telemetry is a common one for Windows 10), but security keeps improving even amid other problems cropping up.
It was pleasantly surprising to see that Windows had patched that big wifi vulnerability that affects all devices the week before news broke. By contrast, stock Android isn't getting a patch until 11/6, and it could take months after that to filter through the manufacturers and carriers. It's a little odd that my 4-5 year old very low-end Windows PC has this update and my 1.5 year old high-end Android phone doesn't, but that the PC got it is a credit to Microsoft. Last I heard, Apple didn't even have an ETA on a fix, putting it behind both Microsoft and Google. I am not sure where Linux stands (or the major distros).
*Anyway*, one question. The article says:
“Force randomization for images (Mandatory ASLR) — off by default.”
Any idea why that is off by default? What are the pros and cons of enabling it?
I think that was also off by default back when EMET was around.
I'm here on XP and no problems at all. Windows is becoming too complicated and things must be different. They can play games these days in the cloud, and I think the future of the OS will also be in the cloud, because it is not fun anymore. I've been here on XP for 15 years now and I regularly find new stuff, and this whole thing again with W10? I do not think so. I and most of us have other things to do; the PC must serve us and not the other way around, and people are sick of this complicated BS and the whole BS to maintain it. This is not the future, and Micro has it correct, unconsciously, that W10 will be the last OS. We need to go another way, and there needs to be a cleanup of the internet. Maybe all gone and a new internet, because it is also BS, and then the provider needs to have a super hardware firewall and the OS is in the cloud. They can do it with games where people do not have the PC power to play them, but with the cloud they can play them beautifully with the super hardware where the cloud with the game is in, and they can do that also with the OS, and it will be. Maybe in over 10 years, but it will come, because it's getting ridiculously complicated, and if we see how many of us spend time behind the PC over a year to maintain it or to solve problems… this is not sanity but insanity. Let them know to stop making this garbage software, and why must we buy new hardware for it every time? This can be made better, and it will be, and we need no more than a little box with a fast internet connection, mouse and keyboard and maybe a 4K screen (+8K is also BS, because where will it stop? Will we ever have enough of it?) and this in a cloud with a VM-OS or so, and no tweaking or maintaining it at all. Only the moderator of Micro, Apple, … will maintain it in the cloud and everyone has the same, without any thought to give to maintaining it or solving problems, and in the cloud it has everything we need. And why +10 browsers, 100 progs for the same thing?
Stop with this BS and make 1 for 1 thing only, and not 10-100 for one thing. We must stop with this BS. People are sick of it, and bye-bye W10, and here comes Linux, but Linux is also not the way to go. They need to put it all together and make something durable without having customers worry about one damn virtual I-0 thing. It is insane. XP was good enough, but no, we want more BS, and that comes with a price, and the whole internet is full of tweaks, problems and so on. This is not the way to go and it will NOT last. KeZa out!
My Chrome settings:
Is there a way to get this for windows 8.1 and 7? …since EMET support is ending.
I have followed the direction for reviewing and setting the controls for WINDOWS EXPLOIT TOOL. However, under version 1703, this tool does not exist under the WINDOWS DEFENDER SECURITY CENTER.
Only applicable to v1709 W10 Fall Creators Update at the top of the article.
Exploit Protection is a part of the Exploit Guard feature in Windows Defender. Here is a simple VBS script to export and import Windows Defender's new security protection feature, Exploit Protection. For the English version of the script please use the "en" folder: http://www.ceofix.com/download/download.php?file=exploit.zip
Computer configuration > Administrative templates > Windows components > Windows Defender Exploit Guard > Exploit protection does not exist in my Windows Server 2019 GPO, but the STIG Compliance checks are calling for it to be set (xml policy to be imported).
How can I get the Exploit Protection key to appear in GPO?