Comparison between Exploit Protection and Attack Surface Reduction

  • Question

  • Hi, 

    Since Windows Defender Exploit Guard's feature, Attack Surface Reduction will be disabled once a third party antivirus is installed, and Exploit Protection will stay active.

    Are there any settings in Exploit Protection that can compensate for the loss of Attack Surface Reduction?

    E.g. Attack Surface Reduction has "Block Office applications from creating child processes", while Exploit Protection has "Do not allow child processes", which is similar.

    In addition, is ASR's "Block Win32 API calls from Office macro" similar to EP's "Disable Win32k system calls"? I tried to enable EP's "Disable Win32k system calls" and MS Office cannot run.

    May I know whether there are any other similar features in Exploit Protection that can be activated to replace Attack Surface Reduction?

    Currently, my workplace requires us to turn on the third-party AV, thus I plan to use Exploit Protection on Microsoft Office applications such as Word, Excel, and PPT.

    Thank you.

    Yours sincerely

    Arik.

    Thursday, February 8, 2018 2:27 AM

All replies

  • Hi,

    As this issue is mainly related to Surface, I suggest discussing it in our Surface forum. They are the best resource to troubleshoot this issue.

    https://social.technet.microsoft.com/Forums/en-US/home?category=surface

    Best Regards,

    Tao


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Arik Lim Saturday, February 10, 2018 2:16 AM
    Friday, February 9, 2018 3:16 AM
    Moderator
  • Hi Tao,

    May I ask why it is related to Surface? You mean Microsoft Surface Pro? I am asking questions with regard to the security features of Windows Defender. How is that related to Surface?

    Thank you.

    Yours sincerely,

    Lim Yi Hong

    Saturday, February 10, 2018 2:17 AM
  • You have to read this article by Matt Graeber very carefully, because you have to use Windows Defender Application Guard (formerly known as Device Guard) for customized ASR rules (if you have an Enterprise License). Windows Defender Exploit Guard with the general Attack Surface Reduction rules is ONLY for Office products:

    https://posts.specterops.io/the-emet-attack-surface-reduction-replacement-in-windows-10-rs3-the-good-the-bad-and-the-ugly-34d5a253f3df

    https://docs.microsoft.com/de-de/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard

    Also keep in mind that Exploit Guard's general ASRs for Office only work if Defender is your main protection AV (no third party allowed), but WDAG (Device Guard) also works without AV protection from Defender.

    • Edited by Sebow Saturday, February 10, 2018 9:04 PM
    Saturday, February 10, 2018 9:03 PM
  • Hi Sebow,

    Thanks for your reply.

    I have no intention of using Windows Defender Application Guard and Device Guard yet. What I am asking is regarding the features of Exploit Guard. Exploit Guard consists of Exploit Protection and Attack Surface Reduction, and Attack Surface Reduction becomes inactive when a third-party AV is installed; plus, it is only for Microsoft Office apps. Are there any other functions in Exploit Protection that I can turn on to replace the features of Attack Surface Reduction?

    For example, I use my own third-party AV, so Attack Surface Reduction is turned off. However, I want to have protection similar to Attack Surface Reduction's "Block Office applications from creating child processes". So I use Exploit Protection's "Do not allow child processes" and specifically select the setting for all Microsoft Office applications, thus achieving the same result. I tested this with the DDE exploit, which both Attack Surface Reduction and Exploit Protection are able to detect and block.

    So may I ask, other than preventing child processes, whether there are any other features of Attack Surface Reduction that can be replaced by, or have similar protection in, Exploit Protection?

    Block executable content from email client and webmail
    Block Office applications from creating child processes (Done)
    Block Office applications from creating executable content
    Block Office applications from injecting code into other processes
    Block JavaScript or VBScript from launching downloaded executable content
    Block execution of potentially obfuscated scripts
    Block Win32 API calls from Office macro

    Thank you.


    Yours sincerely.

    Arik

     
    Monday, February 12, 2018 3:10 AM
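The thread compares the ASR rule "Block Office applications from creating child processes" with Exploit Protection's per-process "Do not allow child processes", and notes that "Disable Win32k system calls" breaks Office. The following is an added PowerShell example, not code from the thread or from Microsoft: it checks whether Microsoft Defender Antivirus is the active engine (the precondition for ASR rules to be enforced), configures the ASR rule in audit mode where that holds, applies the Exploit Protection equivalent to the Office binaries regardless of AV, and reads back the effective settings and recent events. It assumes the `Set-ProcessMitigation`/`Get-ProcessMitigation` cmdlets of the ProcessMitigations module (Windows 10 1709+), the `Add-MpPreference` ASR parameters, and that the rule GUID below is the published ID for the Office child-process rule; verify the GUID and the `ChildProcess`/`SystemCall` property names against current Microsoft documentation for your build.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on
# Windows 10 1709 or later. Compares ASR and Exploit Protection coverage for
# the "Office spawning child processes" case discussed above.

$officeApps = 'winword.exe', 'excel.exe', 'powerpnt.exe'

# ASR rule "Block Office applications from creating child processes".
# Assumed: published Microsoft rule ID; confirm against current docs.
$asrBlockOfficeChildProcs = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# 1. ASR rules are only enforced while Microsoft Defender AV is the real-time
#    engine. With a third-party AV installed, this check typically fails and
#    the ASR branch is skipped.
$status = Get-MpComputerStatus
$defenderIsPrimaryAV = $status.AntivirusEnabled -and $status.RealTimeProtectionEnabled

if ($defenderIsPrimaryAV) {
    # AuditMode logs what the rule would block (event ID 1122) without
    # blocking; switch to Enabled (event ID 1121) once the audit is clean.
    Add-MpPreference -AttackSurfaceReductionRules_Ids     $asrBlockOfficeChildProcs `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# 2. Exploit Protection equivalent: a per-executable mitigation that stays
#    active under a third-party AV. Scoped to the Office binaries only.
foreach ($app in $officeApps) {
    Set-ProcessMitigation -Name $app -Enable DisallowChildProcessCreation
}

# 3. Read back the effective per-process configuration. DisableWin32kSystemCalls
#    is reported, not enabled: the thread observes that Office, a GUI app,
#    cannot start with it on, so it is not a substitute for the Win32-API rule.
$report = foreach ($app in $officeApps) {
    $m = Get-ProcessMitigation -Name $app          # assumed property layout
    [pscustomobject]@{
        Process                   = $app
        DisallowChildProcesses    = $m.ChildProcess.DisallowChildProcessCreation
        Win32kSystemCallsDisabled = $m.SystemCall.DisableWin32kSystemCalls
    }
}
$report | Format-Table -AutoSize

# 4. Recent events from both subsystems, for verification and for detection
#    engineering: ASR audits/blocks in the Defender log, Exploit Protection
#    mitigations in the Security-Mitigations logs.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

Get-WinEvent -LogName 'Microsoft-Windows-Security-Mitigations/UserMode' `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Step 2 is the part that answers the thread's question directly: the mitigation is attached to each Office image name and is evaluated by the kernel at process creation, so it does not depend on which AV is registered. The event queries in step 4 are what a SOC would forward to a SIEM to see whether either control is actually firing on user workstations.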
  • I think the main reason you have to use Windows Defender for the ASR Office protection is that it uses AMSI (Anti Malware Scan Interface), which blocks malicious PowerShell, VBScript and JavaScript code that has been obfuscated, or blocks obfuscated macro code. Most 3rd-party AVs don't use that API (but they could if they want), and exploit prevention isn't made for scanning malicious scripts/code at all:

    https://www.blackhat.com/docs/us-16/materials/us-16-Mittal-AMSI-How-Windows-10-Plans-To-Stop-Script-Based-Attacks-And-How-Well-It-Does-It.pdf

    http://www.labofapenetrationtester.com/2016/09/amsi.html

    https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
    • Edited by Sebow Monday, February 12, 2018 10:55 PM
    Monday, February 12, 2018 10:54 PM
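The reply above argues that ASR's script and macro rules rely on AMSI and that most third-party AVs do not register as AMSI providers. Whether a given product does is something an administrator can verify on the machine. The following is an added PowerShell example, not code from the thread or from Microsoft: it enumerates the AMSI providers registered under `HKLM\SOFTWARE\Microsoft\AMSI\Providers`, resolves each provider CLSID to its COM server DLL, and lists the products Windows Security Center reports as antivirus, so the two can be compared. The registry paths are the standard AMSI provider registration locations; the `root/SecurityCenter2` WMI namespace is the one client editions of Windows expose.

```powershell
# Added example (not from the thread). Read-only: lists which AMSI providers
# are installed so you can tell whether the active AV will see obfuscated
# script and macro content, or whether only Defender's provider is present.

function Get-AmsiProvider {
    $providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path $providersKey)) {
        Write-Warning "No AMSI providers registered at $providersKey"
        return
    }

    Get-ChildItem -Path $providersKey | ForEach-Object {
        # Each subkey is the provider's CLSID, e.g. {0123...-...}.
        $clsid    = $_.PSChildName
        $classKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"

        $name = (Get-ItemProperty -Path $classKey -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path "$classKey\InprocServer32" `
                    -ErrorAction SilentlyContinue).'(default)'

        [pscustomobject]@{
            Clsid     = $clsid
            Name      = $name
            ServerDll = $dll
            DllExists = if ($dll) { Test-Path ([Environment]::ExpandEnvironmentVariables($dll)) } else { $false }
        }
    }
}

function Get-RegisteredAntivirus {
    # Security Center's view of installed AV products. productState is a
    # bit field; the documented-by-observation 0x1000 bit indicates enabled.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            [pscustomobject]@{
                Product  = $_.displayName
                Enabled  = [bool]($_.productState -band 0x1000)
                ExePath  = $_.pathToSignedProductExe
            }
        }
}

'--- AMSI providers ---'
Get-AmsiProvider | Format-Table -AutoSize

'--- Antivirus products known to Security Center ---'
Get-RegisteredAntivirus | Format-Table -AutoSize
```

If the second table shows a third-party product enabled but the first lists only Microsoft's provider DLL, the AMSI path that the obfuscated-script and macro ASR rules depend on is not being served by that product, which is the situation the reply describes. A missing `InprocServer32` DLL on disk for a registered CLSID is also worth flagging, since an unresolvable provider entry means the scan interface silently has one fewer consumer.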