Windows 10: Change Windows Defender Exploit Protection Settings in Windows 10

How to: Change Windows Defender Exploit Protection Settings in Windows 10

How to Change Windows Defender Exploit Protection Settings in Windows 10


Starting with Windows Defender Security Center.

Exploit protection is built into Windows 10 to help protect your device against attacks. Out of the box, your device is already set up with the protection settings that work best for most people.

Exploit protection is part of Windows Defender Exploit Guard. Exploit protection helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.

You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file as a backup and that you can deploy to other machines.

For more information, see also:

• Use Windows Defender Exploit Guard to protect your network | Microsoft Docs
• Apply mitigations to help prevent attacks through vulnerabilities | Microsoft Docs
• Enable or disable specific mitigations used by Exploit protection | Microsoft Docs
• Import custom views to see Windows Defender Exploit Guard events | Microsoft Docs
• Mitigate threats by using Windows 10 security features (Windows 10) | Microsoft Docs
• Moving Beyond EMET Defense

This tutorial will show you how to change the Exploit protection settings for your system and programs from the Windows Defender Security Center in Windows 10.

*Warning You must be signed in as an administrator to change Exploit Protection settings.


CONTENTS:

• Option One: To Customize System Settings for Exploit Protection
• Option Two: To Add Program to Customize in Program Settings for Exploit Protection
• Option Three: To Remove Program in Program Settings for Exploit Protection
• Option Four: To Customize Program Settings for Exploit Protection

OPTION ONE [/i] To Customize System Settings for Exploit Protection
1. Open the Windows Defender Security Center, and click/tap on the App & browser control icon. (see screenshot below)



2. Click/tap on the Exploit protection settings link at the bottom. (see screenshot below)



3. Click/tap on System settings in Exploit protection, and customize the system settings how you want. (see screenshots below)

*note Some changes will require you to restart the computer to apply.











4. After each setting change, click/tap on Yes when prompted by UAC to approve.

5. When finished, you can close Windows Defender Security Center if you like.





OPTION TWO [/i] To Add Program to Customize in Program Settings for Exploit Protection
1. Open the Windows Defender Security Center, and click/tap on the App & browser control icon. (see screenshot below)



2. Click/tap on the Exploit protection settings link at the bottom. (see screenshot below)



3. Click/tap on Program settings in Exploit protection, click/tap on the Add program to customize + button, and click/tap on Choose exact file path. (see screenshot below)



4. Navigate to and select the .exe file (ex: "notepad.exe") you want to add, and click/tap on Open. (see screenshot below)



5. You can now go to step 5 in Option Four below to customize the program settings for this .exe file (ex: "notepad.exe"). (see screenshots below)










OPTION THREE [/i] To Remove Program in Program Settings for Exploit Protection
1. Open the Windows Defender Security Center, and click/tap on the App & browser control icon. (see screenshot below)



2. Click/tap on the Exploit protection settings link at the bottom. (see screenshot below)



3. Click/tap on Program settings in Exploit protection. (see screenshot below)



4. Click/tap on a listed program (ex: "excel.exe") you want to remove, and click/tap on the Remove button. (see screenshot below)



5. Click/tap on Yes when prompted by UAC to approve.

6. When finished, you can close Windows Defender Security Center if you like.





OPTION FOUR [/i] To Customize Program Settings for Exploit Protection
1. Open the Windows Defender Security Center, and click/tap on the App & browser control icon. (see screenshot below)



2. Click/tap on the Exploit protection settings link at the bottom. (see screenshot below)



3. Click/tap on Program settings in Exploit protection. (see screenshot below)



4. Click/tap on a listed program (ex: "excel.exe") you want to customize settings for, and click/tap on the Edit button. (see screenshot below)



5. Edit the program settings how you want for this program, and click/tap on the Apply button at the bottom when finished. (see screenshots below)

*note Any changes will require you to restart the program if currently open.




















6. Click/tap on Yes when prompted by UAC to approve.

7. When finished, you can close Windows Defender Security Center if you like.

That's it,
Shawn


Related Tutorials

• How to Open Windows Defender Security Center in Windows 10
• How to Export and Import Windows Defender Exploit Protection Settings in Windows 10
• How to Enable or Disable Windows Defender Exploit Guard Network Protection in Windows 10
• Hide or Show App and Browser Control in Windows Defender Security Center in Windows 10
• How to Enable or Disable Windows Defender Exploit Protection Settings in Windows 10

:)

 

Bug? In Windows Defender Exploit Guard.

If we assume that this is just a glitch, then you might be able to reset the Exploit protection defaults by exporting the settings from an unaffected PC (with default settings) and then importing those settings on the affected machines. This looks
to be the backup/restore tool for the Exploit protection settings:

Deploy Exploit protection mitigations across your organization

Export and Import Exploit Protection Settings in Windows 10

 

Windows Defender

No AV/Antimalware app comes with an ironclad guarantee – because no single app can cover the entire spectrum of online threats. But not so long ago, Windows Defender's level of protection was used as a “baseline” for comparing the protection offered
by third-party AV apps. That’s no longer the case, and once Windows 10 is updated to the Fall Creators Update, Windows Defender should be sufficient for most users. Specifically, the last two version updates have made a quantum leap in Defender’s level of
protection against ransomware and zero-day threats by including these features:

Block at First Sight (Seen):

Windows Defender can now immediately block suspicious or unknown files; and then automatically analyze a sample and generate a signature within a matter of seconds

Enable Block at First Sight to detect malware in seconds

Windows Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware


We can also use PowerShell to upgrade the default settings for the Block at First Sight feature:

You can increase the default Cloud Block Level by running one of these commands at the elevated PowerShell Prompt:

Set-MpPreference -CloudBlockLevel High

Set-MpPreference -CloudBlockLevel HighPlus

Set-MpPreference -CloudBlockLevel ZeroTolerance

And you can also increase the allotted analysis time by running this command at the elevated PowerShell prompt:

Set-MpPreference -CloudExtendedTimeout 50

Windows Defender Exploit Guard:

The exploit protection features that were previously provided by EMET are now integrated into Windows 10.

Apply mitigations to help prevent attacks through vulnerabilities

Moving Beyond EMET II – Windows Defender Exploit Guard

Attack Surface Reduction:

We also have the ability to add Attack Surface Reduction rules with PowerShell in Version 1709:

Enable ASR rules individually to protect your organization

Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware

For example, here’s the first rule that I set up immediately by running this line at the elevated PowerShell prompt

Rule: Block JavaScript or VBScript from launching downloaded executable content:

Set-MpPreference -AttackSurfaceReductionRules_Ids
D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled

Then to add additional rules, we use the Add-MpPreference command:

Rule: Block executable content from email client and webmail:

Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions
Enabled





Controlled Folder Access:

Windows document folders are now protected by default, and we can add this ransomware protection to additional folders, as well as whitelist trusted applications in order to allow them access.

Help prevent ransomware and threats from encrypting and changing files

Stopping ransomware where it counts: Protecting your data with Controlled folder access

PUA Protection:

Windows Defender has actually been able to detect and block Potentially Unwanted Applications for some time now, but many people still don’t know that this feature is disabled by default and needs to be enabled by running this command line at the elevated
PowerShell Prompt:

Set-MpPreference -PUAProtection 1

Then confirm that PUA Protection was enabled by returning the current state for PUAProtection:

$Preferences = Get-MpPreference

$Preferences.PUAProtection

Block Potentially Unwanted Applications with Windows Defender AV


That's enough to convince me that better days are ahead for Windows Defender, and there isn't much doubt that these new features will mitigate the risks associated with ransomware and zero-day threats.

 

Hello Fisher Mann, *Smile

This is the same as EMET below, but just now built-in to Windows 10 and able to set in Windows Defender Security Center.

Enhanced Mitigation Experience Toolkit (EMET) for Windows 10 - Windows 10 Forums

It's not suppose to interfere with other AV or security programs, but you never know with 3rd party software.

 

Thanks Shawn. Looks like I have a lot more reading ahead of me. I wouldn't think they would release this in any upcoming public build, but I could easily be mistaken.

 

It will be available to the public in the Windows 10 Fall Creators Update arriving sometime in Fall 2017.

 

Oh well I guess M$ knows what they're doing. Toggled all of them on, so far so good. Will post here if anything weird happens.

 

I'll stick with MBAE Beta(it is free, but now since version 1.10.x.x.x is also a free(no trial))
It's UI is simpler to navigate, and easier to use, as you just tick or add, and let it make the settings for your software.
Plus they preset it to what the average user needs, and, if you know what you're doing(and I don't*Sad) you can tighten it up more.

Microsoft has made a pretty UI, but it really is more difficult to set up.

 

I just had a look at these settings. I haven't set anything. Force Randomisation for Images is off - should it be on?

Some program overrides have been set. I didn't make them so are these settings normal? See below:

 

odd question. i use win10 home 1709 (with all updates) + 3rd party security suite and my screen looks different. when i hit app& browser control-> exploit protection settings, the page just says program settings (no system settings in sight).

everything has 3 options... off by default, on, add program to customise. there's a blue link at the bottom that says "use default (<%1!s!>)" clicking that just saves a xml file.

i changed something from "off by default" to on and there's a bright red text saying "%1!s! %2!d! system overrides" that persists until i close the security centre, even if i flip it bak to "off by default". re-opening it doesn't show the red text. wonder if i screwed up anything by changing the options.

 

Hello pzhndal, *Smile

Odd that your's is different like that. The settings in your screenshot are indeed for "System settings" despite it only showing "Program settings" above them.

In addition, usually the "Export settings" link is at the bottom as well.

I haven't seen that red message yet. I see a "This change requires you to restart your device" message in for some setting changes.

What 3rd party AV program do you have installed? It would be good to hear if folks that also have it installed are seeing the same as you.

 

kaspersky internet security.
it's odd, because i just had a look at a relative's crappy laptop that uses the same kaspersky as well and it had the normal screen... though that was before i updated the machine with march cumulative update and didn't look again after... shouldn't matter, should it? i'll give it another look later.

i don't understand why it's all off by default though.. i had emet on it before 1709 using pretty much default settings (ie.. basically all on aside from alsr or something)

sfc /scannow didn't see any issue

don't think the ms intel microcode patch should make any difference. i can't remember if i bothered looking at the exploit guard settings before.

just noticed there's a thread on this
Windows Defender Exploit Protection problem - Windows 10 Forums

 

Your problem is fixed in 16299.334

Cumulative Update KB4089848 Windows 10 v1709 Build 16299.334 - Mar. 22 - Page 3 - Windows 10 Forums