Windows 10: Moving Beyond EMET II – Windows Defender Exploit Guard

Brink · Aug 9, 2017

Since we last wrote about the future of EMET and how it relates to Windows 10 back in November 2016 (see Moving Beyond EMET), we have received lots of invaluable feedback from EMET customers and enthusiasts regarding the upcoming EMET end of life. Based on that feedback, we are excited to share significant new exploit protection and threat mitigation improvements coming with the Windows 10 Fall Creators Update!

We recently introduced Windows Defender Exploit Guard (WDEG) which will complete our journey to incorporate all of the security benefits of EMET directly into Windows. This effort was significantly influenced by two insights that came up most frequently in our survey data, customer support calls, and conversations with EMET stakeholders and security enthusiasts. More than anything else, our customers have expressed that they want (1) a user-friendly UI for configuring mitigation settings and (2) a way to protect their legacy apps on Windows 10.

As such, with the Windows 10 Fall Creators Update, you can now audit, configure, and manage Windows system and application exploit mitigations right from the Windows Defender Security Center (WDSC). You do not need to deploy or install Windows Defender Antivirus or any other additional software to take advantage of these settings, and WDEG will be available on every Windows 10 PC running the Fall Creators Update. Windows Insiders can start trying out WDEG today following these simple steps:

Right-click the WDSC icon in the taskbar notification area and click Open, or search the Start menu for Windows Defender Security Center.

From the Windows Defender Security Center, click on App & browser control.

Scroll to the bottom of the resulting screen to find Exploit protection settings.

In addition to the new user-friendly interface in WDSC, we have added the same legacy app protections that our EMET customers have come to expect, thus achieving parity between Windows 10 mitigation support and all of the mitigation features provided by EMET. While we strongly recommend the use of Control Flow Guard (CFG) to provide the strongest protections available, we understand that many enterprises depend on legacy apps to run their business operations, many of which may never get recompiled with CFG. These users can now use Exploit Guard to help secure such apps on modern systems by configuring control flow protections for legacy apps, similar to those offered by EMET but built-in directly to Windows 10 as part of WDEG. These legacy app control flow protections include:

Export Address Filtering (EAF)

Import Address Filtering (IAF)

Validate API Invocation (CallerCheck)

Simulate Execution (SimExec)

Validate Stack Integrity (StackPivot)

Another common ask from our customers was for auditing support. To facilitate easy deployment and usage of mitigations without the burden of application compatibility side effects, we have introduced audit mode support for both EMET legacy app mitigations as well as existing native mitigations provided by Windows.

Although EMET shipped with a set of recommended configuration settings, we know that many EMET customers customized the policy to suit the specific needs of their business. To help facilitate the migration to Windows Defender Exploit Guard, we have added a new PowerShell module that converts EMET XML settings files into Windows 10 mitigation policies for WDEG. More information about this PowerShell module, and about how EMET features relate to security features in Windows 10, can be found in the topic Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit.

Lastly, Windows Defender Exploit Guard includes much more than the features integrated from EMET, and we look forward to discussing host intrusion prevention capabilities and other WDEG components in a future blog post. In terms of upcoming features, WDEG will soon be fully integrated with Windows Defender ATP (WDATP) to provide a single-pane-of-glass view across the Windows security stack. Violations of configured WDEG mitigations will be logged by WDATP and used as additional signals for more advanced exploit detection.

For more details on Windows 10’s threat mitigations, please refer to our Windows 10 Threat Mitigations documentation on Microsoft Docs.

- Nate Nunez, OS Security
Click to expand...

Source: Moving Beyond EMET II - Windows Defender Exploit Guard Defense

:)

GreginMich · Aug 9, 2017

Windows Defender

No AV/Antimalware app comes with an ironclad guarantee – because no single app can cover the entire spectrum of online threats. But not so long ago, Windows Defender's level of protection was used as a “baseline” for comparing the protection offered
by third-party AV apps. That’s no longer the case, and once Windows 10 is updated to the Fall Creators Update, Windows Defender should be sufficient for most users. Specifically, the last two version updates have made a quantum leap in Defender’s level of
protection against ransomware and zero-day threats by including these features:

Block at First Sight (Seen):

Windows Defender can now immediately block suspicious or unknown files; and then automatically analyze a sample and generate a signature within a matter of seconds

Enable Block at First Sight to detect malware in seconds

Windows Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware

We can also use PowerShell to upgrade the default settings for the Block at First Sight feature:

You can increase the default Cloud Block Level by running one of these commands at the elevated PowerShell Prompt:

Set-MpPreference -CloudBlockLevel High

Set-MpPreference -CloudBlockLevel HighPlus

Set-MpPreference -CloudBlockLevel ZeroTolerance

And you can also increase the allotted analysis time by running this command at the elevated PowerShell prompt:

Set-MpPreference -CloudExtendedTimeout 50

Windows Defender Exploit Guard:

The exploit protection features that were previously provided by EMET are now integrated into Windows 10.

Apply mitigations to help prevent attacks through vulnerabilities

Moving Beyond EMET II – Windows Defender Exploit Guard

Attack Surface Reduction:

We also have the ability to add Attack Surface Reduction rules with PowerShell in Version 1709:

Enable ASR rules individually to protect your organization

Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware

For example, here’s the first rule that I set up immediately by running this line at the elevated PowerShell prompt

Rule: Block JavaScript or VBScript from launching downloaded executable content:

Set-MpPreference -AttackSurfaceReductionRules_Ids
D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled

Then to add additional rules, we use the Add-MpPreference command:

Rule: Block executable content from email client and webmail:

Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions
Enabled

Controlled Folder Access:

Windows document folders are now protected by default, and we can add this ransomware protection to additional folders, as well as whitelist trusted applications in order to allow them access.

Help prevent ransomware and threats from encrypting and changing files

Stopping ransomware where it counts: Protecting your data with Controlled folder access

PUA Protection:

Windows Defender has actually been able to detect and block Potentially Unwanted Applications for some time now, but many people still don’t know that this feature is disabled by default and needs to be enabled by running this command line at the elevated
PowerShell Prompt:

Set-MpPreference -PUAProtection 1

Then confirm that PUA Protection was enabled by returning the current state for PUAProtection:

$Preferences = Get-MpPreference

$Preferences.PUAProtection

Block Potentially Unwanted Applications with Windows Defender AV

That's enough to convince me that better days are ahead for Windows Defender, and there isn't much doubt that these new features will mitigate the risks associated with ransomware and zero-day threats.

GreginMich · Aug 9, 2017

Bug? In Windows Defender Exploit Guard.

If we assume that this is just a glitch, then you might be able to reset the Exploit protection defaults by exporting the settings from an unaffected PC (with default settings) and then importing those settings on the affected machines. This looks
to be the backup/restore tool for the Exploit protection settings:

Deploy Exploit protection mitigations across your organization

Export and Import Exploit Protection Settings in Windows 10

Tony K · Aug 9, 2017

Thanks for posting that, Shawn. It's included in Insider build 16257.

Brink · Aug 9, 2017

*Thumbs

*Arrow Change Exploit Protection Settings in Windows 10 Windows 10 Security System Tutorials

dencal · Aug 9, 2017

Thanks Shawn...for info plus link for tutorial.

Tony K · Apr 4, 2018

*Thumbs

*Arrow Change Exploit Protection Settings in Windows 10 Windows 10 Security System Tutorials
Click to expand...

Thanks, again. I didn't know that section was in 16332. *Redface

Windows 10: Moving Beyond EMET II – Windows Defender Exploit Guard

Moving Beyond EMET II – Windows Defender Exploit Guard

Moving Beyond EMET II – Windows Defender Exploit Guard

Moving Beyond EMET II – Windows Defender Exploit Guard

Moving Beyond EMET II – Windows Defender Exploit Guard - Similar Threads - Moving Beyond EMET

Microsoft Defender Exploit Guard on Windows 10 Pro

Windows 10 Exploit Guard

Windows Defender Application Guard?

Need exclusion for Defender Exploit Guard Network Protection

Need exclusion for Defender Exploit Guard Network Protection

Interpreting Windows Defender Exploit Guard ASR audit alerts

EMET or Malwarebytes Anti exploit?

Windows: Moving Beyond Enhanced Mitigation Experience Toolkit (EMET)

Enable Windows Defender Exploit Guard Network Protection in Windows 10