Protect devices from exploits

04/02/2019


Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server, version 1803.

Tip You can visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working and see how it works.

Exploit protection works best with Microsoft Defender Advanced Threat Protection - which gives you detailed reporting into exploit protection events and blocks as part of the usual alert investigation scenarios.

You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices at once.

When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.

You can also use audit mode to evaluate how exploit protection would impact your organization if it were enabled.

Many of the features in the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. In fact, you can convert and import your existing EMET configuration profiles into exploit protection. To learn more, see Import, export, and deploy exploit protection configurations.

Important If you are currently using EMET you should be aware that EMET reached end of support on July 31, 2018. Consider replacing EMET with exploit protection in Windows 10.

Warning Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using audit mode before deploying the configuration across a production environment or the rest of your network.

Review exploit protection events in the Microsoft Security Center

Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.

You can query Microsoft Defender ATP data by using Advanced hunting. If you're using audit mode, you can use advanced hunting to see how exploit protection settings could affect your environment.

Here is an example query:

DeviceEvents | where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'

Review exploit protection events in Windows Event Viewer

You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:

Provider/source       Event ID  Description
Security-Mitigations  1         ACG audit
Security-Mitigations  2         ACG enforce
Security-Mitigations  3         Do not allow child processes audit
Security-Mitigations  4         Do not allow child processes block
Security-Mitigations  5         Block low integrity images audit
Security-Mitigations  6         Block low integrity images block
Security-Mitigations  7         Block remote images audit
Security-Mitigations  8         Block remote images block
Security-Mitigations  9         Disable win32k system calls audit
Security-Mitigations  10        Disable win32k system calls block
Security-Mitigations  11        Code integrity guard audit
Security-Mitigations  12        Code integrity guard block
Security-Mitigations  13        EAF audit
Security-Mitigations  14        EAF enforce
Security-Mitigations  15        EAF+ audit
Security-Mitigations  16        EAF+ enforce
Security-Mitigations  17        IAF audit
Security-Mitigations  18        IAF enforce
Security-Mitigations  19        ROP StackPivot audit
Security-Mitigations  20        ROP StackPivot enforce
Security-Mitigations  21        ROP CallerCheck audit
Security-Mitigations  22        ROP CallerCheck enforce
Security-Mitigations  23        ROP SimExec audit
Security-Mitigations  24        ROP SimExec enforce
WER-Diagnostics       5         CFG Block
Win32K                260       Untrusted Font
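The following PowerShell script is an added example, not part of the original article: it uses the event ID table above to summarize audit versus block events per mitigation, which is how you would size the impact of audit mode before enforcing. It assumes the events are written to the Microsoft-Windows-Security-Mitigations/UserMode and /KernelMode logs and that the first line of each event message names the affected process; both are assumptions, so adjust them for your environment.

```powershell
# Added example, not from the article. Assumption: exploit protection events are
# written to the Microsoft-Windows-Security-Mitigations/UserMode and /KernelMode logs.
$Logs = 'Microsoft-Windows-Security-Mitigations/UserMode',
        'Microsoft-Windows-Security-Mitigations/KernelMode'

# Event IDs 1-24 come in pairs (odd = audit, even = block/enforce), in the order
# listed in the table above. WER-Diagnostics 5 (CFG) and Win32K 260 (untrusted
# font) live under other providers and are not covered by this filter.
$MitigationNames = @(
    'ACG', 'Do not allow child processes', 'Block low integrity images',
    'Block remote images', 'Disable win32k system calls', 'Code integrity guard',
    'EAF', 'EAF+', 'IAF', 'ROP StackPivot', 'ROP CallerCheck', 'ROP SimExec'
)

function Get-MitigationInfo {
    param([int]$EventId)
    if ($EventId -lt 1 -or $EventId -gt 24) { return $null }
    [pscustomobject]@{
        Mitigation = $MitigationNames[[math]::Floor(($EventId - 1) / 2)]
        Mode       = if ($EventId % 2 -eq 1) { 'audit' } else { 'block' }
    }
}

# Pull the last 7 days; SilentlyContinue keeps an empty log from throwing.
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = $Logs
    Id        = 1..24
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

# One row per event: mitigation, mode, and the first message line (assumed to name the process).
$Rows = foreach ($e in $Events) {
    $info = Get-MitigationInfo -EventId $e.Id
    if ($null -eq $info) { continue }
    [pscustomobject]@{
        Mitigation = $info.Mitigation
        Mode       = $info.Mode
        Detail     = ($e.Message -split "`r?`n")[0]
    }
}

# Summary: audit-mode counts show what would be blocked once enforced, so incompatible apps surface early.
$Rows | Group-Object Mitigation, Mode |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Mitigation, Mode'; e = { $_.Name } } |
    Format-Table -AutoSize

# Per-process drill-down for anything still in audit mode.
$Rows | Where-Object Mode -eq 'audit' | Group-Object Mitigation, Detail |
    Sort-Object Count -Descending | Select-Object Count, Name -First 20
```

Run it on a device that has been in audit mode for a representative period; a mitigation that fires repeatedly for one legitimate application is a candidate for a per-app exception rather than blanket enforcement.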

Mitigation comparison

The mitigations available in EMET are included natively in Windows 10 (starting with version 1709) and Windows Server (starting with version 1803), under Exploit protection.

The table in this section indicates the availability and support of native mitigations between EMET and exploit protection.

Mitigation | Available under exploit protection | Available in EMET
Arbitrary code guard (ACG) | yes | yes (as "Memory Protection Check")
Block remote images | yes | yes (as "Load Library Check")
Block untrusted fonts | yes | yes
Data Execution Prevention (DEP) | yes | yes
Export address filtering (EAF) | yes | yes
Force randomization for images (Mandatory ASLR) | yes | yes
NullPage Security Mitigation | yes (included natively in Windows 10; see Mitigate threats by using Windows 10 security features for more information) | yes
Randomize memory allocations (Bottom-Up ASLR) | yes | yes
Simulate execution (SimExec) | yes | yes
Validate API invocation (CallerCheck) | yes | yes
Validate exception chains (SEHOP) | yes | yes
Validate stack integrity (StackPivot) | yes | yes
Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | yes
Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection (see Mitigate threats by using Windows 10 security features for more information) | yes
Block low integrity images | yes | no
Code integrity guard | yes | no
Disable extension points | yes | no
Disable Win32k system calls | yes | no
Do not allow child processes | yes | no
Import address filtering (IAF) | yes | no
Validate handle usage | yes | no
Validate heap integrity | yes | no
Validate image dependency integrity | yes | no

Note The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, while the other EMET advanced settings are enabled by default as part of enabling the anti-ROP mitigations for a process. See Mitigate threats by using Windows 10 security features for more information on how Windows 10 employs existing EMET technology.
