Exploit Guard, as you may have noticed, is a very exciting security feature in Windows 10 1709. It is a set of host/endpoint intrusion prevention tools defending against malicious macro, email and script based threats.
For those familiar with Microsoft's free EMET (Enhanced Mitigation Experience Toolkit) tool, Exploit Guard is the natural successor to EMET; it is used to limit and block attacks at the application level using memory mitigation techniques as well as other options.
It should be noted that EMET end of support is July 31, 2018. You can easily convert and import your EMET configuration and settings into Exploit Guard. For a detailed comparison between EMET and Exploit Guard, check the link below.
To import an older EMET configuration into Exploit Guard you first need to convert it and then import it. Both conversion and import are done using PowerShell commands as follows:
- Conversion: ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml
- Importing your converted file to Exploit Guard: Set-ProcessMitigation -PolicyFilePath filename.xml
Exploit Guard is a family of tools that fall under pre-breach threat resistance. There are mainly three tools under Exploit Guard, as follows:
- Attack Surface Reduction: protects entry vectors such as macros, i.e. Office files with macros that download and execute content (Office rules, script rules and mail rules). This will be discussed in my next blog post.
- Controlled Folder Access: protects files in the critical folders on your system (ransomware). Check my earlier post http://itcalls.blogspot.com.eg/2017/10/windows-10-fall-update-1709-security_25.html
- Network Protection: the part of Exploit Guard that protects against internet based attacks (building on the earlier browser SmartScreen protection, etc.)
Configuring Exploit Protection settings on Standalone machine:
You can open the Exploit Protection settings from the Windows Defender Security Center – App and Browser Control – scroll down and click on Exploit Protection.
Configuring Exploit Protection settings on domain machines using group policy:
As discussed earlier in the standalone configuration, you will normally start by configuring one client and testing all applications and mitigation techniques. Once satisfied, you will export the settings and deploy them to all the computers in your enterprise running Windows 10 1709 or later.
This is where group policy kicks in: create a new GPO, link it to your Windows 10 1709 computers, and navigate to Computer Configuration – Policies – Administrative Templates – Windows Components – Windows Defender Exploit Guard – Exploit Protection.
There is only one setting available, where you point to the settings file (exported from any tested standalone machine).
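The whole workflow above (convert the EMET file, import it, check one application, export the tested settings for the GPO) as a single script. This is an added example and not the author's code; the file paths, the share name and the application name checked (notepad.exe) are assumptions, and the script must run in an elevated PowerShell on a Windows 10 1709 or later test machine.

```powershell
# Assumed paths (placeholders): adjust to your environment.
$EmetXml     = 'C:\EMET\emetFile.xml'            # legacy EMET export
$ConvertedXml = 'C:\ExploitGuard\converted.xml'   # output of the conversion
$ExportXml   = '\\fileserver\ExploitGuard\ExploitProtection.xml'  # file the GPO points to
$TestApp     = 'notepad.exe'                       # assumed app to verify after import

# 1. Convert the EMET configuration into Exploit Protection format.
ConvertTo-ProcessMitigationPolicy -EMETFilePath $EmetXml -OutputFilePath $ConvertedXml

# 2. Import the converted policy into the local machine's Exploit Protection settings.
Set-ProcessMitigation -PolicyFilePath $ConvertedXml

# 3. Verify that the import applied mitigations to the test application.
#    The output lists each mitigation (DEP, ASLR, CFG, ...) and whether it is ON/OFF/NOTSET.
Get-ProcessMitigation -Name $TestApp | Format-List

# 4. After testing every application on this reference machine, export the
#    effective settings to the XML file that the GPO setting will reference.
Get-ProcessMitigation -RegistryConfigFilePath $ExportXml

# 5. Record a hash of the exported file so a later change to the shared XML
#    (which every domain client will apply) can be detected.
$hash = (Get-FileHash -Path $ExportXml -Algorithm SHA256).Hash
"Exported $ExportXml, SHA256 $hash" | Out-File -Append 'C:\ExploitGuard\export-log.txt'
```

Re-run step 5 on a schedule and compare the stored hash to catch unauthorized edits of the policy file on the share.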