Courtesy of the Windows Defender Exploit Guard that ships with Windows 10 Fall Creators Update, systems running Microsoft’s Windows 10 operating system can fend off emerging threats, Microsoft says.
In June this year, Microsoft revealed that Windows Defender Exploit Guard will make the Enhanced Mitigation Experience Toolkit (EMET) native to Windows 10, and that it would also provide users with additional vulnerability mitigations.
Taking advantage of Microsoft Intelligent Security Graph (ISG), the Exploit Guard was designed to protect organizations from advanced threats, including zero day exploits. The tool contains four components: Attack Surface Reduction, Network protection, Controlled folder access, and Exploit protection.
Attack Surface Reduction (ASR), which is inherited from EMET, is a set of controls providing enterprises with protection from getting infected with malware by blocking Office-, script-, and email-based threats. ASR, Microsoft claims, can block the underlying behavior of malicious documents (such as Office files with malicious macros or malware-laden emails attachments) without hindering productive scenarios.
“By blocking malicious behaviors independent of what the threat or exploit is, ASR can protect enterprises from never before seen zero-day attacks like the recently discovered CVE-2017-8759, CVE-2017-11292, and CVE-2017-11826,” the company says.
When it comes to Office apps, ASR can block them from creating executable content, from launching child processes, and from injecting into processes, but can also block Win32 imports from macro code in Office and prevent obfuscated macro code from executing.
For increased Network protection, Exploit Guard leverages data from ISG to vet, and if necessary block, all outbound connections before they are made, thus preventing malware to connect with a command-and-control server (C&C). The outbound network traffic is evaluated based on hostname and IP address-related reputation intelligence.
“Regardless if the outbound call is to phishing, socially engineered malware, or a C&C website, or if the call originates from a browser or a background process, network protection can intercept and kill the connection. These filtering capabilities can also augment and work in concert with similar protection capabilities from others security solutions, browsers, etc,” Microsoft notes.
Controlled folder access, first included in Windows 10 in Insider Preview Build 16232, was meant to monitor the changes applications make to files located in certain protected folders. It can lock down critical folders and allow only authorized apps to access them.
Thus, unauthorized apps, malicious and suspicious executable files, DLLs, scripts, and other programs will be denied access to the protected folders. This should prevent the encryption of files by ransomware, which usually target precious data such as documents, precious photos and videos, and other important files.
“By default, Controlled folder access protects common folders where documents and other important data are stored, but it’s also flexible. You can add additional folders to protect, including those on other drives. You can also allow apps that you trust to access protected folders, so if you’re using unique or custom app, your normal everyday productivity will be not affected,” Microsoft explains.
The exploit protection included in Windows Defender Exploit Guard, the company notes, represents a suite of vulnerability mitigation and hardening techniques that have been built directly into Windows 10. These represent the former EMET and are automatically configured and applied on the machines installing Windows 10 Fall Creators Update.
“To make the process of migrating to Exploit Protection and Windows Defender Exploit Guard easier, there is a PowerShell module that converts EMET XML settings files into Windows 10 mitigation policies for Exploit Guard. This PowerShell module also provides an additional interface for Windows Defender Security Center to configure its mitigation settings,” Microsoft says.
Management of the Windows Defender Exploit Guard components can be performed through Group Policy (GP), System Center Configuration Manager (SCCM), and Mobile Device Management (MDM) such as Microsoft Intune, the company reveals. Exploit Guard is also present in the Security Analytics dashboard of the Windows Defender ATP console.