Microsoft announced that the Windows Defender Exploit Guard which is part of the Windows 10 Fall Creators Update is capable of preventing emerging threats.
A few months ago, Microsoft reported that Windows Defender Exploit Guard will make the Enhanced Mitigation Experience Toolkit (EMET) native to Windows 10, and would provide users with additional vulnerability mitigations.
The Windows 10 Exploit Guard was created to protect organizations from advanced threats, including zero day exploits. The tool features four components: Attack Surface Reduction, Network protection, Controlled folder access, and Exploit protection.
The Attack Surface Reduction (ASR) is a set of controls providing enterprises with protection from getting infected with malware by blocking Office-, script-, and email-based threats. According to Microsoft, ASR can block the underlying behavior of malicious documents (such as Office files with malicious macros or malware-laden emails attachments) without hindering productive scenarios.
“By blocking malicious behaviors independent of what the threat or exploit is, ASR can protect enterprises from never before seen zero-day attacks like the recently discovered CVE-2017-8759, CVE-2017-11292, and CVE-2017-11826,” Microsoft states.
Apart from blocking the Office apps from creating executable content, launching child processes, and injecting into processes, ASR can also block Win32 imports from macro code in Office and prevent obfuscated macro code from executing.
Additionally, ASR is capable of blocking JavaScript, VBScript, and PowerShell codes which have been obfuscated, and preventing scripts from executing payload downloaded from Internet, in addition to blocking the execution of executable content dropped from email.
To increase the Network protection, Exploit Guard leverages data from ISG to vet, and if necessary block, all outbound connections before they are made, thus preventing malware to connect with a command-and-control server (C&C). The outbound network traffic is evaluated based on hostname and IP address-related reputation intelligence.
The Controlled folder access was first included in Windows 10 in Insider Preview Build 16232, and was meant to monitor the changes applications make to files located in certain protected folders. Additionally, it is capable of locking down critical folders and allowing only authorized apps to access them.
Any unauthorized applications, malicious and suspicious executable files, DLLs, scripts, and other programs will be denied access to the protected folders. This should prevent the encryption of files by ransomware, which usually target precious data such as documents, photos and videos, and other important files.
“By default, Controlled folder access protects common folders where documents and other important data are stored, but it’s also flexible. You can add additional folders to protect, including those on other drives. You can also allow apps that you trust to access protected folders, so if you’re using unique or custom app, your normal everyday productivity will be not affected,” Microsoft says.
The Corporation also explains that the exploit protection included in Windows Defender Exploit Guard represents a suite of vulnerability mitigation and hardening techniques that have been built directly into Windows 10. These represent the former EMET and are automatically configured and applied on the machines installing Windows 10 Fall Creators Update.
“To make the process of migrating to Exploit Protection and Windows Defender Exploit Guard easier, there is a PowerShell module that converts EMET XML settings files into Windows 10 mitigation policies for Exploit Guard. This PowerShell module also provides an additional interface for Windows Defender Security Center to configure its mitigation settings,” Microsoft states.
