1. Azure Bastion for PaaS 2.0

Windows Defender Exploit Guard

Version:

Windows Defender Exploit Guard has four components designed to lock down the device against a wide variety of attack vectors and block behaviors commonly used in malware attacks, while enabling enterprises to balance their security risk and productivity requirements. The four components of Windows Defender Exploit Guard are Attack Surface Reduction (ASR), Network protection, Controlled folder access, and Exploit protection. Under this security enhancement, Controlled folder access is enabled and a specific set of Attack Surface Reduction rules is configured.

Attack Surface Reduction

Blocks or detects techniques commonly used by attackers, such as exploitation of vulnerabilities through common attack vectors (for example, malicious macros, scripts, and PowerShell-based attacks).

Rules

These are the suggested rules that will be enabled. More details about each rule can be found in the ASR rules reference in the Microsoft documentation.

Rule Name                                                                    | Rule GUID
---------------------------------------------------------------------------- | ------------------------------------
Block Adobe Reader from creating child processes                             | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Block all Office applications from creating child processes                  | d4f940ab-401b-4efc-aadc-ad5f3c50688a
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block executable content from email client and webmail                       | be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
Block execution of potentially obfuscated scripts                            | 5beb7efe-fd9a-4556-801d-275e5ffc04cc
Block JavaScript or VBScript from launching downloaded executable content    | d3e037e1-3eb8-44c8-a917-57927947596d
Block Office applications from creating executable content                   | 3b576869-a4ec-4529-8536-b80a7769e899
Block Office applications from injecting code into other processes           | 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
Block Office communication application from creating child processes         | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block rebooting machine in Safe Mode (preview)                               | 33ddedf1-c6e0-47cb-833e-de6133960387
Block untrusted and unsigned processes that run from USB                     | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Win32 API calls from Office macros                                     | 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b

Controlled Folder Access

Protects critical files and folders from ransomware and other malicious attacks. It prevents unauthorized apps and untrusted processes from making changes to important files by restricting access to designated protected folders. More details about this component can be found in the Microsoft documentation.

Note

For these security enhancements to be reported as compliant with Windows Defender, the Cloud Defender CSPM plan for Servers must be enabled.

Cost

The cost might vary and can be calculated on the Microsoft Defender for Cloud pricing page. It depends on the region and on whether Microsoft Defender for Servers Plan 1 or Plan 2 is selected. There is no additional cost for this feature beyond the Defender plan itself.
