Commit 97e3361

Update customize-exploit-protection.md
1 parent d78116a commit 97e3361

1 file changed

+4
-4
lines changed

defender-endpoint/customize-exploit-protection.md

Lines changed: 4 additions & 4 deletions
@@ -33,7 +33,7 @@ Configure these settings using the Windows Security app on an individual device.
3333

3434
This article lists each of the mitigations available in exploit protection. It indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
3535

36-
It also describes how to enable or configure the mitigations using Windows Security, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating, exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md).
36+
It also describes how to enable or configure the mitigations using Windows Security, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). This configuration is the first step in creating a configuration that you can deploy across your network. The next step involves [generating, exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md).
3737

3838
> [!WARNING]
3939
> Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](evaluate-exploit-protection.md) before deploying the configuration across a production environment or the rest of your network.
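Review bot: The rewritten sentence at new line 36 is circular: "This configuration is the first step in creating a configuration that you can deploy across your network" uses "configuration" for both the settings made on one device and the deployable result. Name the antecedent instead, for example "Configuring the mitigations on an individual device is the first step in creating a configuration that you can deploy across your network," so the reader can tell the local setup apart from the exported configuration covered in the linked import-export-exploit-protection-emet-xml.md article.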
@@ -44,9 +44,9 @@ All mitigations can be configured for individual apps. Some mitigations can also
4444

4545
You can set each of the mitigations on, off, or to their default value. Some mitigations have more options that are indicated in the description in the table.
4646

47-
Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On".
47+
Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On."
4848

49-
The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults.
49+
The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and hence need to modify configuration away from the defaults.
5050

5151
For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this article.
5252

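Review bot: At new line 49, replacing "may need to modify" with "hence need to modify" turns optional guidance into a requirement: the sentence now says every enterprise deployment has to move away from the **Use default** values, which the first half of the sentence ("should consider the protection required for their individual needs") does not support. Keep the conditional, for example "and might need to modify the configuration away from the defaults." Separately, at new line 47, moving the period inside the quotation marks ("On.") makes the punctuation look like part of the setting value; consider formatting the value as a UI term or keeping the period outside the quotes.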
@@ -56,7 +56,7 @@ For the associated PowerShell cmdlets for each mitigation, see the [PowerShell r
5656
|Data Execution Prevention (DEP)|Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation.|System and app-level|No|
5757
|Force randomization for images (Mandatory ASLR)|Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information.|System and app-level|No|
5858
|Randomize memory allocations (Bottom-Up ASLR)|Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes.|System and app-level|No|
59-
|Validate exception chains (SEHOP)|Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications.|System and app-level|No|
59+
|Validate exception chains (SEHOP)|Ensures the integrity of an exception chain during an exception dispatch. Only configurable for 32-bit (x86) applications.|System and app-level|No|
6060
|Validate heap integrity|Terminates a process when heap corruption is detected.|System and app-level|No|
6161
|Arbitrary code guard (ACG)|Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell).|App-level only|Yes|
6262
|Block low integrity images|Prevents the loading of images marked with Low Integrity.|App-level only|Yes|
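Review bot: In the SEHOP row at new line 59, "during an exception dispatch" treats dispatch as a single countable event, whereas the original "during exception dispatch" names the mechanism that runs every time an exception is raised and was the more precise wording. Suggest reverting this line; the change adds an article without adding meaning, and the neighbouring rows in this hunk describe their mechanisms without one.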
