defender-endpoint/attack-surface-reduction.md
6 additions & 6 deletions
@@ -16,7 +16,7 @@ ms.collection:
16
16
- tier2
17
17
- mde-asr
18
18
search.appverid: met150
19
-
ms.date: 02/04/2025
19
+
ms.date: 03/28/2025
20
20
---
21
21
22
22
# Attack surface reduction rules overview
@@ -79,7 +79,7 @@ For information about configuring per-rule exclusions, see the section titled **
79
79
80
80
## Warn mode for users
81
81
82
-
Whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes.
82
+
Whenever an attack surface reduction rule blocks content, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes.
83
83
84
84
Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks.
85
85
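Review bot: The reworded sentence on the + line (new line 82) and the rest of the paragraph say the content "remains unblocked for 24 hours" but still don't say what the unblock is scoped to (the user, the device, or the specific file and rule) or where the override is recorded. Since this paragraph is being edited anyway, consider adding one sentence on scope and auditing so administrators know what a user's unblock actually permits and how to review it.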
@@ -93,12 +93,12 @@ Warn mode is supported on devices running the following versions of Windows:
93
93
94
94
Microsoft Defender Antivirus must be running with real-time protection in [Active mode](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state).
95
95
96
-
Also, make sure [Microsoft Defender Antivirus and antimalware updates](/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#platform-and-engine-releases) are installed.
96
+
Also, make sure [Microsoft Defender Antivirus and anti-malware updates](/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#platform-and-engine-releases) are installed.
For more information and to get your updates, see [Update for Microsoft Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform).
101
+
For more information and to get your updates, see [Update for Microsoft Defender anti-malware platform](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform).
102
102
103
103
### Cases where warn mode isn't supported
104
104
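Review bot: The second + line changes the link text to "Update for Microsoft Defender anti-malware platform" while the target URL still ends in update-for-microsoft-defender-antimalware-platform, so the link text no longer matches the article it points to. Keep "antimalware" where the text reproduces an article title. The first + line makes the same spelling change in running text; settle on one spelling and apply it across the file rather than in these two sentences only.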
@@ -124,7 +124,7 @@ For specific details about notification and alert functionality, see: [Per rule
124
124
125
125
You can use advanced hunting to view attack surface reduction events. To streamline the volume of incoming data, only unique processes for each hour are viewable with advanced hunting. The time of an attack surface reduction event is the first time that event is seen within the hour.
126
126
127
-
For example, suppose that an attack surface reduction event occurs on 10 devices during the 2:00 PM hour. Suppose that the first event occurred at 2:15, and the last at 2:45. With advanced hunting, you see one instance of that event (even though it actually occurred on 10 devices), and its timestamp will be 2:15 PM.
127
+
For example, suppose that an attack surface reduction event occurs on 10 devices during the 2:00 PM hour. Suppose that the first event occurred at 2:15, and the last at 2:45. With advanced hunting, you see one instance of that event (even though it actually occurred on 10 devices), and its timestamp is 2:15 PM.
128
128
129
129
For more information about advanced hunting, see [Proactively hunt for threats with advanced hunting](/defender-xdr/advanced-hunting-overview).
130
130
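Review bot: The + line fixes the tense but leaves the times inconsistent: "2:15" and "2:45" carry no AM/PM while "2:00 PM" and "2:15 PM" do, so add "PM" to both. The context line above says "only unique processes for each hour" without saying whether uniqueness is per device, and the example is the only place that implies events from 10 devices collapse into one row; stating that explicitly would help anyone counting affected devices from advanced hunting results.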
@@ -188,7 +188,7 @@ You can create a custom view that filters events to only show the following even
188
188
|1121|Event when rule fires in Block-mode|
189
189
|1122|Event when rule fires in Audit-mode|
190
190
191
-
The "engine version" listed for attack surface reduction events in the event log, is generated by Defender for Endpoint, not by the operating system. Defender for Endpoint is integrated with Windows 10 and Windows 11, so this feature works on all devices with Windows 10 or Windows 11 installed.
191
+
Defender for Endpoint generates the "engine version" that's listed in the event log for attack surface reduction. The operating system doesn't generate this version. Defender for Endpoint is integrated with Windows 10 and Windows 11, so this feature works on all devices with Windows 10 or Windows 11 installed.
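Review bot: The first + sentence now reads "the event log for attack surface reduction", which suggests a dedicated log, where the removed line said the version is listed "for attack surface reduction events in the event log". Keep the original attachment, for example: Defender for Endpoint generates the "engine version" listed for attack surface reduction events in the event log. After the split into three sentences, "this feature" in the last sentence also has no clear antecedent; name what it refers to.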