You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-endpoint/attack-surface-reduction-rules-reference.md
+20-19Lines changed: 20 additions & 19 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,15 +7,15 @@ ms.localizationpriority: medium
7
7
audience: ITPro
8
8
author: denisebmsft
9
9
ms.author: deniseb
10
-
ms.reviewer: sugamar, niwelton
10
+
ms.reviewer: sugamar, yongrhee
11
11
manager: deniseb
12
12
ms.custom: asr
13
13
ms.topic: reference
14
14
ms.collection:
15
15
- m365-security
16
16
- tier2
17
17
- mde-asr
18
-
ms.date: 09/07/2024
18
+
ms.date: 10/07/2024
19
19
search.appverid: met150
20
20
---
21
21
@@ -109,11 +109,11 @@ The following ASR rules DO NOT honor Microsoft Defender for Endpoint Indicators
109
109
The following table lists the supported operating systems for rules that are currently released to general availability. The rules are listed alphabetical order in this table.
110
110
111
111
> [!NOTE]
112
-
> Unless otherwise indicated, the minimum Windows 10 build is version 1709 (RS3, build 16299) or later; the minimum Windows Server build is version 1809 or later.
112
+
> Unless otherwise indicated, the minimum Windows10 build is version 1709 (RS3, build 16299) or later; the minimum WindowsServer build is version 1809 or later.
113
113
>
114
-
> Attack surface reduction rules in Windows Server 2012 R2 and Windows Server 2016 are available for devices onboarded using the modern unified solution package. For more information, see [New Windows Server 2012 R2 and 2016 functionality in the modern unified solution](configure-server-endpoints.md#functionality-in-the-modern-unified-solution).
114
+
> Attack surface reduction rules in WindowsServer2012R2 and WindowsServer2016 are available for devices onboarded using the modern unified solution package. For more information, see [New Windows Server 2012 R2 and 2016 functionality in the modern unified solution](configure-server-endpoints.md#functionality-in-the-modern-unified-solution).
|[Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers)| Y | Y | Y <br> version 1803 (Semi-Annual Enterprise Channel) or later | Y | Y |
119
119
|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes)| Y <br> version 1809 or later <sup>[[3](#fn1)]</sup> | Y | Y | Y | Y |
@@ -137,9 +137,9 @@ The following table lists the supported operating systems for rules that are cur
137
137
138
138
(<aid="fn1">1</a>) Refers to the modern unified solution for Windows Server 2012 and 2016. For more information, see [Onboard Windows Servers to the Defender for Endpoint service](configure-server-endpoints.md).
139
139
140
-
(<aid="fn1">2</a>) For Windows Server 2016 and Windows Server 2012 R2, the minimum required version of Microsoft Endpoint Configuration Manager is version 2111.
140
+
(<aid="fn1">2</a>) For WindowsServer 2016 and WindowsServer 2012R2, the minimum required version of Microsoft Endpoint Configuration Manager is version 2111.
141
141
142
-
(<aid="fn1">3</a>) Version and build number apply only to Windows 10.
142
+
(<aid="fn1">3</a>) Version and build number apply only to Windows10.
143
143
144
144
## ASR rules supported configuration management systems
145
145
@@ -180,31 +180,32 @@ Toast notifications are generated for all rules in Block mode. Rules in any othe
180
180
181
181
For rules with the "Rule State" specified:
182
182
183
-
- ASR rules with \<ASR Rule, Rule State\> combinations are used to surface alerts (toast notifications) on Microsoft Defender for Endpoint only for devices at cloud block level **High**. Devices not at High cloud block level won't generate alerts for any <ASR Rule, Rule State> combinations
184
-
- EDR alerts are generated for ASR rules in the specified states, for devices at cloud block level **High+**
183
+
- ASR rules with `\ASR Rule, Rule State\` combinations are used to surface alerts (toast notifications) on Microsoft Defender for Endpoint only for devices at cloud block level "High".
184
+
- Devices that not at the high cloud block level don't generate alerts for any `ASR Rule, Rule State` combinations
185
+
- EDR alerts are generated for ASR rules in the specified states, for devices at cloud block level "High+"
186
+
- Toast notifications occur in block mode only and for devices at cloud block level "High"
|||_Only for devices at cloud block level **High+**_|_In Block mode only_ and _only for devices at cloud block level **High**_|
188
+
| Rule name | Rule state | EDR alerts | Toast notifications |
189
+
|---|---|---|---|
189
190
|[Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers)|| N | Y |
190
191
|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes)| Block | Y | Y |
191
192
|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes)|| N | Y |
192
-
|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem)|| N |Y|
193
+
|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem)|| N |N|
193
194
|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail)|| Y | Y |
194
195
|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion)|| N | Y |
195
-
|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts)| Audit \| Block | Y \| Y | N \| Y |
196
+
|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts)| Audit or Block | Y (in block mode) <br/>N (in audit mode) | Y (in block mode)|
196
197
|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content)| Block | Y | Y |
197
198
|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content)|| N | Y |
198
199
|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes)|| N | Y |
199
200
|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes)|| N | Y |
200
-
|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription)| Audit \| Block | Y \| Y | N \| Y |
201
+
|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription)| Audit or Block | Y (in block mode) <br/> N (in audit mode) | Y (in block mode) |
201
202
|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands)|| N | Y |
202
203
|[Block rebooting machine in Safe Mode (preview)](#block-rebooting-machine-in-safe-mode-preview)|| N | N |
203
-
|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb)| Audit \| Block | Y \| Y | N \| Y |
204
+
|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb)| Audit or Block | Y (in block mode) <br/> N (in audit mode) | Y (in block mode)|
204
205
|[Block use of copied or impersonated system tools (preview)](#block-use-of-copied-or-impersonated-system-tools-preview)|| N | N |
205
206
|[Block Webshell creation for Servers](#block-webshell-creation-for-servers)|| N | N |
206
207
|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros)|| N | Y |
207
-
|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware)| Audit \| Block | Y \| Y | N \| Y |
208
+
|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware)| Audit or Block | Y (in block mode) <br/> N (in audit mode) | Y (in block mode)|
208
209
209
210
## ASR rule to GUID matrix
210
211
@@ -239,9 +240,9 @@ For rules with the "Rule State" specified:
239
240
240
241
_Warn mode_ is a block-mode type that alerts users about potentially risky actions. Users can choose to bypass the block warning message and allow the underlying action. Users can select **OK** to enforce the block, or select the bypass option - **Unblock** - through the end-user pop-up toast notification that is generated at the time of the block. After the warning is unblocked, the operation is allowed until the next time the warning message occurs, at which time the end-user will need to reperform the action.
241
242
242
-
When the allow button is clicked, the block is suppressed for 24 hours. After 24 hours, the end-user will need to allow the block again. The warn mode for ASR rules is only supported for RS5+ (1809+) devices. If bypass is assigned to ASR rules on devices with older versions, the rule will be in blocked mode.
243
+
When the allow button is clicked, the block is suppressed for 24 hours. After 24 hours, the end-user will need to allow the block again. The warn mode for ASR rules is only supported for RS5+ (1809+) devices. If bypass is assigned to ASR rules on devices with older versions, the rule is in blocked mode.
243
244
244
-
You can also set a rule in warn mode via PowerShell by specifying the AttackSurfaceReductionRules_Actions as "Warn". For example:
245
+
You can also set a rule in warn mode via PowerShell by specifying the `AttackSurfaceReductionRules_Actions` as "Warn". For example:
0 commit comments