Merge pull request #1980 from MicrosoftDocs/main

publishing MDE urgent updates

Author: diannegali

defender-endpoint/evaluate-exploit-protection.md

@@ -15,7 +15,7 @@ ms.collection:
 - tier2
 - mde-asr
 search.appverid: met150
-ms.date: 11/15/2024
+ms.date: 11/21/2024
 ---
 
 # Evaluate exploit protection
@@ -37,7 +37,7 @@ In audit, you can see how mitigation works for certain apps in a test environmen
 
 Exploit protection mitigations work at a low level in the operating system, and some kinds of software that perform similar low-level operations might have compatibility issues when they're configured to be protected by using exploit protection.  
 
-#### What kinds of Software shouldn't be protected by exploit protection?
+#### What kinds of software shouldn't be protected by exploit protection?
 
 - Anti-malware and intrusion prevention or detection software
 - Debuggers
@@ -55,6 +55,40 @@ Services
 - System services
 - Network services
 
+## Exploit protection mitigations enabled by default
+
+| Mitigation | Enabled by default |
+| -------- | -------- |
+| Data Execution Prevention (DEP) | 64-bit and 32-bit applications |
+| Validate exception chains (SEHOP) | 64-bit applications |
+| Validate heap integrity | 64-bit and 32-bit applications |
+
+## Deprecated "Program settings" mitigations
+
+| “Program settings” mitigations | Reason |
+| -------- | -------- |
+| Export address filtering (EAF) | Application compatibility issues |
+| Import address filtering (IAF) | Application compatibility issues |
+| Simulate execution (SimExec) | Replaced with Arbitrary Code Guard (ACG) |
+| Validate API invocation (CallerCheck) | Replaced with Arbitrary Code Guard (ACG) |
+| Validate stack integrity (StackPivot) | Replaced with Arbitrary Code Guard (ACG) |
+
+## Office application best practices
+
+Instead of using Exploit Protection for Office applications such as Outlook, Word, Excel, PowerPoint, and OneNote, consider using a more modern approach to prevent their misuse: Attack Surface Reduction rules (ASR rules):
+
+- [Block executable content from email client and webmail ](attack-surface-reduction-rules-reference.md#block-executable-content-from-email-client-and-webmail)
+- [Block Office applications from creating executable content](attack-surface-reduction-rules-reference.md#block-office-applications-from-creating-executable-content)
+- [Block all Office applications from creating child processes](attack-surface-reduction-rules-reference.md#block-all-office-applications-from-creating-child-processes)
+- [Block Office communication application from creating child processes](attack-surface-reduction-rules-reference.md#block-office-communication-application-from-creating-child-processes)
+- [Block Office applications from injecting code into other processes](attack-surface-reduction-rules-reference.md#block-office-applications-from-injecting-code-into-other-processes)
+- [Block execution of potentially obfuscated scripts](attack-surface-reduction-rules-reference.md#block-execution-of-potentially-obfuscated-scripts)
+- [Block Win32 API calls from Office macros](attack-surface-reduction-rules-reference.md#block-win32-api-calls-from-office-macros)
+
+For Adobe Reader use the following ASR rule:
+
+•	[Block Adobe Reader from creating child processes](attack-surface-reduction-rules-reference.md#block-adobe-reader-from-creating-child-processes)
+
 ## Application compatibility list
 
 The following table lists specific products that have compatibility issues with the mitigations that are included in exploit protection. You must disable specific incompatible mitigations if you want to protect the product by using exploit protection. Be aware that this list takes into consideration the default settings for the latest versions of the product.  Compatibility issues can introduced when you apply certain add-ins or other components to the standard software.
@@ -69,7 +103,7 @@ The following table lists specific products that have compatibility issues with
 | DropBox   | EAF  |
 | Excel Power Query, Power View, Power Map and PowerPivot   | EAF  |
 | Google Chrome   | EAF+   |
-| Immidio Flex+   | Cell 4   |
+| Immidio Flex+   | EAF   |
 | Microsoft Office Web Components (OWC)   | System DEP=AlwaysOn  |
 | Microsoft PowerPoint   | EAF   |
 | Microsoft Teams   | EAF+   |
@@ -82,7 +116,38 @@ The following table lists specific products that have compatibility issues with
 
 ǂ EMET mitigations might be incompatible with Oracle Java when they're run by using settings that reserve a large chunk of memory for the virtual machine (that is, by using the -Xms option).
 
-## Enable exploit protection for testing
+## Enable exploit protection system settings for testing
+
+These Exploit Protection system settings are enabled by default on Windows 10 and later, Windows Server 2019 and later, and on Windows Server version 1803 core edition and later.
+
+| System settings | Setting |
+| -------- | -------- |
+| Control flow guard (CFG) | Use default (On) |
+| Data Execution Prevention (DEP) | Use default (On) |
+| Force randomization for images (Mandatory ASRL) | Use default (On) |
+| Randomize memory allocations (Bottom-up ASRL) | Use default (On) |
+| High-entropy ASRL | Use default (On) |
+| Validate exception chains (SEHOP) | Use default (On) |
+
+The xml sample is available below
+
+```
+<?xml version="1.0" encoding="UTF-8"?>
+<MitigationPolicy>
+  <SystemConfig>
+    <DEP Enable="true" EmulateAtlThunks="false" />
+    <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="true" />
+    <ControlFlowGuard Enable="true" SuppressExports="false" />
+    <SEHOP Enable="true" TelemetryOnly="false" />
+    <Heap TerminateOnError="true" />
+  </SystemConfig>
+</MitigationPolicy>
+```
+
+## Enable exploit protection program settings for testing
+
+> [!TIP] 
+> We highly recommend reviewing the modern approach for vulnerability mitigations, which is to use [Attack Surface Reduction rules (ASR rules)](attack-surface-reduction.md).
 
 You can set mitigations in a testing mode for specific programs by using the Windows Security app or Windows PowerShell.