Merge pull request #1909 from YongRhee-MSFT/docs-editor/evaluate-exploit-protection-1731688559

Update evaluate-exploit-protection.md

Author: denisebmsft

defender-endpoint/evaluate-exploit-protection.md

@@ -15,7 +15,7 @@ ms.collection:
 - tier2
 - mde-asr
 search.appverid: met150
-ms.date: 12/18/2020
+ms.date: 11/15/2024
 ---
 
 # Evaluate exploit protection
@@ -31,7 +31,56 @@ ms.date: 12/18/2020
 
 [Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. (The EMET has reached its end of support.)
 
-In audit, you can see how mitigation works for certain apps in a test environment. This shows what *would* have happened if you enabled exploit protection in your production environment. This way, you can verify that exploit protection doesn't adversely affect your line-of-business apps, and see which suspicious or malicious events occur.
+In audit, you can see how mitigation works for certain apps in a test environment. This shows what *would* happen if you enable exploit protection in your production environment. This way, you can verify that exploit protection doesn't adversely affect your line-of-business apps, and see which suspicious or malicious events occur.
+
+## Generic guidelines
+
+Exploit protection mitigations work at a low level in the operating system, and some kinds of software that perform similar low-level operations might have compatibility issues when they're configured to be protected by using exploit protection.  
+
+#### What kinds of Software shouldn't be protected by exploit protection?
+
+- Anti-malware and intrusion prevention or detection software
+- Debuggers
+- Software that handles digital rights management (DRM) technologies (that is, video games)
+- Software that use anti-debugging, obfuscation, or hooking technologies
+
+#### What type of applications should you consider enabling exploit protection?
+
+Applications that receive or handle untrusted data.
+
+#### What type of processes are out of scope for exploit protection?
+
+Services
+
+- System services
+- Network services
+
+## Application compatibility list
+
+The following table lists specific products that have compatibility issues with the mitigations that are included in exploit protection. You must disable specific incompatible mitigations if you want to protect the product by using exploit protection. Be aware that this list takes into consideration the default settings for the latest versions of the product.  Compatibility issues can introduced when you apply certain add-ins or other components to the standard software.
+
+| Product | Exploit protection mitigation |
+| -------- | -------- |
+| .NET 2.0/3.5   | EAF/IAF   |
+| 7-Zip Console/GUI/File Manager   | EAF  |
+| AMD 62xx processors  | EAF   |
+| Avecto (Beyond Trust) Power Broker   | EAF, EAF+, Stack Pivot   |
+| Certain AMD (ATI) video drivers   | System ASLR=AlwaysOn   |
+| DropBox   | EAF  |
+| Excel Power Query, Power View, Power Map and PowerPivot   | EAF  |
+| Google Chrome   | EAF+   |
+| Immidio Flex+   | Cell 4   |
+| Microsoft Office Web Components (OWC)   | System DEP=AlwaysOn  |
+| Microsoft PowerPoint   | EAF   |
+| Microsoft Teams   | EAF+   |
+| Oracle Javaǂ  | Heapspray   |
+| Pitney Bowes Print Audit 6   | SimExecFlow  |
+| Siebel CRM version is 8.1.1.9  | SEHOP   |
+| Skype   | EAF  |
+| SolarWinds Syslogd Manager   | EAF  |
+| Windows Media Player   | MandatoryASLR, EAF|
+
+ǂ EMET mitigations might be incompatible with Oracle Java when they're run by using settings that reserve a large chunk of memory for the virtual machine (that is, by using the -Xms option).
 
 ## Enable exploit protection for testing
 
@@ -45,12 +94,14 @@ You can set mitigations in a testing mode for specific programs by using the Win
 
 3. Go to **Program settings** and choose the app you want to apply protection to:
 
-    1. If the app you want to configure is already listed, select it and then select **Edit**
-    2. If the app isn't listed at the top of the list select **Add program to customize**. Then, choose how you want to add the app.
-        - Use **Add by program name** to have the mitigation applied to any running process with that name. Specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
-        - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+   1. If the app you want to configure is already listed, select it and then select **Edit**.
+
+   2. If the app isn't listed at the top of the list select **Add program to customize**. Then, choose how you want to add the app.
 
-4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in test mode only. You'll be notified if you need to restart the process, app, or Windows.
+      - Use **Add by program name** to have the mitigation applied to any running process with that name. Specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+      - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+
+4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** applies the mitigation in test mode only. You're notified if you need to restart the process, app, or Windows.
 
 5. Repeat this procedure for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration.
 
@@ -93,7 +144,7 @@ You can disable **audit mode** by replacing `-Enable` with `-Disable`.
 
 ## Review exploit protection audit events
 
-To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log.<br/><br/>
+To review which apps would be blocked, open Event Viewer and filter for the following events in the Security-Mitigations log.
 
 |Feature|Provider/source|Event ID|Description|
 |---|---|--|---|
@@ -110,4 +161,5 @@ To review which apps would have been blocked, open Event Viewer and filter for t
 - [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
 - [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
 - [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]