Learn Editor: Update evaluate-exploit-protection.md

YongRhee-MSFT · YongRhee-MSFT · commit f100ea264289 · 2024-11-20T22:13:58.000-08:00
diff --git a/defender-endpoint/evaluate-exploit-protection.md b/defender-endpoint/evaluate-exploit-protection.md
@@ -55,6 +55,37 @@ Services
 - System services
 - Network services
 
+## Exploit Protection mitigations enabled by default
+
+| Mitigation | Enabled by default on |
+| -------- | -------- |
+| Data Execution Prevention (DEP) | 64-bit and 32-bit applications |
+| Validate exception chains (SEHOP) | 64-bit applications |
+| Validate heap integrity | 64-bit and 32-bit applications |
+
+## These "Program settings" mitigations are deprecated
+
+| “Program settings” mitigations | Reason |
+| -------- | -------- |
+| Export address filtering (EAF) | Application compatibility issues |
+| Import address filtering (IAF) | Application compatibility issues |
+| Simulate execution (SimExec) | Replaced with Arbitrary Code Guard (ACG) |
+| Validate API invocation (CallerCheck) | Replaced with Arbitrary Code Guard (ACG) |
+| Validate stack integrity (StackPivot) | Replaced with Arbitrary Code Guard (ACG) |
+
+## Office application best practices
+Instead of using Exploit Protection for Office applications such as Outlook, Word, Excel, PowerPoint, and OneNote, consider using a more modern approach to prevent their misuse: Attack Surface Reduction rules (ASR rules):
+•	[Block executable content from email client and webmail ](https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference#block-executable-content-from-email-client-and-webmail)
+•	[Block Office applications from creating executable content](https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference#block-office-applications-from-creating-executable-content)
+•	[Block all Office applications from creating child processes](https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference#block-all-office-applications-from-creating-child-processes)
+•	[Block Office communication application from creating child processes](https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference#block-office-communication-application-from-creating-child-processes)
+•	[Block Office applications from injecting code into other processes](https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference#block-office-applications-from-injecting-code-into-other-processes)
+•	[Block execution of potentially obfuscated scripts](https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference#block-execution-of-potentially-obfuscated-scripts)
+•	[Block Win32 API calls from Office macros](https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference#block-win32-api-calls-from-office-macros)
+
+The same for Adobe Reader, use ASR rules:
+•	[Block Adobe Reader from creating child processes](https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference#block-adobe-reader-from-creating-child-processes)
+
 ## Application compatibility list
 
 The following table lists specific products that have compatibility issues with the mitigations that are included in exploit protection. You must disable specific incompatible mitigations if you want to protect the product by using exploit protection. Be aware that this list takes into consideration the default settings for the latest versions of the product.  Compatibility issues can introduced when you apply certain add-ins or other components to the standard software.
@@ -69,7 +100,7 @@ The following table lists specific products that have compatibility issues with
 | DropBox   | EAF  |
 | Excel Power Query, Power View, Power Map and PowerPivot   | EAF  |
 | Google Chrome   | EAF+   |
-| Immidio Flex+   | Cell 4   |
+| Immidio Flex+   | EAF   |
 | Microsoft Office Web Components (OWC)   | System DEP=AlwaysOn  |
 | Microsoft PowerPoint   | EAF   |
 | Microsoft Teams   | EAF+   |
@@ -82,7 +113,37 @@ The following table lists specific products that have compatibility issues with
 
 ǂ EMET mitigations might be incompatible with Oracle Java when they're run by using settings that reserve a large chunk of memory for the virtual machine (that is, by using the -Xms option).
 
-## Enable exploit protection for testing
+## Enable exploit protection system settings for testing
+These Exploit Protection system settings are enabled by default in Windows 10 or later, or Windows Server 2019 or later, or Windows Server, version 1803 core edition or later.
+
+| System settings | Setting |
+| -------- | -------- |
+| Control flow guard (CFG) | Use default (On) |
+| Data Execution Prevention (DEP) | Use default (On) |
+| Force randomization for images (Mandatory ASRL) | Use default (On) |
+| Randomize memory allocations (Bottom-up ASRL) | Use default (On) |
+| High-entropy ASRL | Use default (On) |
+| Validate exception chains (SEHOP) | Use default (On) |
+
+The xml sample is available below
+
+```
+<?xml version="1.0" encoding="UTF-8"?>
+<MitigationPolicy>
+  <SystemConfig>
+    <DEP Enable="true" EmulateAtlThunks="false" />
+    <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="true" />
+    <ControlFlowGuard Enable="true" SuppressExports="false" />
+    <SEHOP Enable="true" TelemetryOnly="false" />
+    <Heap TerminateOnError="true" />
+  </SystemConfig>
+</MitigationPolicy>
+```
+
+## Enable exploit protection program settings for testing
+
+> [!TIP] 
+> We highly recommend to review the modern approach for vulnerability mitigations which is to use the [Attack Surface Reduction rules (ASR rules)](https://learn.microsoft.com/defender-endpoint/attack-surface-reduction) instead.
 
 You can set mitigations in a testing mode for specific programs by using the Windows Security app or Windows PowerShell.
 
