Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

Windows 10 Exploit Guard Boosts Endpoint Defenses

Courtesy of the Windows Defender Exploit Guard that ships with Windows 10 Fall Creators Update, systems running Microsoft’s Windows 10 operating system can fend off emerging threats, Microsoft says.

Courtesy of the Windows Defender Exploit Guard that ships with Windows 10 Fall Creators Update, systems running Microsoft’s Windows 10 operating system can fend off emerging threats, Microsoft says.

In June this year, Microsoft revealed that Windows Defender Exploit Guard will make the Enhanced Mitigation Experience Toolkit (EMET) native to Windows 10, and that it would also provide users with additional vulnerability mitigations.

Taking advantage of Microsoft Intelligent Security Graph (ISG), the Exploit Guard was designed to protect organizations from advanced threats, including zero day exploits. The tool contains four components: Attack Surface Reduction, Network protection, Controlled folder access, and Exploit protection.

Attack Surface Reduction (ASR), which is inherited from EMET, is a set of controls providing enterprises with protection from getting infected with malware by blocking Office-, script-, and email-based threats. ASR, Microsoft claims, can block the underlying behavior of malicious documents (such as Office files with malicious macros or malware-laden emails attachments) without hindering productive scenarios.

“By blocking malicious behaviors independent of what the threat or exploit is, ASR can protect enterprises from never before seen zero-day attacks like the recently discovered CVE-2017-8759, CVE-2017-11292, and CVE-2017-11826,” the company says.

When it comes to Office apps, ASR can block them from creating executable content, from launching child processes, and from injecting into processes, but can also block Win32 imports from macro code in Office and prevent obfuscated macro code from executing.

It can also block JavaScript, VBScript, and PowerShell codes that have been obfuscated and can prevent scripts from executing payload downloaded from Internet, in addition to blocking the execution of executable content dropped from email (webmail/mail-client).

For increased Network protection, Exploit Guard leverages data from ISG to vet, and if necessary block, all outbound connections before they are made, thus preventing malware to connect with a command-and-control server (C&C). The outbound network traffic is evaluated based on hostname and IP address-related reputation intelligence.

“Regardless if the outbound call is to phishing, socially engineered malware, or a C&C website, or if the call originates from a browser or a background process, network protection can intercept and kill the connection. These filtering capabilities can also augment and work in concert with similar protection capabilities from others security solutions, browsers, etc,” Microsoft notes.

Controlled folder access, first included in Windows 10 in Insider Preview Build 16232, was meant to monitor the changes applications make to files located in certain protected folders. It can lock down critical folders and allow only authorized apps to access them.

Thus, unauthorized apps, malicious and suspicious executable files, DLLs, scripts, and other programs will be denied access to the protected folders. This should prevent the encryption of files by ransomware, which usually target precious data such as documents, precious photos and videos, and other important files.

“By default, Controlled folder access protects common folders where documents and other important data are stored, but it’s also flexible. You can add additional folders to protect, including those on other drives. You can also allow apps that you trust to access protected folders, so if you’re using unique or custom app, your normal everyday productivity will be not affected,” Microsoft explains.

The exploit protection included in Windows Defender Exploit Guard, the company notes, represents a suite of vulnerability mitigation and hardening techniques that have been built directly into Windows 10. These represent the former EMET and are automatically configured and applied on the machines installing Windows 10 Fall Creators Update.

“To make the process of migrating to Exploit Protection and Windows Defender Exploit Guard easier, there is a PowerShell module that converts EMET XML settings files into Windows 10 mitigation policies for Exploit Guard. This PowerShell module also provides an additional interface for Windows Defender Security Center to configure its mitigation settings,” Microsoft says.

Management of the Windows Defender Exploit Guard components can be performed through Group Policy (GP), System Center Configuration Manager (SCCM), and Mobile Device Management (MDM) such as Microsoft Intune, the company reveals. Exploit Guard is also present in the Security Analytics dashboard of the Windows Defender ATP console.

Related: Microsoft Tackles Ransomware with Controlled Folder Access

Related: Microsoft to Make EMET Native to Windows 10

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

CISO Strategy

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Endpoint Security

The Zero Day Dilemma

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Less than a week after patching critical security defects affecting multiple enterprise-facing products, VMware is warning that one of the flaws is being exploited...