Windows Defender Exploit Guard runs all the security benefits necessary to keep intrusion threats at bay. A characteristic feature of this tool is ‘Exploit Protection’. It automatically applies to many exploit mitigation techniques. This capability can be tested inside the Windows Defender Security Center under App & browser control > Exploit protection. By accessing the Exploit protection settings, you can control system-wide settings and program-specific overrides. Let us learn how to configure, and manage Windows system and application exploit mitigations using Windows Defender Exploit Guard (WDEG).
Windows Defender Exploit Guard (WDEG)
Exploit Guard can be found in the Security Analytics dashboard of the Windows Defender ATP console. Its primary function is to enable enterprises to view how the feature is configured across their device and to drive compliance with recommendations based on best practice security configurations.
You can configure Windows Exploit Guard for,
- Attack surface reduction
- Exploit Protection
- Network Protection
- Controlled Folder Access
All the Windows Defender Exploit Guard components can be readily managed by
- Group Policy (GP)
- System Center Configuration Manager (SCCM)
- Mobile Device Management (MDM) such as Microsoft Intune.
These components can run in both Audit and Block modes. If any instance of malicious behavior is observed, when Block mode is enabled, Windows Defender Exploit Guard automatically blocks the event from occurring in real-time.
By default, Block events for Attack Surface Reduction, Controlled folder access, and Network Protection instantly display a toast notification in real-time as well as an event log that can be centrally viewed by security operations personnel in the Windows Defender Advanced Threat Protection (WD ATP) console.
The Audit Mode detects the possibility of an occurrence of an event if it would have occurred and conveys that information to the event log and WD ATP console. This helps enterprises customers to evaluate how a rule or feature within Windows Defender Exploit Guard would perform in their enterprise which in turn helps in the decision-making process of determining whether exclusions are required to set up.
Configure Windows Defender Exploit Guard for mitigations
While only a few mitigations can be applied at the operating system level. All mitigations can be configured for individual apps.
As always, you can set value for each of the mitigations to either on/off, or to their default value.
The default values are always specified in brackets at the ‘Use default’ option for each mitigation. In the screenshot provided below, the default for Data Execution Prevention is “On”.
By and large, the use of default configuration for each of the mitigation settings is advised for offering a base level of protection, especially for daily usage by home users. For Enterprise deployments, it is advisable to consider the protection features suitable to individual needs.
The best part about using Windows Defender Exploit Guard is that you can take advantage of its settings even if you’re running third-party antivirus.