Network Protection
Controlled Folder Access
Exploit Protection
Attack Surface Reduction

One of the significant capabilities, as mentioned above, is Attack Surface Reduction, which guards against the common actions of malicious software that executes itself on Windows 11/10 devices. Let us understand what Attack Surface Reduction is and why it is so important.

Windows Defender Attack Surface Reduction feature

Emails and Office applications are the most crucial part of any enterprise’s productivity. They are also the easiest way for cyber attackers to enter its PCs and networks and install malware. Hackers can directly use Office macros and scripts to perform exploits that operate entirely in memory and are often undetectable by traditional antivirus scans. The worst thing is that for malware to get in, it only takes the user enabling macros on a legitimate-looking Office file or opening an email attachment, and the machine can be compromised. This is where Attack Surface Reduction comes to the rescue.

Advantages of Attack Surface Reduction

Attack Surface Reduction offers a set of built-in intelligence that can block the underlying behaviors used by these malicious documents to execute, without hindering productive scenarios. By blocking malicious behaviors independent of the specific threat or exploit, Attack Surface Reduction can protect enterprises from never-before-seen zero-day attacks and balance their security risk and productivity requirements.

ASR covers three main behaviors:

For Office apps, the Attack Surface Reduction rule can:

Often, malicious Office macros infect a PC by injecting and launching executables. Attack Surface Reduction can protect against this, and also against DDEDownloader, which has lately infected PCs across the world. This exploit uses the Dynamic Data Exchange popup in Office documents to run a PowerShell downloader by creating a child process, which the ASR rule efficiently blocks!

For the script, the Attack Surface Reduction rule can:

Block malicious JavaScript, VBScript, and PowerShell code that has been obfuscated
Block JavaScript and VBScript from executing payloads downloaded from the internet

For email, ASR can:

Block execution of executable content dropped from email (webmail/mail-client)

Nowadays, there has been a significant increase in spear-phishing, and even an employee’s personal emails are targeted. ASR enables enterprise administrators to apply file policies to personal email, for both webmail and mail clients, on company devices for protection from threats.

How Attack Surface Reduction works

ASR works through rules, each identified by its unique rule ID. The state or mode of each rule can be configured with any of the following:

Group Policy
PowerShell
MDM CSPs

These can be used when only some rules are to be enabled, or when rules are to be enabled in individual modes. For any line-of-business applications running within your enterprise, there is the capability to customize file- and folder-based exclusions if your applications include unusual behaviors that may be impacted by ASR detection. Attack Surface Reduction requires Windows Defender Antivirus to be the main AV and the real-time protection feature to be enabled. The Windows 10 Security baseline suggests that most of the rules mentioned above should be enabled in block mode to secure your devices from threats! To know more, you may visit docs.microsoft.com.
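The PowerShell route described above, as an added example that is not from the article or from Microsoft: it checks the prerequisites the article names, stages the Office, script and email rules in audit mode, adds an ASR-only exclusion for a line-of-business app (the path is a placeholder), and reads the state back. The rule GUIDs are Microsoft's documented identifiers as this editor knows them; confirm them against the current ASR rule reference before deploying.

```powershell
# Run from an elevated PowerShell on a device where Defender is the active AV.
# Rule GUIDs below are Microsoft's published identifiers for the rules the article
# discusses; verify them against the current docs before rolling out.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}

# Prerequisite from the article: Defender AV must be the active engine with real-time protection on.
$status = Get-MpComputerStatus
if (-not ($status.AMServiceEnabled -and $status.RealTimeProtectionEnabled)) {
    throw 'Microsoft Defender Antivirus with real-time protection must be active before ASR rules take effect.'
}

# Stage every rule in AuditMode first: matches are logged but nothing is blocked,
# which is how you find line-of-business apps the rules would interfere with.
foreach ($id in $AsrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# Placeholder LOB path (hypothetical): exempt it from ASR only, not from AV scanning.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\ExampleLOB\lobapp.exe'

# Read the configured state back; Ids and Actions are parallel arrays (0=Disabled, 1=Block, 2=Audit, 6=Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $ruleId = $pref.AttackSurfaceReductionRules_Ids[$i]
    $action = switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
        0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
    }
    $name = if ($AsrRules.ContainsKey($ruleId)) { $AsrRules[$ruleId] } else { 'rule not managed by this script' }
    '{0,-38} {1,-8} {2}' -f $ruleId, $action, $name
}

# ASR events land in the Defender operational log: 1122 = rule audited, 1121 = rule blocked.
# Review these during the audit period, then move a clean rule to block mode with:
#   Set-MpPreference -AttackSurfaceReductionRules_Ids <GUID> -AttackSurfaceReductionRules_Actions Enabled
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

Group Policy and MDM CSP deployments set the same rule IDs and modes; this script is the per-device equivalent for testing before a baseline rollout.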