
Windows Defender: A Function That Reduces The Attack Surface

The Defender’s hidden function is called ASR, which allows you to reduce the attack points that attackers can use to load malicious code on Windows systems. We know that large companies are particularly prone to name changes that cause some confusion among users. Windows Defender is a system protection solution integrated into the various versions of the Microsoft operating system. 

Having already undergone a name change, Windows Defender is commonly associated with the Windows Security window in Windows 10 and Windows 11: it forms its interface. While the Windows Defender moniker remains ingrained in users’ memory, the integrated system protection solution has recently been renamed Microsoft Defender. 

From June 2022, the Redmond company began to use the expression Microsoft Defender to refer to the paid solution made available to Microsoft 365 subscribers, which lets you manage and defend a set of devices with a centralized (cloud-based) approach. As we have already seen, Microsoft Defender does not become a paid product: the version offered by default in Windows 10, Windows 11, and Windows Server remains usable on a single system without paying any subscription fee.

Reduce Your Attack Surface With Defender ASR

A cyber attack can take advantage of various weak points inside a company or a professional office, or exploit any carelessness at home. The attack points used by attackers remain, for example, malicious scripts, executables, or macros embedded in Office documents.

Other possible entry points for an infection are web browsers and widely used programs such as Adobe Reader, which suffers from vulnerabilities that are periodically fixed by the developers but which, unfortunately, can remain exploitable (because the user doesn't install the corrective patches).

In addition to the measures that system administrators can take by properly configuring individual applications, Defender provides an extra layer of security. Office macros can be restricted with the help of Group Policy, but the Defender rules that reduce the attack surface help to improve the situation further.

ASR, or Attack Surface Reduction, is a mechanism that restricts the "freedom of action" of the various applications used in Windows, preventing a malicious process from exploiting them to cause damage and move laterally by infecting other devices connected to the local network.

Attack surface reduction is included in paid products, such as Defender for Endpoint, and is also part of Windows 10, 11, and Windows Server. However, some rules are not supported in older operating system versions. The main disadvantage of the free Windows Defender is the limited options for managing ASR functions and the reporting limitations.

By typing Windows Security in the operating system search box, you access a very simplified configuration window that doesn't let you configure the behavior of Windows Defender or Microsoft Defender in detail, if you prefer.

The very interesting aspect is that, using the Group Policy Editor (gpedit.msc) or PowerShell, you can activate the Windows Defender ASR protection on Windows 10 and 11. To simplify things and activate the attack surface reduction defenses through a graphical interface, we suggest that you proceed as follows:

  1. Download and install the free DefenderUI program – this graphical interface exposes all the advanced features of Windows Defender.
  2. Start DefenderUI, then choose the Recommended security profile (the first in the list). Acting on the drop-down menu in the title bar, you can translate the program interface into Italian.
  3. By clicking on the ASR Rules tab, you can verify that all the main attack surface reduction protections have been enabled.

DefenderUI does not need to remain running: the application only makes some “behind the scenes” changes to the Windows Defender configuration, so once everything is set, close the program.

What protections does Windows Defender ASR offer?

Excellent software like DefenderUI helps you set a series of rules with a simple click:

  1. Block executable files from running unless they meet a prevalence, age, or trusted list criteria 01443614-cd74-433a-b99e-2ecdc07bfc25 DISABLED
  2. Prevent Microsoft Office components from creating child processes 26190899-1602-49e8-8b27-eb1d0a1ce869 ENABLED
  3. Prevent Office applications from creating executable content 3b576869-a4ec-4529-8536-b80a7769e899 ENABLED
  4. Block abuse of vulnerable signed drivers 56a863a9-875e-4185-98a7-b882c64b5ce5 SHOW WARNING
  5. Block execution of potentially obfuscated scripts 5beb7efe-fd9a-4556-801d-275e5ffc04cc ENABLED
  6. Prevent Office applications from injecting code into other processes 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 ENABLED
  7. Prevent Adobe Reader from creating child processes 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c ENABLED
  8. Block Win32 API calls from Office macros 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b ENABLED
  9. Block credential theft from Windows LSASS subsystem 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 DISABLED
  10. Block untrusted and unsigned processes run from USB b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 ENABLED
  11. Block executable content from email clients and Webmail be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 ENABLED
  12. Use advanced ransomware protection c1db55ab-c21a-4637-bb3f-a12568109d35 ENABLED
      This rule uses client and cloud heuristics to determine if a file’s behavior is comparable to ransomware. Files already listed as harmless in the Microsoft cloud, files with a valid digital signature, and files that are so widespread that they are not considered ransomware are not blocked. The rule tends to err on the side of caution for preventive purposes (it turns out to be rather strict).
  13. Block creation of processes originating from PSExec and WMI commands d1e49aac-8f56-4280-b9ba-993a6d77406c DISABLED
  14. Block loading of JavaScript and VBScript code from downloaded executable content d3e037e1-3eb8-44c8-a917-57927947596d ENABLED
  15. Prevent all Office applications from creating child processes d4f940ab-401b-4efc-aadc-ad5f3c50688a ENABLED
  16. Block persistence by subscribing to WMI events e6db77e5-3df2-4cf1-b95a-636979351e5b ENABLED

After clicking on the Recommended security profile in DefenderUI, Windows Defender is set up as listed above. DefenderUI automatically enables the rules that we have marked as enabled. The rule where SHOW WARNING appears causes Windows Defender to show an alert message but lets the user decide how to proceed.

By opening a PowerShell window with administrator rights (press Windows+X then choose Windows PowerShell (administrator) or Terminal Admin ) and typing the following, you can check the settings applied by DefenderUI to each rule:

  1. Get-MpPreference | Select-Object AttackSurface* -ExpandProperty AttackSurfaceReductionRules_Ids
  2. Get-MpPreference | Select-Object AttackSurface* -ExpandProperty AttackSurfaceReductionRules_Actions

The long alphanumeric identifiers obtained with the first command correspond to the above ASR rules. System administrators can optionally set the various rules by hand using the following command:

Add-MpPreference -AttackSurfaceReductionRules_Ids identifier -AttackSurfaceReductionRules_Actions Enabled

In place of identifier, specify the long alphanumeric ID of the rule to be configured; Enabled can be replaced with Disabled or Warn. More information can be found in the Microsoft documentation on enabling attack surface reduction rules.
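To see at a glance which of the rules listed above are not enforced, the parallel ID and action arrays returned by Get-MpPreference can be joined and labelled. The PowerShell script below is an added example, not part of the original article or of DefenderUI; the short rule labels, the function name Get-AsrRuleState, the constructed fallback sample, and action code 2 (audit) are assumptions that do not appear in the article.

```powershell
# Added example (not from the article or DefenderUI). Rule GUIDs follow the list
# above; action code 2 (audit) is not in the article but Defender can report it.
$ruleNames = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Executables: prevalence/age/trusted list'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Office components: child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Office: executable content'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Vulnerable signed drivers'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Obfuscated scripts'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Office: code injection'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Adobe Reader: child processes'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Office macros: Win32 API calls'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'LSASS credential theft'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Untrusted/unsigned processes from USB'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Executable content from email/webmail'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Advanced ransomware protection'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'PSExec/WMI process creation'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'JavaScript/VBScript from downloaded content'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'All Office apps: child processes'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'WMI event subscription persistence'
}
$actionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([string[]]$Ids = @(), [int[]]$Actions = @())
    # The two arrays are parallel: Actions[i] is the action for Ids[i].
    $configured = @{}
    $count = [Math]::Min($Ids.Count, $Actions.Count)
    for ($i = 0; $i -lt $count; $i++) { $configured[$Ids[$i].ToLower()] = $Actions[$i] }
    foreach ($id in ($ruleNames.Keys | Sort-Object)) {
        $state = 'Not configured'
        if ($configured.ContainsKey($id)) {
            $code  = $configured[$id]
            $state = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Unknown ($code)" }
        }
        [pscustomobject]@{ State = $state; Rule = $ruleNames[$id]; Id = $id }
    }
}

if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $pref = Get-MpPreference
    $ids, $actions = $pref.AttackSurfaceReductionRules_Ids, $pref.AttackSurfaceReductionRules_Actions
} else {
    # Constructed sample for machines without the Defender module.
    $ids     = '56A863A9-875E-4185-98A7-B882C64B5CE5', 'c1db55ab-c21a-4637-bb3f-a12568109d35'
    $actions = 6, 1
}
Get-AsrRuleState -Ids $ids -Actions $actions | Where-Object State -ne 'Enabled' | Format-Table -AutoSize
```

The output lists only the rules that are disabled, in warn or audit mode, or absent from the configuration, which are the ones worth reviewing after applying a profile.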

By starting the Windows Local Group Policy Editor (press Windows+R, then type gpedit.msc), you can enable the various ASR rules by following an alternative route. Click on Computer Configuration, Administrative Templates, Windows Components, Microsoft Defender Antivirus, Microsoft Defender Exploit Guard, and Attack Surface Reduction.

By double-clicking on Configure Attack Surface Reduction rules in the right panel, then on Enabled, and then on the Show button, you can specify the alphanumeric identifiers listed previously under the Value name column. In the Value column, you should instead indicate 1 for Enabled, 0 for Disabled, and 6 for Warn.
