{
	"id": "ee87748a-9ef5-47cb-8d4a-58172e457663",
	"created_at": "2026-04-06T00:13:58.817611Z",
	"updated_at": "2026-04-10T13:12:57.762771Z",
	"deleted_at": null,
	"sha1_hash": "a9053f4707ab237cf6b709ae3804c20ff94db609",
	"title": "Use attack surface reduction rules to prevent malware infection - Microsoft Defender for Endpoint",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 190598,
	"plain_text": "Use attack surface reduction rules to prevent malware infection -\r\nMicrosoft Defender for Endpoint\r\nBy limwainstein\r\nArchived: 2026-04-05 18:22:20 UTC\r\nWhy attack surface reduction rules are important\r\nYour organization's attack surface includes all the places where an attacker could compromise your organization's\r\ndevices or networks. Reducing your attack surface means protecting your organization's devices and network,\r\nwhich leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in\r\nMicrosoft Defender for Endpoint can help!\r\nAttack surface reduction rules target certain software behaviors, such as:\r\nLaunching executable files and scripts that attempt to download or run files\r\nRunning obfuscated or otherwise suspicious scripts\r\nPerforming behaviors that apps don't usually initiate during normal day-to-day work\r\nSuch software behaviors are sometimes seen in legitimate applications. However, these behaviors are often\r\nconsidered risky because they're commonly abused by attackers through malware. 
Attack surface reduction rules\r\ncan constrain software-based risky behaviors and help keep your organization safe.\r\nFor a sequential, end-to-end process of how to manage attack surface reduction rules, see:\r\nAttack surface reduction rules deployment overview\r\nPlan attack surface reduction rules deployment\r\nTest attack surface reduction rules\r\nEnable attack surface reduction rules\r\nOperationalize attack surface reduction rules\r\nPrerequisites\r\nSupported operating systems\r\nWindows\r\nAssess rules before deployment\r\nYou can assess how an attack surface reduction rule might affect your network by opening the security\r\nrecommendation for that rule in Microsoft Defender Vulnerability Management.\r\nhttps://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction\r\nPage 1 of 6\n\nIn the recommendation details pane, check for user impact to determine what percentage of your devices can\r\naccept a new policy enabling the rule in blocking mode without adversely affecting productivity.\r\nSee Requirements in the \"Enable attack surface reduction rules\" article for information about supported operating\r\nsystems and other requirement information.\r\nAudit mode for evaluation\r\nAudit mode\r\nUse audit mode to evaluate how attack surface reduction rules would affect your organization if enabled. Run all\r\nrules in audit mode first so you can understand how they affect your line-of-business applications. 
Many line-of-business applications are written with limited security concerns, and they might perform tasks in ways that seem\r\nsimilar to malware.\r\nExclusions\r\nBy monitoring audit data and adding exclusions for necessary applications, you can deploy attack surface\r\nreduction rules without reducing productivity.\r\nPer-rule exclusions\r\nFor information about configuring per-rule exclusions, see Configure attack surface reduction per-rule exclusions.\r\nWarn mode for users\r\nWhenever an attack surface reduction rule blocks content, users see a dialog box that indicates the content is\r\nblocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action,\r\nand the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then\r\nblocking resumes.\r\nWarn mode helps your organization have attack surface reduction rules in place without preventing users from\r\naccessing the content they need to perform their tasks.\r\nRequirements for warn mode to work\r\nWarn mode is supported on devices running the following versions of Windows:\r\nWindows 10, version 1809 or later\r\nWindows 11\r\nWindows Server, version 1809 or later\r\nMicrosoft Defender Antivirus must be running with real-time protection in Active mode.\r\nAlso, make sure Microsoft Defender Antivirus and anti-malware updates are installed.\r\nMinimum platform release requirement: 4.18.2008.9\r\nMinimum engine release requirement: 1.1.17400.5\r\nFor more information and to get your updates, see Update for Microsoft Defender anti-malware platform.\r\nCases where warn mode isn't supported\r\nWarn mode isn't supported for three attack surface reduction rules when you configure them in Microsoft Intune.\r\n(If you use Group Policy to configure your attack surface reduction rules, warn mode is supported.) 
The three\r\nrules that don't support warn mode when you configure them in Microsoft Intune are as follows:\r\nBlock JavaScript or VBScript from launching downloaded executable content (GUID d3e037e1-3eb8-44c8-a917-57927947596d)\r\nBlock persistence through WMI event subscription (GUID e6db77e5-3df2-4cf1-b95a-636979351e5b)\r\nUse advanced protection against ransomware (GUID c1db55ab-c21a-4637-bb3f-a12568109d35)\r\nAlso, warn mode isn't supported on devices running older versions of Windows. In those cases, attack surface\r\nreduction rules that are configured to run in warn mode run in block mode.\r\nNotifications and alerts\r\nWhenever an attack surface reduction rule is triggered, a notification is displayed on the device. You can\r\ncustomize the notification with your company details and contact information.\r\nAlso, when certain attack surface reduction rules are triggered, alerts are generated.\r\nNotifications and any alerts that are generated can be viewed in the Microsoft Defender portal.\r\nFor specific details about notification and alert functionality, see: Per rule alert and notification details, in the\r\narticle Attack surface reduction rules reference.\r\nAdvanced hunting and attack surface reduction events\r\nYou can use advanced hunting to view attack surface reduction events. To streamline the volume of incoming\r\ndata, only unique processes for each hour are viewable with advanced hunting. The time of an attack surface\r\nreduction event is the first time that event is seen within the hour.\r\nFor example, suppose that an attack surface reduction event occurs on 10 devices during the 2:00 PM hour.\r\nSuppose that the first event occurred at 2:15, and the last at 2:45. 
With advanced hunting, you see one instance of\r\nthat event (even though it actually occurred on 10 devices), and its timestamp is 2:15 PM.\r\nFor more information about advanced hunting, see Proactively hunt for threats with advanced hunting.\r\nAttack surface reduction features across Windows versions\r\nYou can set attack surface reduction rules for devices that are running any of the following editions and versions\r\nof Windows:\r\nWindows 10 Pro, version 1709 or later\r\nWindows 10 Enterprise, version 1709 or later\r\nWindows 11 Pro, version 21H2 or later\r\nWindows 11 Enterprise, version 21H2 or later\r\nWindows Server, version 1803 (Semi-Annual Channel) or later\r\nWindows Server 2025\r\nWindows Server 2022\r\nWindows Server 2019\r\nWindows Server 2016\r\nWindows Server 2012 R2\r\nAzure Stack HCI OS, version 23H2 and later\r\nAlthough attack surface reduction rules don't require a Windows E5 license, if you have Windows E5, you get\r\nadvanced management capabilities. The advanced capabilities - available only in Windows E5 - include:\r\nThe monitoring, analytics, and workflows available in Defender for Endpoint\r\nThe reporting and configuration capabilities in Microsoft Defender XDR.\r\nThese advanced capabilities aren't available with a Windows Professional or Windows E3 license. 
However, if you\r\ndo have those licenses, you can use Event Viewer and Microsoft Defender Antivirus logs to review your attack\r\nsurface reduction rule events.\r\nReview attack surface reduction events in the Microsoft Defender portal\r\nDefender for Endpoint provides detailed reporting for events and blocks as part of alert investigation scenarios.\r\nYou can query Defender for Endpoint data in Microsoft Defender XDR by using advanced hunting.\r\nHere's an example query:\r\nDeviceEvents\r\n| where ActionType startswith 'Asr'\r\nReview attack surface reduction events in Windows Event Viewer\r\nYou can review the Windows event log to view events generated by attack surface reduction rules:\r\n1. Download the Evaluation Package and extract the file cfa-events.xml to an easily accessible location on the\r\ndevice.\r\n2. Enter the words, Event Viewer, into the Start menu to open the Windows Event Viewer.\r\n3. Under Actions, select Import custom view....\r\n4. Select the file cfa-events.xml from where it was extracted. Alternatively, copy the XML directly.\r\n5. Select OK.\r\nYou can create a custom view that filters events to only show the following events, all of which are related\r\nto controlled folder access:\r\nEvent ID Description\r\n5007 Event when settings are changed\r\n1121 Event when rule fires in Block-mode\r\n1122 Event when rule fires in Audit-mode\r\nDefender for Endpoint generates the \"engine version\" that's listed in the event log for attack surface reduction. The\r\noperating system doesn't generate this version. 
Defender for Endpoint is integrated with Windows 10 and\r\nWindows 11, so this feature works on all devices with Windows 10 or Windows 11 installed.\r\nSee also\r\nAttack surface reduction rules deployment overview\r\nPlan attack surface reduction rules deployment\r\nTest attack surface reduction rules\r\nEnable attack surface reduction rules\r\nOperationalize attack surface reduction rules\r\nAttack surface reduction rules report\r\nExclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus\r\nSource: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction"
	],
	"report_names": [
		"attack-surface-reduction"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434438,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a9053f4707ab237cf6b709ae3804c20ff94db609.pdf",
		"text": "https://archive.orkl.eu/a9053f4707ab237cf6b709ae3804c20ff94db609.txt",
		"img": "https://archive.orkl.eu/a9053f4707ab237cf6b709ae3804c20ff94db609.jpg"
	}
}