Windows Defender ATP Attack Surface Reduction

Learn how to use ATP ASR rules on Windows Defender to significantly improve your security with a few basic rules

Microsoft has made big advances with the Windows Defender technology shipped on Windows 10 and Windows Server 2016.

One of the more important features is the Attack Surface Reduction Rules or ASR.

Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, OneNote, or to Outlook.

Except where specified, attack surface reduction rules don't apply to any other Office apps.

Block executable content from email client and webmail

This rule blocks the following file types from launching from email in Microsoft Outlook or and other popular webmail providers:

  • Executable files (such as .exe, .dll, or .scr)
  • Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)

Block all Office applications from creating child processes

This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.

This is a typical malware behavior, especially malware that abuses Office as a vector, using VBA macros and exploit code to download and attempt to run additional payload. Some legitimate line-of-business applications might also use behaviors like this, including spawning a command prompt or using PowerShell to configure registry settings.

Block Office applications from creating executable content

This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content.

This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk.

Block Office applications from injecting code into other processes

Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process. This rule blocks code injection attempts from Office apps into other processes. There are no known legitimate business purposes for using code injection.

This rule applies to Word, Excel, and PowerPoint.

Block JavaScript or VBScript from launching downloaded executable content

Malware often uses JavaScript and VBScript scripts to launch other malicious apps.

Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers. You can exclude scripts so they're allowed to run.

File and folder exclusions don't apply to this attack surface reduction rule

Block execution of potentially obfuscated scripts

Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated script.

Block Win32 API calls from Office macros

Office VBA provides the ability to use Win32 API calls, which malicious code can abuse. Most organizations don't use this functionality, but might still rely on using other macro capabilities. This rule allows you to prevent using Win32 APIs in VBA macros, which reduces the attack surface.

Block executable files from running unless they meet a prevalence, age, or trusted list criterion

This rule blocks the following file types from launching unless they either meet prevalence or age criteria, or they're in a trusted list or exclusion list:

  • Executable files (such as .exe, .dll, or .scr)

You must enable cloud protection to use this rule 

The rule Block executable files from running with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.

You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.

Use advanced protection against ransomware

This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list.

You must enable cloud protection to use this rule.

Block credential stealing from the Windows local security authority subsystem (lsass.exe)

Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.


This rule can generate a lot of noise

In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log.

If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. 

Block process creations originating from PSExec and WMI commands

This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.

File and folder exclusions do not apply to this attack surface reduction rule

Block untrusted and unsigned processes that run from USB

With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include:

  • Executable files (such as .exe, .dll, or .scr)
  • Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)

Block Office communication application from creating child processes

This rule prevents Outlook from creating child processes. It protects against social engineering attacks and prevents exploit code from abusing a vulnerability in Outlook. To achieve this, the rule prevents the launch of additional payload while still allowing legitimate Outlook functions. It also protects against Outlook rules and forms exploits that attackers can use when a user's credentials are compromised.

This rule applies to Outlook and 

Block Adobe Reader from creating child processes

Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes.

Block persistence through WMI event subscription

Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. With this rule, admins can prevent threats that abuse WMI to persist and stay hidden in WMI repository.