Attack Surface Reduction Rules
We are using WithSecure Elements EPP for Computers Premium. We have also rolled out Attack Surface Reduction rules as per recommendations from Microsoft. We have a PowerShell script to show & confirm that the settings are in ‘block’ mode. However, when we run a test process to check each of the rules, they are not getting blocked.
Does anyone know if there are any settings we can apply to the policies to ensure these rules are applied and the processes blocked? From what I understand Microsoft Defender does this but thought there must be settings that can be applied to other AV systems.
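An added example, not part of the original thread and not the poster's script: a PowerShell diagnostic that separates what is configured from what can be enforced. ASR rules are enforced by Microsoft Defender Antivirus only while it runs as the active antivirus with real-time protection on, so a rule can report "Block" and still not act when a third-party product is the primary AV. It assumes the built-in Defender module is present on the endpoint and that it runs in an elevated session.

```powershell
# Added diagnostic sketch (assumption: built-in Defender PowerShell module is available).
# Action codes used by AttackSurfaceReductionRules_Actions.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# 1. Configured state: rule GUIDs and actions are two index-aligned arrays.
$ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$rules = for ($i = 0; $i -lt $ids.Count; $i++) {
    $code = [int]$actions[$i]
    [pscustomobject]@{
        RuleId = $ids[$i]
        Action = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Unknown ($code)" }
    }
}
$rules | Format-Table -AutoSize

# 2. Enforcement state: 'Normal' means Defender AV is the active antivirus.
#    'Passive Mode' is what Defender reports when another AV product is primary.
$canEnforce = ($status.AMRunningMode -eq 'Normal') -and $status.RealTimeProtectionEnabled
[pscustomobject]@{
    AMRunningMode             = $status.AMRunningMode
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    AsrCanEnforce             = $canEnforce
} | Format-List

# 3. Evidence: event 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
$asrEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue
$asrEvents | Group-Object Id | Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count

if ($rules.Count -gt 0 -and -not $canEnforce) {
    Write-Warning 'ASR rules are configured, but Defender AV is not active with real-time protection, so they will not block.'
}
```

If `AsrCanEnforce` is `False` and no 1121 events appear after a rule test, the configuration is present but nothing is enforcing it on that machine.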
Sethu Laks Posts: 748 Moderator
Attack surface reduction rules target certain software behaviors, such as:
- Launching executable files and scripts that attempt to download or run files
- Running obfuscated or otherwise suspicious scripts
- Performing behaviors that apps don't usually initiate during normal day-to-day work
A similar feature of WithSecure Elements EPP for computers is DeepGuard, which provides behaviour-based and access control protection while monitoring applications to detect potentially harmful changes.
DataGuard monitors a set of folders for potentially harmful changes made by ransomware or other, similar harmful software.
Please check the links below on how to configure both DataGuard and DeepGuard: