Windows 10 New Feature: Windows Defender Exploit Guard

If you recall, Microsoft has a free security add-on tool called Enhanced Mitigation Experience Toolkit (EMET) that helps IT Professionals and users block attackers from gaining access to their systems through common attacks. It includes about 15 security mitigation technologies that complement other defense security applications, such as Windows Defender and other antivirus software. While it works relatively well, mitigating attacks on an application level, Microsoft has decided to end EMET on January 27, 2017. There will be no plans to offer support or security patching for EMET after July 13, 2018.

Quite sad for such an effective software. But once again, Microsoft has listened to the feedbacks from EMET customers and decided to migrate EMET directly into Windows with a new feature called Windows Defender Exploit Guard (WDEG) where you can audit, configure, and manage Windows system and application exploit mitigations right from the Windows Defender Security Center. The feature will be available will be available on every Windows 10 PC running the Fall Creators Update.

If you are Windows Insider, here is how you can start trying out WDEG today.

Open the Windows Defender Security Center by right-clicking the WDEG icon in the notification area on eh taskbar and clicking Open.

You can also search the Start menu for “Windows Defender Security Center” as well.

Then, click on App & browser control tab, the last second one on the left. The Exploit protection section is the last one on the right pane.

Click on Exploit protect settings to see the detail settings for exploit protection. There are six types of protections in place under System settings.

  • Control flow guard (CFG) – ensures control flow integrity for indirect calls.
  • Data Execution Prevention (DEP) – prevents code from being run from data-only memory pages.
  • Force randomization for images (Mandatory ASLR) – forces relocation of images not compiled with /DYNNAMICBASE.
  • Randomize memory allocations (Bottom-up ASLR)
  • Validate exception chains – ensures the integrity of an exception chain during dispatch.
  • Validate heap integrity – terminates a process when heap corruption is detected.

And of course, the same legacy app protections that EMET has are also available under Program settings. You will find all installed applications listed in there. Clicking on any one of them expands to two more options. The Edit menu is where you can find all the mitigations similar to EMET.

Note that to prevent possible compatibility, performance, and stability issues, Windows will automatically block or remove EMET on Windows 10 systems starting with Windows 10 Fall Creators Update.