Details
This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps1, Visual Basic .vbs, or JavaScript .js file)
- Script archive files
Solution
Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Windows Defender Exploit Guard -> Attack Surface Reduction -> ‘Configure Attack Surface Reduction rules’ to ‘Enabled’. Click ‘Show…’. Set the Value name to ‘BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550’ and the Value to ‘1’.
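To confirm the setting took effect on a host, the following added example (not part of the original audit item) reads the Attack Surface Reduction rule list that Windows Defender reports through Get-MpPreference and checks the rule GUID from the Solution. The function name Get-AsrRuleState and the sample data at the end are constructed for illustration. The action codes 0, 2 and 6 (off, audit, warn) are standard ASR values that this page does not list; only 1 (block) satisfies the control.

```powershell
# Added example: report the state of the ASR rule named in the Solution.
$RuleId = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'   # GUID from the Solution text

function Get-AsrRuleState {
    # Hypothetical helper: $Ids and $Actions are parallel arrays, in the
    # shape returned by Get-MpPreference.
    param(
        [string]   $RuleId,
        [string[]] $Ids,
        [int[]]    $Actions
    )
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; ($i -lt $Ids.Count) -and ($i -lt $Actions.Count); $i++) {
        if ($Ids[$i] -ieq $RuleId) {          # GUID comparison is case-insensitive
            $action = $Actions[$i]
            $state  = if ($names.ContainsKey($action)) { $names[$action] } else { "Unknown($action)" }
            return [pscustomobject]@{
                RuleId    = $RuleId
                Action    = $action
                State     = $state
                Compliant = ($action -eq 1)   # the control requires Value '1'
            }
        }
    }
    # Rule GUID absent from the list: the rule is not configured at all.
    [pscustomobject]@{ RuleId = $RuleId; Action = $null; State = 'NotConfigured'; Compliant = $false }
}

# Live check, only where the Defender cmdlets are available.
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $pref = Get-MpPreference
    Get-AsrRuleState -RuleId $RuleId `
        -Ids $pref.AttackSurfaceReductionRules_Ids `
        -Actions $pref.AttackSurfaceReductionRules_Actions
}

# Constructed sample: the rule is present but in audit mode, which logs
# the launch without blocking it and so does not meet the control.
Get-AsrRuleState -RuleId $RuleId -Ids @('be9ba2d9-53ea-4cdc-84e5-9b1eeee46550') -Actions @(2)
```

A host where the rule is in audit or warn mode shows the GUID as configured, so checking for the GUID's presence alone is not enough; the action value must be 1.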
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Windows.
References
- 800-53|SC-18(4)
- CAT|II
- CCI|CCI-001170
- Rule-ID|SV-213456r569189_rule
- STIG-ID|WNDF-AV-000032
- STIG-Legacy|SV-92661
- STIG-Legacy|V-77965
- Vuln-ID|V-213456