How Windows Defender’s New Exploit Protection Works (and How to Configure It)


Microsoft’s Fall Creators Update finally adds integrated exploit protection to Windows. You previously had to seek this out in the form of Microsoft’s EMET tool. It’s now part of Windows Defender and is activated by default.

How Windows Defender’s Exploit Protection Works

We’ve long recommended using anti-exploit software like Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) or the more user-friendly Malwarebytes Anti-Malware, which contains a powerful anti-exploit feature (among other things). Microsoft’s EMET is widely used on larger networks where it can be configured by system administrators, but it was never installed by default, required configuration, and had a confusing interface for average users.

Typical antivirus programs, like Windows Defender itself, use virus definitions and heuristics to catch dangerous programs before they can run on your system. Anti-exploit tools actually prevent many popular attack techniques from functioning at all, so those dangerous programs don’t get on your system in the first place. They enable certain operating system protections and block common memory exploit techniques, so that if exploit-like behavior is detected, they’ll terminate the process before anything bad happens. In other words, they can protect against many zero-day attacks before the underlying vulnerabilities are patched.

However, they could potentially cause compatibility problems, and their settings might have to be tweaked for different programs. That’s why EMET was generally used on enterprise networks, where system administrators could tweak the settings, and not on home PCs.

Windows Defender now includes many of these same protections, which were originally found in Microsoft’s EMET. They’re enabled by default for everyone, and are part of the operating system. Windows Defender automatically configures appropriate rules for different processes running on your system. (Malwarebytes still claims their anti-exploit feature is superior, and we still recommend using Malwarebytes, but it’s good that Windows Defender has some of this built-in now as well.)

This feature is automatically enabled if you’ve upgraded to Windows 10’s Fall Creators Update, and EMET is no longer supported. EMET can’t even be installed on PCs running the Fall Creators Update. If you already have EMET installed, it will be removed by the update.

Windows 10’s Fall Creators Update also includes a related security feature named Controlled Folder Access. It’s designed to stop malware by only allowing trusted programs to modify files in your personal data folders, like Documents and Pictures. Both features are part of “Windows Defender Exploit Guard”. However, Controlled Folder Access isn’t enabled by default.

How to Confirm Exploit Protection is Enabled

This feature is automatically enabled for all Windows 10 PCs. However, it can also be switched to “Audit mode”, allowing system administrators to monitor a log of what Exploit Protection would have done to confirm it won’t cause any problems before enabling it on critical PCs.

To confirm that this feature is enabled, you can open the Windows Defender Security Center. Open your Start menu, search for Windows Defender, and click the Windows Defender Security Center shortcut.

Click the window-shaped “App & browser…
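The same confirmation can be done from a script, which is useful when checking many PCs or reviewing Audit mode results. The PowerShell below is an added example, not part of the original article; it assumes an elevated prompt on Windows 10 version 1709 or later and uses the built-in `Get-ProcessMitigation`, `Get-MpPreference` and `Get-WinEvent` cmdlets. The row labels and the "explicitly disabled" note are this example's own wording.

```powershell
# Added example: read-only checks, nothing is changed on the system.

# 1. System-wide Exploit Protection settings. Each value is ON, OFF or NOTSET;
#    NOTSET means no explicit override is stored, so the OS default applies.
$sys = Get-ProcessMitigation -System
$settings = [ordered]@{
    'DEP'                   = $sys.DEP.Enable
    'Control Flow Guard'    = $sys.CFG.Enable
    'Mandatory ASLR'        = $sys.ASLR.ForceRelocateImages
    'Bottom-up ASLR'        = $sys.ASLR.BottomUp
    'High-entropy ASLR'     = $sys.ASLR.HighEntropy
    'SEHOP'                 = $sys.SEHOP.Enable
    'Heap integrity checks' = $sys.Heap.TerminateOnError
}
$settings.GetEnumerator() | ForEach-Object {
    # Flag only mitigations that someone has turned off on purpose.
    $note = if ("$($_.Value)" -eq 'OFF') { '  <-- explicitly disabled' } else { '' }
    '{0,-24} {1}{2}' -f $_.Key, $_.Value, $note
}

# 2. Controlled Folder Access state (not enabled by default).
$cfaNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'Audit mode' }
try {
    $cfa = [int](Get-MpPreference -ErrorAction Stop).EnableControlledFolderAccess
    $label = if ($cfaNames.ContainsKey($cfa)) { $cfaNames[$cfa] } else { "Other ($cfa)" }
    "Controlled Folder Access: $label"
} catch {
    # Happens when Windows Defender is turned off or replaced by another product.
    "Controlled Folder Access: could not query Windows Defender ($($_.Exception.Message))"
}

# 3. Most recent Exploit Protection events, including Audit mode entries that
#    record what would have been blocked. An empty log produces no output.
$logs = 'Microsoft-Windows-Security-Mitigations/KernelMode',
        'Microsoft-Windows-Security-Mitigations/UserMode'
foreach ($log in $logs) {
    Get-WinEvent -LogName $log -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LogName, Message
}
```

Per-application overrides can be inspected the same way with `Get-ProcessMitigation -Name` followed by the executable name.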

Sasha Harriet
