C
Chan_437
Hello,
I have an issue with Exploit Protection configuration with Intune and Microsoft Advanced Threat Protection (ATP) as it is closing out our users Skype application. The reason it closes is because of the way our Skype call recorder is integrated into Skype. In the ATP portal it shows that lync.exe (Skype) is making an Exploit Address Filter (EAF) violation. I have tested this by uninstalling the call recorder and Skype runs fine but once the recorder is installed I get EAF violations in the ATP incident list and Skype no longer opens.
I found the setting to toggle in Windows Security settings > App and browser control > Exploit Protection > Program settings > lync.exe > Export address filtering > off. But once I apply this to the Intune policy XML it does not seem to take effect. XML config is at the bottom.
I have found three locations where Exploit Guard or Exploit Protection can be configured:
2) Endpoint security > Security Baseline > Windows 10 Security Baseline > properties > Exploit Guard > upload XML config file
3) Endpoint security > Attack surface reduction > Policy type: Exploit protection > upload XML config file
Am I missing another location to configure this?
I have uploaded the same XML file to the above three locations but it does not seem to overwrite the current XML configuration on my device or any user devices. I created the XML file by exporting my current Exploit Protection settings with Skype EAF to off.
This snippet of the XML with EnableExportAddressFilter="true" is what turns EAF for lync.exe on. I have tried setting it to false or removing the line altogether but neither work.
I am already working with MS on the issue but they are being very slow and I am trying to find a solution quickly. I am able to run the PS command
"Set-ProcessMitigation -Name lync.exe -Disable EnableExportAddressFilter,EnableExportAddressFilterPlus" but EAF for Skype gets reverted when the computer is rebooted.
Edited XML to only include lync.exe. This is what is currently uploaded. But once I upload and Sync my computer EAF stays on. I let it sit for 24 hours and it is still on.
<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
<AppConfig Executable="lync.exe">
<DEP Enable="true" EmulateAtlThunks="false" />
<ASLR ForceRelocateImages="true" RequireInfo="false" />
<Payload EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" />
</AppConfig>
</MitigationPolicy>
XML with EAF on for lync.exe
<AppConfig Executable="LYNC.EXE">
<DEP Enable="true" EmulateAtlThunks="false" />
<ASLR ForceRelocateImages="true" RequireInfo="false" />
<Payload EnableExportAddressFilter="true" EnableExportAddressFilterPlus="true" EnableImportAddressFilter="true" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" />
</AppConfig>
Any ideas as to why EAF won't turn off?
Continue reading...
I have an issue with Exploit Protection configuration with Intune and Microsoft Advanced Threat Protection (ATP) as it is closing out our users Skype application. The reason it closes is because of the way our Skype call recorder is integrated into Skype. In the ATP portal it shows that lync.exe (Skype) is making an Exploit Address Filter (EAF) violation. I have tested this by uninstalling the call recorder and Skype runs fine but once the recorder is installed I get EAF violations in the ATP incident list and Skype no longer opens.
I found the setting to toggle in Windows Security settings > App and browser control > Exploit Protection > Program settings > lync.exe > Export address filtering > off. But once I apply this to the Intune policy XML it does not seem to take effect. XML config is at the bottom.
I have found three locations where Exploit Guard or Exploit Protection can be configured:
Devices > Configuration profiles > Endpoint protection policy > settings >MS Defender exploit guard > Exploit Protection > added XML config file
2) Endpoint security > Security Baseline > Windows 10 Security Baseline > properties > Exploit Guard > upload XML config file
3) Endpoint security > Attack surface reduction > Policy type: Exploit protection > upload XML config file
Am I missing another location to configure this?
I have uploaded the same XML file to the above three locations but it does not seem to overwrite the current XML configuration on my device or any user devices. I created the XML file by exporting my current Exploit Protection settings with Skype EAF to off.
This snippet of the XML with EnableExportAddressFilter="true" is what turns EAF for lync.exe on. I have tried setting it to false or removing the line altogether but neither work.
I am already working with MS on the issue but they are being very slow and I am trying to find a solution quickly. I am able to run the PS command
"Set-ProcessMitigation -Name lync.exe -Disable EnableExportAddressFilter,EnableExportAddressFilterPlus" but EAF for Skype gets reverted when the computer is rebooted.
Edited XML to only include lync.exe. This is what is currently uploaded. But once I upload and Sync my computer EAF stays on. I let it sit for 24 hours and it is still on.
<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
<AppConfig Executable="lync.exe">
<DEP Enable="true" EmulateAtlThunks="false" />
<ASLR ForceRelocateImages="true" RequireInfo="false" />
<Payload EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" />
</AppConfig>
</MitigationPolicy>
XML with EAF on for lync.exe
<AppConfig Executable="LYNC.EXE">
<DEP Enable="true" EmulateAtlThunks="false" />
<ASLR ForceRelocateImages="true" RequireInfo="false" />
<Payload EnableExportAddressFilter="true" EnableExportAddressFilterPlus="true" EnableImportAddressFilter="true" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" />
</AppConfig>
Any ideas as to why EAF won't turn off?
Continue reading...