Microsoft Defender AV must be configured block Office applications from creating child processes.

An XCCDF Rule

Description

<VulnDiscussion>Office apps, such as Word or Excel, will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-213457r823083_rule
Severity: Medium
References: CCI-001170
Updated: about 1 year ago

Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Windows Defender Exploit Guard >> Attack Surface Reduction >> "Configure Attack Surface Reduction rules" to "Enabled". 

Click "Show...". Set the Value name to "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" and the Value to "1".

Microsoft Defender AV must be configured block Office applications from creating child processes.

Description

Remediation - Manual Procedure