Microsoft Defender AV must be configured to block Win32 imports from macro code in Office.

An XCCDF Rule

Description

<VulnDiscussion>This rule blocks potentially malicious behavior by not allowing macro code to execute routines in the Win 32 dynamic link library (DLL).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-213462r823093_rule
Severity: Medium
References: CCI-001170
Updated: about 1 year ago

Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Windows Defender Exploit Guard >> Attack Surface Reduction >> "Configure Attack Surface Reduction rules" to "Enabled". 

Click "Show...". Set the Value name to "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B" and the Value to "1".

Microsoft Defender AV must be configured to block Win32 imports from macro code in Office.

Description

Remediation - Manual Procedure