configure-machines-asr.md

title: Optimize ASR rule deployment and detections
description: Optimize your attack surface reduction rules to identify and prevent typical malware exploits.
ms.service: defender-endpoint
ms.author: deniseb
author: denisebmsft
ms.localizationpriority: medium
manager: deniseb
audience: ITPro
ms.collection:
- m365-security
- tier2
- mde-asr
ms.custom: admindeeplinkDEFENDER
ms.topic: conceptual
ms.subservice: asr
search.appverid: met150
ms.date: 03/27/2025

Optimize ASR rule deployment and detections


Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

Attack surface reduction rules identify and prevent typical malware exploits. They control when and how potentially malicious code can run. For example, they can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, and block processes that run from USB drives.

:::image type="content" source="/defender/media/attack-surface-mgmt.png" alt-text="Attack surface management card" lightbox="/defender/media/attack-surface-mgmt.png":::

Attack surface management card

The Attack surface management card is an entry point to tools in the Microsoft Defender portal that you can use to:

  • Understand how ASR rules are currently deployed in your organization.
  • Review ASR detections and identify possible incorrect detections.
  • Analyze the impact of exclusions and generate the list of file paths to exclude.

Select Go to attack surface management > Reports > Attack surface reduction rules > Add exclusions. From there, you can navigate to other sections of the Microsoft Defender portal.

:::image type="content" source="media/secconmgmt-asr-m365exlusions.png" alt-text="Add exclusions tab in the Attack surface reduction rules page in the Microsoft Defender portal" lightbox="media/secconmgmt-asr-m365exlusions.png":::

The Add exclusions tab in the Attack surface reduction rules page in the Microsoft Defender portal
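
The three tasks listed above can also be approached with a query. This is an added example, not part of the original article or Microsoft's own query; it assumes advanced hunting with the `DeviceEvents` table is available in your tenant. The `datatable` rows are constructed sample data, and the device names and Contoso paths are made up.

```kusto
// Constructed sample rows shaped like the DeviceEvents advanced hunting table.
let SampleDeviceEvents = datatable(
    Timestamp:datetime, DeviceName:string, ActionType:string,
    FileName:string, FolderPath:string, InitiatingProcessFileName:string)
[
    datetime(2025-03-20 09:14:00), "ws-001", "AsrOfficeChildProcessAudited", "updater.exe", @"C:\Program Files\ContosoLOB", "winword.exe",
    datetime(2025-03-20 09:31:00), "ws-002", "AsrOfficeChildProcessAudited", "updater.exe", @"C:\Program Files\ContosoLOB", "winword.exe",
    datetime(2025-03-21 08:02:00), "ws-003", "AsrOfficeChildProcessAudited", "updater.exe", @"C:\Program Files\ContosoLOB", "excel.exe",
    datetime(2025-03-21 11:47:00), "ws-002", "AsrUntrustedUsbProcessBlocked", "setup.exe", @"E:\", "explorer.exe",
    datetime(2025-03-22 15:05:00), "ws-004", "AsrOfficeMacroWin32ApiCallsBlocked", "report.xlsm", @"C:\Users\user1\Downloads", "excel.exe"
];
// 1. Normalize: ASR events carry the rule and the mode in ActionType
//    (for example AsrOfficeChildProcessAudited / AsrOfficeChildProcessBlocked).
let AsrEvents = SampleDeviceEvents      // swap in DeviceEvents for live data
| where ActionType startswith "Asr"
| extend Rule = extract(@"^Asr(.+?)(Audited|Blocked)$", 1, ActionType)
| extend Mode = case(ActionType endswith "Audited", "Audit",
                     ActionType endswith "Blocked", "Block",
                     "Other");
// 2. Deployment and detections: which rules fire, in which mode, on how many devices,
//    grouped by the file path that triggered them.
AsrEvents
| summarize Detections = count(),
            Devices    = dcount(DeviceName),
            Initiators = make_set(InitiatingProcessFileName),
            LastSeen   = max(Timestamp)
        by Rule, Mode, FolderPath, FileName
// 3. Exclusion candidates: the same path triggering on several devices is worth
//    reviewing as a possible incorrect detection. Volume alone does not make a
//    file benign, so this flag marks rows for review, not for automatic exclusion.
| extend ReviewForExclusion = Devices >= 3
| order by ReviewForExclusion desc, Detections desc
```

To run it against live telemetry, replace `SampleDeviceEvents` with `DeviceEvents` and add a time filter such as `Timestamp > ago(30d)`. Confirm that a flagged binary is legitimate before adding its path under Add exclusions.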

Note

To access the Microsoft Defender portal, you need a Microsoft 365 E3 or E5 license and an account that has certain roles in Microsoft Entra ID. Read about required licenses and permissions.

For more information about ASR rule deployment in the Microsoft Defender portal, see Optimize ASR rule deployment and detections.
