How to Deploy an Exploit Protection Policy in Defender
Exploit protection monitors how applications behave in memory and blocks malicious techniques attackers use to take control of a system, such as:
- Code injection
- Memory corruption
- Privilege escalation
- Bypassing security controls
Exploit Protection Components
These exploit protection settings apply across the whole operating system:
- DEP (Data Execution Prevention) – stops code from running in non‑executable memory
- ASLR (Address Space Layout Randomization) – makes memory locations unpredictable
- SEHOP – prevents structured exception handler attacks
Program (App‑specific) Mitigations
Target specific applications that attackers frequently exploit.
Common protected apps:
- Browsers (Edge, Chrome)
- Microsoft Office apps
- Adobe Reader
- Java
- Line‑of‑business applications
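The split between OS-wide and app-specific mitigations can be checked before a policy is deployed. The following is an added example, not code from the original page: it assumes the policy is the exploit protection XML that Windows exports (the page does not show the file), uses a constructed sample, and the `audit_policy` helper and the list of required settings are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy for illustration; not taken from the page or a real tenant.
SAMPLE_POLICY = """<MitigationPolicy>
  <SystemConfig>
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR ForceRelocateImages="false" RequireInfo="false" BottomUp="true" HighEntropy="true" />
    <SEHOP Enable="false" TelemetryOnly="false" />
  </SystemConfig>
  <AppConfig Executable="AcroRd32.exe">
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="true" />
  </AppConfig>
  <AppConfig Executable="WINWORD.EXE">
    <DEP Enable="true" EmulateAtlThunks="false" />
  </AppConfig>
</MitigationPolicy>"""

# Assumption of this example: the OS-wide settings that must be on are the
# three the page lists, with ASLR judged by its BottomUp and HighEntropy flags.
REQUIRED_SYSTEM = {"DEP": ["Enable"], "ASLR": ["BottomUp", "HighEntropy"], "SEHOP": ["Enable"]}


def _is_on(element, attr):
    # A missing element or missing attribute counts as "not enabled".
    return element is not None and element.get(attr, "").lower() == "true"


def audit_policy(xml_text, expected_apps):
    """Return (system_gaps, apps_without_entry, enabled_settings_per_app)."""
    root = ET.fromstring(xml_text)
    system = root.find("SystemConfig")
    gaps = []
    for name, attrs in REQUIRED_SYSTEM.items():
        node = system.find(name) if system is not None else None
        gaps += [f"{name}.{a}" for a in attrs if not _is_on(node, a)]
    # Windows file names are case-insensitive, so compare executables in lower case.
    apps = {}
    for app in root.findall("AppConfig"):
        exe = app.get("Executable", "").lower()
        apps[exe] = sorted(f"{m.tag}.{k}" for m in app
                           for k, v in m.attrib.items() if v.lower() == "true")
    missing = [e for e in expected_apps if e.lower() not in apps]
    return gaps, missing, apps


if __name__ == "__main__":
    gaps, missing, apps = audit_policy(SAMPLE_POLICY, ["AcroRd32.exe", "WINWORD.EXE", "msedge.exe"])
    print("system-wide gaps:", gaps, "| apps with no entry:", missing)
    print("enabled per app:", apps)
```

On the constructed sample the check reports SEHOP as disabled system-wide and no app-specific entry for msedge.exe.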
Exploit Techniques Blocked
Exploit protection can stop attacks that use:
- Shellcode injection
- ROP (Return‑Oriented Programming)
- Heap corruption
- Untrusted fonts
- API tampering
Exploit Protection vs Antivirus
| Antivirus | Exploit Protection |
|---|---|
| Detects known malware | Stops exploit behavior |
| Signature‑based | Behavior & memory‑based |
| Reactive | Preventive |
| Needs malware file | Works without files |
Follow the steps below to create the exploit protection policy.
Log in to the Intune console.