Disable EAF for firefox.exe as a part of the security baseline


Hi!

I'm working for Mozilla. We have a case that Firefox does not launch because EAF is turned on for firefox.exe by the customer's corporate IT policy. Since Firefox does not support EAF, what we can do is to ask customers to disable EAF, but they can't if they don't have admin rights.

The current security baseline contains a script to disable EAF for several executables such as onedrive.exe or acrord32. Could you please add an entry to disable EAF for firefox.exe as well?

I also confirmed Chrome (chrome.exe) and the new MS Edge (msedge.exe) have the same issue.

Thanks,

Toshihito

3 Replies

@tokikuch

You could configure Exploit Protection the way you want (like disable EAF for firefox.exe or other apps) and then export it, take a look at:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/import-ex...

Then you may use a number of ways like Group Policy, MEM, ... to deploy policy and manage it, take a look at:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-ex...

@tokikuch from a security baseline perspective we would not make this change to our baseline as it appears this is something your local IT department changed. The EP-reset.xml that we distribute resets the settings we originally had in EP.xml. If you look in it (EP.xml) we do not mess with EAF for the ones you mention.

What @Reza_Ameri-Archived mentions below is your best bet.

@Rick_Munck Oh, I see. It means a previous baseline had enabled EAF for those applications like Adobe. Thank you for clarifying it!
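
The check suggested in the replies above (look in the policy XML to see which executables have EAF turned on, then set a per-app override and export it), as an added example that is not part of any post in this thread. The XML is a constructed sample whose element and attribute names are assumed to match the Exploit Protection export layout, and `Get-EafEnabledApp` is a hypothetical helper name.

```powershell
# Constructed sample policy; compare the layout with your own exported file.
$sample = @'
<MitigationPolicy>
  <AppConfig Executable="Acrobat.exe">
    <Payload EnableExportAddressFilter="true" EnableImportAddressFilter="true" />
  </AppConfig>
  <AppConfig Executable="firefox.exe">
    <Payload EnableExportAddressFilter="true" />
  </AppConfig>
  <AppConfig Executable="OneDrive.exe">
    <Payload EnableExportAddressFilter="false" />
  </AppConfig>
  <AppConfig Executable="notepad.exe">
    <DEP Enable="true" />
  </AppConfig>
</MitigationPolicy>
'@

function Get-EafEnabledApp {
    # Returns the executables for which the policy XML turns EAF on.
    # Entries without a Payload element, or with EAF set to false, are skipped.
    param([Parameter(Mandatory)][xml]$Policy)
    foreach ($app in $Policy.SelectNodes('/MitigationPolicy/AppConfig')) {
        $payload = $app.SelectSingleNode('Payload')
        if ($null -ne $payload -and
            $payload.GetAttribute('EnableExportAddressFilter') -eq 'true') {
            $app.GetAttribute('Executable')
        }
    }
}

# The three browsers named in the original post.
$browsers = 'firefox.exe', 'chrome.exe', 'msedge.exe'
$enabled  = @(Get-EafEnabledApp -Policy ([xml]$sample))
$hits     = @($enabled | Where-Object { $browsers -contains $_ })
"EAF enabled for:   $($enabled -join ', ')"
"Browsers affected: $($hits -join ', ')"

# On a managed machine, from an elevated prompt, the same check against the
# live settings, followed by the per-app override and export:
#   Get-ProcessMitigation -RegistryConfigFilePath .\current.xml
#   Get-EafEnabledApp -Policy ([xml](Get-Content .\current.xml -Raw))
#   Set-ProcessMitigation -Name firefox.exe -Disable EnableExportAddressFilter
#   Get-ProcessMitigation -RegistryConfigFilePath .\EP-custom.xml
```

Running the audit against each policy XML that IT deploys shows which one introduced the EAF entry for a browser, so the override can be made in that policy rather than on individual machines.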