What is the New “Block Suspicious Behaviors” Feature in Windows 10?

July 27, 2018 |

greater than 10 minutes

Windows 10 Redstone 5 update is a significant release in the line of Windows upgrades. Microsoft has scheduled its launch for Fall, 2018.  We expect many new features and capabilities to arrive with it and the unique ability to block suspicious behaviors is one of them.

Although the operating system maker is yet to launch any build of this massive upgrade for ordinary users, Windows insiders have gotten access to it for quite some time now and have been testing it. The information contained in this guide is evidently drawn from the analysis that we have been able to conduct on it.

Therefore, there is still time for Microsoft to change something. In fact, they could decide to cancel it at the last moment and prevent it from being available in the final release. Do not bet on anything. To prepare for your system for the big upgrade, we recommend that you update all your device drivers, using Auslogics Driver Updater.

Click Update drivers to get the necessary drivers for your PC.

Important things to know about the Block Suspicious Behavior functionality

  • If you want to make use of the feature, you would have to turn it on yourself—by default, it is set to off. From its name, you could have figured out that the functionality should have a wide range of abilities regards what it does. Some of them are known well enough while some others we are yet to come to terms with.
  • Microsoft explained that the “Block Suspicious Behavior” feature is actually the same thing as the “Windows Defender Exploit Guard attack surface reduction technology” functionality. The name change had to happen because most users would probably have a hard time understanding what the latter was. Such a complication might discourage them from using it. The new description is easier on both people’s eyes and ears.
  • To be fair, the feature has already made its entrance some way back. Microsoft actually introduced it as one of the packages in the Windows 10 Fall Creators Update (which was announced on the 11th of May last year). Nevertheless, a fewer number of users than usual got to use it because it was available only on the Windows 10 Enterprise edition of the stated upgrade.
  • The major change involving this feature in the Redstone 5 update coming soon is that it will be available to all users regardless of what edition of iteration of Windows 10 their PC is running. Microsoft will present it as an option you can use in the Windows Security utility (the new name for Windows Defender in case you are wondering what this is).

What does Block Suspicious Behaviors do?

When you enable the feature in view, Windows will immediately begin to make use of some rules or guidelines that define the behavior of threats and how it should handle them.

When the rules are set, Windows is quickly able to disable features that a malicious item employs to do its work. Feel free to go through them. Subsequently, the stated setup undoubtedly helps to prevent your PC from falling into harm’s way due to the attack by malicious items.

All the rules outlined are there to ensure that a specific operation never gets carried out. We will look at a good number of them:

  • For example, the first rule “Block executable content from email client and webmail” prevents specific file types from being launched or run in email apps (like Microsoft Outlook) or web-based email (Gmail.com, outlook.com, and so on).

Here are some of the file formats we are referring to here: Executable files (those that have a .exe, .dll, or .scr extension); Script files (those that end with PowerShell .ps, VisualBasic .vbs); and others.

  • The next set of rules prevents Office apps from carrying out specific operations and for a good reason too.

When Windows prevents Office apps from creating child processes, malware will fail at their attempts to use them to launch or download malicious executables.

Similarly, if your system is set to stop Office applications from creating executable content, malicious add-ons and scripts or extensions used by the programs would become unable to develop or launch executable files.

Invariably, Windows will prevent Office apps from employing the suspicious extensions. The other rules for Office programs work in a way not so different from the ones we just described.

  • Other rules have nothing to do with the Office app. Some of them help Windows prevent the running of obfuscated scripts, block specific executable files from running when they fail to meet set criteria or list of conditions, allow the use of advanced techniques as form an extra layer of protection against malware, and so on.

The full list comprising of all the rules, their description, properties is available on the document that Microsoft contributors released on June 29 this year.

  • Now it is crucial for you to know that the Block Suspicious Behavior feature or the Attack Surface Reduction functionality forms part of the capabilities that the Windows Defender Exploit Guard utility brings. We understand that these terms are not precisely user-friendly, but we hope that you have grasped them well enough to differentiate one feature from the another just by seeing their names.
  • There are also others things which you must look out for like Exploit Protection, Network Protection, and Controlled Folder Access because they are the other vital functionalities available on the Windows Defender Exploit Guard program.

For example, Exploit Protection differs from the new Block Suspicious behavior in a good number of ways. From their names, you might think they do the same or a closely related job, but you could not be more wrong.

  • You can say they work together somehow though. However, we feel that Attack Surface Reduction fights out specific threats at a considerably higher level. This inference does not mean that Exploit Protection can afford not to pull its weight—it is too busy fighting against common memory exploit techniques which zero-day attacks employ most times. It works to kill any process that uses them as soon as possible.
  • Another difference between the functionalities we are comparing lies in how essential or necessary Microsoft deems them in making them available to users on the go. The operating system maker enables Exploit Protection by default on its OS while Attack Surface Protection is yet to be let into the exclusive clubs of already selected settings that ship with Windows. You never can tell when or how things might change soon though.

How to enable Block Suspicious Behaviors?

We have given you enough information on the scope of the feature;  we gave you a reasonable description of how it works, and we have spoilt you with other vital details. Now it is time we moved on to show you how you can enable it.

Well, if you are reading this, we would like to assume that you are using the insider build. Therefore, you can make light work of the steps below and test out the feature.

On the other hand, if you are not a Windows insider, then you would have to wait until fall when Microsoft eventually releases it for use to every user with a PC running Windows 10. You can always keep the instructions at the back of your mind. Even if you do forget the steps, you can always return to this guide when the need arises.

  • Launch the Windows Security app. You should find its shortcut from the items available on the Windows Start menu or one of the icons on your taskbar. Click on it to open the program. If you are successful with this act, then you must move on to the third step directly.

(Note that if you could not launch the app because the object you searched for was missing, then you must continue with the instructions below).

We earlier established that the Block Suspicious feature is part of the functionality available on the Windows Security application (or the Windows Defender app if we are to go by its old name) whose settings we are used to accessing from the Settings program. Thus, you know what app you need to launch to begin the process

Press the Windows button on your keyboard or click on the Windows Start icon always present on your desktop screen. From the list of programs and options that show up, you must select Settings to open the needed app

  • After Windows launches the program window, you have to click on Update and Security to open its menu. There, you will see Windows Security, which you must click on now. Click on the Open Windows Security button
  • The Windows Security program window should show up now. Click on the Virus and Threat protection option (its icon). Under the Virus and Threat Protection settings, you will see the Manage settings link. Click on it
  • On the next screen, you should finally see Block Suspicious Behaviors. Toggle it on. A small dialog box or window from User Account Control might pop up requesting confirmation for the operation you initiated. Click on the Yes button there to confirm. Windows should enable the functionality in view almost immediately. You are good to go now.

(Note that if you do not see the feature in your final destination, then you are probably not running a version or iteration of Windows that supports it).

How to enable the Block Suspicious Behaviour functionality through the Registry Editor program

If for some reason things do not go the way we expect when you follow the instructions above, then you can bypass program menus or configurations to enable the Block Suspicious Feature through a different method.

Here, you are going to do some work on the registry, so we would like to assume that you really know what you are doing as operations on this critical system components must be carried out with superb precision and extreme accuracy. There is just no room for error here. Make a backup of your registry if you are not so sure of yourself.

Once you are ready, you have to go through these steps:

  • Open the Registry Editor app. You can do this through numerous methods, but we prefer you used this one as it is one the fastest ways we know: First, you must open the Run app by pressing the Windows button on your keyboard, then tapping the letter R key.

After the small program window shows up, you must input the following code into the text field present there and hit the Enter key to run it at once:


A dialog box or small window from User Account Control might come up to seek confirmation for your action. Click on the Yes button there to confirm and continue

  • After the Registry Editor program window appears, you have to navigate through the following items or entries:HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows Defender \ Windows Defender Exploit Guard \ ASR
  • Right-click on the ASR key (the item in your final destination), and select Permissions from the short menu list. After the Permissions dialog box comes up, you must click on the Advanced button there
  • On the Advanced Security Settings for ASR program window, you must click on the Change link that appears beside the name of the PC’s owner (user account). A dialog box or small window should come up. In the text field for Enter the object name to select, you must input the following keyword: administrator

The action you just carried out will ensure that the account in view exists on your PC

  • Now it is time you returned to the Advanced Security Settings for ASR program window. There, you must tick the checkbox for Replace owner on subcontainers and objects. Click on the Apply button
  • Click on the OK button to save the changes you just made. Now you have just acquired the ownership of the key for your administrator account. You must open the Permissions for ASR dialog box. Click on the Administrator account there to select and highlight it
  • Under the Permission for Administrators, you must tick the checkbox for Full Control (Allow). Click on OK to save the changes you just carried out. Return to the Registry Editor program window and continue your work there with the steps below
  • On the right for the ASR key, you must double-click on the DWORD value EnableASRConsumers. The Edit DWORD (32-bit) Value window should show up now. You have to input 1 in the field for Value data to enable the Block Suspicious Behavior functionality

(If you ever decide to disable it in the future, you must return to this window to perform an edit. You will alter the value from 1 to 0)

If you could not find the needed DWORD value, then you have to create it: Once you are at the location where you want the entry to be, you have to move your cursor to the right pane and right-click on any point void of objects or icons (space which is empty). From the short menu list that appears, you must select DWORD 32-bit Value since that is what you need in this scenario.

Right-click on the newly created DWORD value and change its name to EnableASRConsumers, double-click on it and input 1 to enable the Block Suspicious Behavior feature, and so on.

  • Close all the program windows you opened and restart your system.

Final words

If you notice that the Block Suspicious Behaviors functionality is overreaching and blocking stuff it is not meant to disturb (like a decisive action you authorized), then you can always return to the same spot in the Windows Security program to disable it.

If you ever have to turn it off, we recommend that you do not make the change a permanent one. You must turn it on later. After all, the feature gets it wrong with the blockage of only a small percentage of non-harmful actions. Its overreaching tendencies (if they actually exist at all) are those that rarely come into play.

Since you care so much about the new functionalities and features that will be available on the new Windows Security utility in the next Windows 10 upgrade, we can safely claim that protection of your system against threats is an essential concern for you. Therefore, we recommend that you download and run Auslogics Anti-Malware to take your security setup to a considerably higher level.

Wait until the scan is complete.

We know that most users often employ the services of a third-party antivirus program regardless of the presence of the security program that Microsoft has built into Windows 10. Similarly, we are glad to tell you can make use of the recommended program alongside other protection utilities without experiencing problems. In fact, with its help, you are going to get that extra layer of protection which helps you in staying as safe as possible.

Share it:
Do you like this post?
1 Star2 Stars3 Stars4 Stars5 Stars (3 votes, average: 5.00 out of 5)