Geekmaster 👽:system76: · @Geekmaster
166 followers · 1246 posts · Server ioc.exchange

⚠️ MO497128: For everyone who lost the use of their desktop apps today, it's because of an issue that Microsoft is dealing with, related directly to , or rules. Specifically: "Block Win32 API calls from Office Macros" with ID 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b.

:
Admins can put the ASR rule into Mode to avoid further impact. Please note that you may need to re-enable the rule once the issue has been fully resolved. This can be done through one of the following methods:

- Using Powershell: Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions AuditMode

- Using Intune: learn.microsoft.com/en-us/micr

- Using Group Policy: learn.microsoft.com/en-us/micr

#microsoftservicehealth #advisory #microstfoffice #defender #attacksurfacereduction #ASR #hotfix #audit #themoreyouknow #sysadmins

Last updated 2 years ago
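The advisory above recommends moving the affected rule to Audit mode and re-enabling it later. The following PowerShell is an added example (not code from the original post or from Microsoft): it reads the locally effective ASR configuration with Get-MpPreference, reports the current action for the rule GUID quoted in the post, and only then issues the same Add-MpPreference command the post gives. The action-code mapping (0 Disabled, 1 Block, 2 Audit, 6 Warn) is Microsoft's documented encoding; the helper name Get-AsrRuleState is this example's own.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.
# Rule GUID from the advisory: "Block Win32 API calls from Office macros".
$RuleId = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'

# Documented ASR action codes as returned by Get-MpPreference.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    # Ids and Actions are parallel arrays: the action at index i belongs to the id at index i.
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $Id) {   # -eq on strings is case-insensitive in PowerShell
            $code = [int]$actions[$i]
            if ($ActionNames.ContainsKey($code)) { return $ActionNames[$code] }
            return "Unknown($code)"
        }
    }
    return 'NotConfigured'
}

$before = Get-AsrRuleState -Id $RuleId
"Rule $RuleId is currently: $before"

if ($before -eq 'Block') {
    # Same command the advisory gives; on an already-configured rule it updates the action in place.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
    "Rule $RuleId is now: $(Get-AsrRuleState -Id $RuleId)"
}
```

Keep in mind that a rule value delivered by Group Policy or Intune takes precedence over the local setting, so on a managed device the Intune or GPO route the post links is the one that sticks; the local change is only useful on unmanaged machines or as a stopgap until policy refreshes. Re-run Get-AsrRuleState after the fix ships to confirm the rule is back in Block.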

IAintShootinMis · @iaintshootinmis
454 followers · 721 posts · Server digitaldarkage.cc

This was the result of an rule called "Win32 Imports from Office Macro Code" being set to "Block" causing it to delete all of the shortcuts from ProgramData\Microsoft\Windows\Start Menu\Programs

#asr #attacksurfacereduction

Last updated 2 years ago

Christian Müller · @chrisonsecurity
53 followers · 26 posts · Server infosec.exchange

Attention! Microsoft Defender issue!

Starting with security intelligence version 1.381.2140.0 (or others depending on OS) Attack Surface Reduction (ASR) will remove .LNK files in start menu and taskbar once they are clicked on. This will trigger an ASR alert in some but not all cases ("Block Win32 API calls from Office macro"). Setting this to audit might help.

This is affecting every environment I have looked at now, so just wanted to share it so as many people as possible.

#microsoftdefender #asr #attacksurfacereduction

Last updated 2 years ago

Recorded Paradox · @recordedparadox
144 followers · 317 posts · Server infosec.exchange

I am running into an issue with adding an rule exclusion.

Last week, a team member called saying an Adobe plugin wouldn't work. I checked the Windows logs and it stated that the plugin's executable was attempting to create a child process from Adobe. I added an Only Per Rule Exclusions entry for the fully qualified path of the plugin's executable as it was displayed in the Windows Defender warning.

The ASR Rule Block Adobe Reader from creating child processes is in Block mode.

I opened the device in Intune and clicked Sync.

A few days later, the team member contacts IT again and says that they are getting the same error as previously (and that it never was working).

I ran the (github.com/4D5A/MDATP_PoSh_Scr) on the team member's computer and it did not show any ASR Exclusions.

As a temporary workaround, I changed the ASR Rule so it is in Audit mode. Oddly, the computer updated and sees the ASR Rule is in Audit mode, but it still does not see the ASR Per Rule Exclusion.

Has anyone else seen this issue?

I added the ASR Per Rule Exclusion in two formats, and neither one is listed on the computer. I used the fully qualified path without quotation marks (i.e. C:\Program Files (x86)\Vendor\Application.exe) and the fully qualified path with quotation marks (i.e. "C:\Program Files (x86)\Vendor\Application.exe").

Thank you in advance for any suggestions!

#attacksurfacereduction #defender #asr #asranalyzer

Last updated 2 years ago
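For the exclusion problem described in the post above, the useful check on the endpoint is twofold: whether the path actually appears in the locally effective exclusion lists, and whether Defender is still logging ASR hits for that executable. This PowerShell is an added example (not the poster's code and not the linked ASR analyzer script): it inspects Get-MpPreference and then queries the Defender operational log for event IDs 1121 (rule blocked) and 1122 (rule audited) mentioning the path. The path is the placeholder from the post; the property AttackSurfaceReductionRules_RuleSpecificExclusions is assumed to exist on recent Defender platform builds and is read defensively in case it does not; both function names are this example's own.

```powershell
# Added example, not from the original post. Run on the affected computer, elevated.
# Placeholder path copied from the post; substitute the path shown in the Defender warning.
$ExePath = 'C:\Program Files (x86)\Vendor\Application.exe'

function Test-AsrExclusionApplied {
    param([string]$Path)
    $pref = Get-MpPreference
    # "Attack Surface Reduction Only Exclusions" as applied locally.
    $asrOnly = @($pref.AttackSurfaceReductionOnlyExclusions)
    # Per-rule exclusions. Assumption: this property exists on recent builds;
    # on older builds it reads as $null and the result is simply empty.
    $perRule = @($pref.AttackSurfaceReductionRules_RuleSpecificExclusions)
    [pscustomobject]@{
        Path           = $Path
        InAsrOnlyList  = ($asrOnly -contains $Path)          # case-insensitive string match
        PerRuleEntries = @($perRule | Where-Object { $_ -like "*$Path*" })
    }
}

function Get-AsrEventsForPath {
    param([string]$Path, [int]$Hours = 72)
    # 1121 = ASR rule blocked an action, 1122 = ASR rule in audit mode would have blocked it.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$Path*" } |
        Select-Object TimeCreated, Id,
            @{ n = 'Mode'; e = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } },
            Message
}

Test-AsrExclusionApplied -Path $ExePath | Format-List
Get-AsrEventsForPath -Path $ExePath | Format-Table -AutoSize -Wrap
```

Reading the output: if the path is absent from both lists after an Intune sync, the exclusion never reached the device, which matches what the poster observed. If it is present but 1121 or 1122 events keep appearing for the same path, the entry is there but is not matching, typically because the logged process path differs from the excluded one (8.3 short names, a different drive letter, or a child executable rather than the plugin itself), and the Message field of those events shows the exact string Defender evaluated.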