Windingo-4604 asked:

Issue with ASR rule and Warn mode, message will be repeated indefinitely

Hi,

I have enabled "warn mode" for an ASR rule that was previously in block mode. I used the rule 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B (Block Win32 API calls from Office macros).
This works partly, as I can see the "unblock" message when opening an Excel file with macros included.

But regardless of the button I press, the message appears again and again. I choose "unblock" repeatedly but the file is not unblocked. The behavior has been tested on Windows 10 21H2 and Windows 11.
So unblocking is not possible at all for a user.

Is this a known issue? Any ideas?

br, Ingo

Tags: windows-11, windows-10-security, office-itpro

JamieSabbatella answered:

Keen to follow this as about to move from block to warn on some ASR rules too.

The documentation does state that you shouldn't be asked again for 24 hours.

So that makes me wonder if the API calls are different each time.

A good place to start troubleshooting would be Event logs or the defender log: C:\ProgramData\Microsoft\Windows Defender\Support\MPLog....

Could help to see exactly what is going on.

Jamie
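As an added example (not part of Jamie's reply), the event-log check suggested above, done from an elevated PowerShell prompt. It pulls the ASR events from the Defender operational log (1121 = rule blocked, 1122 = rule audited, the IDs documented in the Defender event reference), keeps only those mentioning the rule GUID from the question, and groups them by minute so you can see whether one "Unblock" click produces one event or a burst. The rule ID and the one-day window are taken from the thread; the log name and event IDs are the documented ones.

```powershell
# Added example: review ASR events for one rule in the Defender operational log.
$RuleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'   # rule from the question (Block Win32 API calls from Office macros)
$Since  = (Get-Date).AddDays(-1)                    # look back one day

# Event IDs per the Microsoft Defender event reference:
#   1121 = ASR rule fired in block mode, 1122 = ASR rule fired in audit mode
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = $Since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No ASR events (1121/1122) since $Since in the Defender operational log."
    return
}

# The rule GUID appears in the event message text, so filter on it there.
$ruleEvents = $events | Where-Object { $_.Message -match [regex]::Escape($RuleId) }

# One row per event: time, event ID, and the message with its line breaks collapsed
$ruleEvents | ForEach-Object {
    [PSCustomObject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Detail  = ($_.Message -replace '\s+', ' ')
    }
} | Sort-Object Time | Format-Table -AutoSize -Wrap

# Count events per minute: a repeating prompt should show up as several events
# in the same minute rather than one event followed by a 24-hour gap.
$ruleEvents |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:mm') } |
    Select-Object @{n='Minute';e={$_.Name}}, Count |
    Sort-Object Minute | Format-Table -AutoSize
```

The 5007 event (Defender settings changed) in the same log is also worth reading alongside these, since it records when the rule's action value was last changed and by which management channel.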

Windingo-4604 commented:

It's the same file at the same location, so I think the API calls should be the same. I am a Windows guy and don't really know Excel macros. ;-)

In the Defender Logs I can see that a user has accepted Defender Exploit Guard and the ASR-ID 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B, my username, the Excel.exe path and the exact path of the file. This is the same every time.
This log entry repeats every time I click on "Unblock" or "OK" in the Defender dialogue until I close Excel and sometimes even afterwards.

In the Defender logfile I can't see any interesting things. There are no log entries at the time I open the Excel file.

BR, Ingo

LimitlessTechnology-2700 answered:

Hi there,

I would first suggest you try changing the methods that you have used to implement the ASR and see if that helps you as it seems to be a bug with warn mode. You can try applying the ASR with the method that is most suitable for you.

You can enable attack surface reduction rules by using any of these methods:
-Microsoft Intune
-Mobile Device Management (MDM)
-Microsoft Endpoint Configuration Manager
-Group Policy
-PowerShell

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide
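As an added example (not from the answer above), this is the PowerShell route from that list applied to the rule in the question, followed by a check of what the machine actually has in effect. `Add-MpPreference` / `Get-MpPreference` and the numeric action codes (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn) are the documented ones. The registry path at the end is the one the Group Policy ASR setting writes to; it is included so you can see whether a policy value is also present for the same GUID, since in that case the locally set preference is not the one Defender enforces.

```powershell
# Added example: put one ASR rule into Warn mode with PowerShell and verify the effective setting.
$RuleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'   # Block Win32 API calls from Office macros

# Set (or change) the action for this one rule without touching the others.
# Accepted actions: Disabled, Block, AuditMode, Warn, NotConfigured
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions Warn

# Ids and Actions are parallel arrays in Get-MpPreference; decode the action codes.
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    [PSCustomObject]@{
        Rule   = $pref.AttackSurfaceReductionRules_Ids[$i]
        Action = if ($actionName.ContainsKey($code)) { $actionName[$code] } else { "Unknown($code)" }
    }
} | Where-Object { $_.Rule -ieq $RuleId }

# Check whether Group Policy also sets this rule. The GPO "Configure Attack Surface
# Reduction rules" writes one value per rule GUID under this key (data 0/1/2/6).
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
$gpoRules = Get-ItemProperty -Path $gpoKey -ErrorAction SilentlyContinue
if ($gpoRules) {
    $gpoValue = $gpoRules.PSObject.Properties |
        Where-Object { $_.Name -ieq $RuleId } |
        Select-Object -ExpandProperty Value
    if ($null -ne $gpoValue) {
        Write-Host "Group Policy also sets $RuleId to action code $gpoValue"
    } else {
        Write-Host "Group Policy ASR key exists but does not set $RuleId"
    }
} else {
    Write-Host "No Group Policy ASR rule settings present on this machine"
}
```

When testing the two methods against each other, remove the rule from one channel before enabling it through the other so that only one source is defining the action during the test.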

Windingo-4604 commented:

Thank you. Unfortunately I can only test Group Policy and PowerShell, and it doesn't make any difference how I enable the rule.

Also I have tried this in a second environment which does not have any connections to my default environment and I see the same error.
