Microsoft has addressed a false positive triggered by a buggy Microsoft Defender ASR rule that removed application shortcuts from the desktop, the Start menu, and the taskbar.
The issue affected app shortcuts across onboarded devices after a Microsoft Defender for Endpoint attack surface reduction (ASR) rule was wrongly triggered.
When it works correctly, this ASR rule (known in Configuration Manager as “Block Win32 API calls from Office macros” and in Intune as “Win32 imports from Office macro code”) blocks VBA macros from calling Win32 APIs.
“Malware can exploit this functionality, such as by calling Win32 APIs to launch malicious shellcode without writing anything directly to disk,” Microsoft explains.
“Most organizations don’t rely on the ability to call Win32 APIs in their day-to-day functions, even if they use macros in other ways.”
While this generally helps reduce the attack surface an attacker can use to compromise a device protected by Microsoft Defender Antivirus, a faulty Defender signature update (1.381.2140.0) caused the ASR rule (Rule ID: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b) to misfire on users’ app shortcuts and falsely tag them as malicious.
Windows administrators report that the ASR rule is removing shortcuts belonging to both Microsoft and third-party apps.
“Recently onboarded our assets to Defender for Endpoint. This morning there were many reports of program shortcuts (Chrome, Firefox, Outlook) all disappearing after a machine reboot. This has happened to me as well,” said one administrator.
“I’m having the exact same issue. I had to push a policy update to set this rule to audit mode instead of block. It is deleting shortcuts for almost all third-party apps and, as you said, even first-party apps (Slack, Chrome, Outlook),” another user confirmed.
To address the issue, Microsoft reverted the offending ASR rule and asked customers to check SI MO497128 in the admin center for updates.
We’ve verified that a specific rule is having an effect and have reverted it to prevent further impact while we investigate further. For more information, please follow SI MO497128 in the admin center.
— Microsoft 365 Status (@MSFT365Status) January 13, 2023
In its latest admin center update, Microsoft said that the reverted ASR rule will take several hours to propagate to all affected customers, and it recommends putting the rule into audit mode or disabling it completely in the meantime.
“We have reverted the problematic ASR rule, but this change is propagating throughout the environment and may take several hours to complete,” Microsoft said.
“We recommend that you put the problematic ASR rule into audit mode and take steps to prevent further impact until the update is deployed.”
You can put the ASR rule into audit mode using one of the following methods:
- Using PowerShell: Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions AuditMode
- Using Intune
- Using Group Policy
A fourth option is to set the rule to disabled mode using the following PowerShell command:
Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions Disabled
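The one-liners above change the rule state but give no feedback. The following PowerShell is an added example, not code from the article or from Microsoft: it reads the rule’s current state from the local Defender preferences, switches it to audit mode only if it is currently blocking, and reports the installed signature version so you can see whether the device still carries the 1.381.2140.0 build. The `Get-AsrRuleState` and `Set-AsrRuleState` function names and the action-code table are this example’s own; the cmdlets used are the built-in Defender ones.

```powershell
# Added example (not from the article or Microsoft). Run in an elevated PowerShell session
# on a device with Microsoft Defender Antivirus. Function names are this example's own.
$RuleId = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'   # "Block Win32 API calls from Office macros"

# Action codes as returned by Get-MpPreference (assumed mapping, documented by Microsoft):
# 0 = Disabled, 1 = Block, 2 = AuditMode, 6 = Warn
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$Id)
    $pref = Get-MpPreference
    # Ids and Actions are parallel arrays; the same index describes one rule
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) {
            $code = [int]$acts[$i]
            $name = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown($code)" }
            return [pscustomobject]@{ RuleId = $Id; ActionCode = $code; Action = $name }
        }
    }
    # Not listed locally: the rule is not configured on this device
    return [pscustomobject]@{ RuleId = $Id; ActionCode = $null; Action = 'NotConfigured' }
}

function Set-AsrRuleState {
    param(
        [Parameter(Mandatory)][string]$Id,
        [Parameter(Mandatory)][ValidateSet('AuditMode', 'Disabled', 'Enabled')][string]$Action
    )
    # Add-MpPreference updates the entry in place when the GUID is already present
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Id -AttackSurfaceReductionRules_Actions $Action
    return Get-AsrRuleState -Id $Id
}

# Signature version helps correlate a device with the faulty 1.381.2140.0 update
$status = Get-MpComputerStatus
"Signature version: $($status.AntivirusSignatureVersion)"

$before = Get-AsrRuleState -Id $RuleId
"Before: $($before.Action)"

# Only touch the rule if it is actually blocking; leave Audit/Disabled/NotConfigured alone
if ($before.Action -eq 'Block') {
    $after = Set-AsrRuleState -Id $RuleId -Action AuditMode
    "After:  $($after.Action)"
}
```

Two caveats worth keeping in mind: if the rule is delivered by Intune or Group Policy, a local `Add-MpPreference` change is overwritten at the next policy refresh, so the change has to be made in the management tool instead; and putting the rule in audit mode stops further shortcut deletions but does not bring back shortcuts that were already removed.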
Until the issue is fully fixed and deleted shortcuts can be restored, Microsoft advised customers to launch the Office apps directly from the Office app or the Microsoft 365 app launcher.
A system administrator has created PowerShell scripts [1, 2] that attempt to restore the Start menu shortcuts for Microsoft Office and other applications. However, these should be tested before being used in production.
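To show what such a restore script has to do, here is an added PowerShell example, written for this page and not the administrator’s script linked above. It recreates all-users Start menu shortcuts only for applications whose executable is still present, and leaves existing shortcuts untouched. The application list, the install paths and the `Restore-StartMenuShortcut` function name are assumptions for illustration; the `WScript.Shell` COM object it uses is the standard way to write `.lnk` files from PowerShell.

```powershell
# Added example (not the linked admin script). Run elevated: writing to the all-users
# Start menu under ProgramData requires administrator rights. App list and paths are assumed.
$StartMenu = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'

# Shortcut name -> candidate executable paths; the first path that exists is used
$Apps = @{
    'Google Chrome' = @("$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
                        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe")
    'Firefox'       = @("$env:ProgramFiles\Mozilla Firefox\firefox.exe")
    'Outlook'       = @("$env:ProgramFiles\Microsoft Office\root\Office16\OUTLOOK.EXE")
    'Word'          = @("$env:ProgramFiles\Microsoft Office\root\Office16\WINWORD.EXE")
    'Excel'         = @("$env:ProgramFiles\Microsoft Office\root\Office16\EXCEL.EXE")
}

function Restore-StartMenuShortcut {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$Candidates,
        [string]$Folder = $StartMenu
    )
    # Pick the first installed binary; skip apps that are not on this machine
    $target = $Candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $target) {
        return [pscustomobject]@{ Name = $Name; Result = 'NotInstalled'; Target = $null }
    }
    $lnkPath = Join-Path $Folder "$Name.lnk"
    # Never overwrite a shortcut that survived (or was already restored)
    if (Test-Path -LiteralPath $lnkPath) {
        return [pscustomobject]@{ Name = $Name; Result = 'AlreadyPresent'; Target = $target }
    }
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath       = $target
    $lnk.WorkingDirectory = Split-Path -Parent $target
    $lnk.Save()
    return [pscustomobject]@{ Name = $Name; Result = 'Restored'; Target = $target }
}

$Apps.GetEnumerator() |
    ForEach-Object { Restore-StartMenuShortcut -Name $_.Key -Candidates $_.Value } |
    Format-Table -AutoSize
```

Run it on a single test machine first, as the article advises for the linked scripts. It is also only useful once the rule is in audit mode or the corrected signature has arrived; while the faulty rule is still blocking, freshly created shortcuts can be removed again.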
Over the past two years, Windows admins have had to deal with multiple other Microsoft Defender for Endpoint false positives.
Almost a year ago, a series of Defender for Endpoint alerts tagged an Office update as malicious with warnings pointing to ransomware behavior detected on Windows endpoints.
In November 2021, Defender ATP also blocked Office documents and some Office executables from opening or launching due to another false positive, in which the files were tagged as Emotet malware payloads.
A month later, in December 2021, it erroneously displayed “sensor tampering” alerts for Microsoft 365 Defender’s Log4j scanner processes.
A similar Defender for Endpoint false positive issue displayed alerts for network devices infected with Cobalt Strike and tagged a Chrome update as a PHP backdoor.