Forum Discussion
Exclusions in Attack Surface Reduction rules in Block mode
We configured all ASR rules to "Audit mode" to see what would have been blocked in the last few days. The following rules stick out:
- NielsScheffers (Iron Contributor)
I didn't have the answers you were looking for but you sparked my interest. So far, the best resource I found to get some more info (and advice) on these rules was Palantir's blog:
https://blog.palantir.com/microsoft-defender-attack-surface-reduction-recommendations-a5c7d41c3cf8
Hopefully it helps you form an opinion for your own situation.
- Kiril (Steel Contributor)
Thank you, that blog post is indeed very insightful. We managed to boil it down to two rules, which we currently need in "Audit mode":
Block Office communication application from creating child processes: we are monitoring this one, and are quite optimistic to gather enough data to whitelist all applications which are getting detected.
Block executable files from running unless they meet a prevalence, age, or trusted list criteria: this rule indeed can be very annoying. You cannot foresee what needs to be whitelisted. There might be an approach to whitelist a specific folder which is allowed to execute *.exe, e.g. for installing new software, but that won't work if you want to trigger some other blocked application. It could work if there was some sort of privilege or admin role which could be assigned temporarily, where a user can install an application under the supervision of an admin. But for now this will stay in "Audit mode".
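Added example (not part of the thread, and not Microsoft's or either poster's code): the audit-then-exclude workflow Kiril describes, done with the built-in Defender cmdlets. It puts the two rules in audit mode, pulls the audit events (ID 1122 in the Defender operational log; 1121 is the corresponding block event) to see which paths would have been blocked, adds a folder exclusion for a controlled installer location, and finally flips a rule to block mode. The two GUIDs are the documented ASR rule IDs for the rules named above; the folder path is hypothetical, and the EventData element names used to pull rule ID, path and process out of the event XML are an assumption that you should check against one real event on your own hosts. Run elevated on a machine with Microsoft Defender Antivirus.

```powershell
# Added example, not from the thread. Run elevated. Rule GUIDs are the documented ASR IDs;
# the exclusion path and the EventData field names are assumptions (see lead-in).

$Rules = @{
    'Block Office communication application from creating child processes'            = '26190899-1602-49e8-8b27-eb1d0a1ce869'
    'Block executable files unless they meet prevalence, age, or trusted list criteria' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
}

# 1. Put both rules into audit mode: nothing is blocked, but an event is still written per hit.
foreach ($id in $Rules.Values) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# 2. Collect what would have been blocked. Event 1122 = ASR audit, 1121 = ASR block.
function Get-AsrAuditHits {
    param([int]$Days = 7, [string[]]$RuleIds = $Rules.Values)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumption: EventData carries Data elements named 'ID', 'Path', 'Process Name', 'User'.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            RuleId  = ($d['ID'] -replace '[{}]', '')   # normalise in case the GUID is braced
            Path    = $d['Path']
            Process = $d['Process Name']
            User    = $d['User']
        }
    } | Where-Object { $RuleIds -contains $_.RuleId }
}

# Per rule and path, so you can see exactly which binaries need an exclusion before going to block mode.
Get-AsrAuditHits -Days 7 |
    Group-Object RuleId, Path |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 3. Exclude a tightly controlled installer folder (hypothetical path).
#    Caveat: -AttackSurfaceReductionOnlyExclusions applies to ALL ASR rules, not only the prevalence rule,
#    so the folder must not be writable by standard users or it becomes a bypass for every rule.
$installerFolder = 'C:\Deploy\Installers\'
Add-MpPreference -AttackSurfaceReductionOnlyExclusions $installerFolder

# Verify the exclusion actually landed.
(Get-MpPreference).AttackSurfaceReductionOnlyExclusions

# 4. Once the audit data is clean, move a rule to block mode. Re-adding an existing rule ID
#    updates that rule's action in place.
Add-MpPreference -AttackSurfaceReductionRules_Ids $Rules['Block Office communication application from creating child processes'] `
                 -AttackSurfaceReductionRules_Actions Enabled
```

Two practical notes: check the ACL on any excluded folder, because an exclusion on a user-writable path removes that path from every ASR rule at once; and keep the audit query running after you enable block mode, switching the filter to event 1121, so new legitimate software shows up as blocks you can act on instead of silent user complaints.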
- NielsScheffers (Iron Contributor)
Kiril, there are several solutions for elevated user sessions like that.
In your case, you could use Privileged Access Management to give your admins (temporary) local privileges, so they can guide the user. If you want the user to do this autonomously, you can check this post on my blog (https://threeisacloud.tech/power-to-the-user/) or, depending on your requirements, look for more compliant solutions than mine :).