Forum Discussion
Implementing ASR - Block credential stealing
Hi experts,
I'm about to deploy ASR policies via Intune... running them in Audit mode to see how they will affect end users... And from what I can see, 99% of all "hits" there are for "Block credential stealing from the Windows local security authority subsystem (lsass.exe)".
So I have checked a few files that were blocked and there are files like "msiexec.exe, spoolsv.exe" which, as I have searched, are regular and quite important MS files. I am surprised that these are blocked as they are MS files... there are a few more... + files for running Adobe updates, Google updates, etc.
Is this expected? ... Do I also need to add Windows files as exceptions?
3 Replies
- G_Wilson3468, Iron Contributor
Yes, this is expected. As a default, ASR policies are supposed to be conservative. There are some malicious activities that behave in a similar way to legitimate activity. Microsoft defaults on the side of caution and alerts on these files. This is not unusual.
I suggest that you add exceptions for necessary Windows files, so you don't encounter a situation where you block critical processes.
The best practice here would be to review these policies on a scheduled basis. Digital environments can change and policies should be reviewed to ensure they are still relevant.
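For the audit-mode review described above, an added PowerShell example (not code from this thread or from Microsoft) that summarises which processes triggered the LSASS rule on one device and shows where ASR-only exclusions are managed with the Defender cmdlets; the rule GUID and event IDs are the documented ones, while the EventData field names ('ID', 'Path', 'Process Name', 'User') are an assumption to confirm against a local event before relying on the output.

```powershell
# Added example: summarise ASR audit/block events for the LSASS credential-theft
# rule and review ASR-only exclusions. Run elevated on a device where the rule is
# deployed; needs the Defender module (Get-MpPreference / Add-MpPreference).

# Documented rule GUID for "Block credential stealing from the Windows local
# security authority subsystem (lsass.exe)".
$LsassRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# Defender operational log: 1121 = rule fired in block mode, 1122 = audit mode.
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

# Read a named EventData field from the event XML. The field names used below
# are assumed; verify them with: ([xml]$Events[0].ToXml()).Event.EventData.Data
function Get-AsrEventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$Hits = foreach ($e in $Events) {
    # Keep only events raised by the LSASS rule.
    if ((Get-AsrEventField $e 'ID') -ne $LsassRule) { continue }
    [pscustomobject]@{
        Mode    = if ($e.Id -eq 1122) { 'Audit' } else { 'Block' }
        Process = Get-AsrEventField $e 'Process Name'
        Target  = Get-AsrEventField $e 'Path'
        User    = Get-AsrEventField $e 'User'
        Time    = $e.TimeCreated
    }
}

# Processes that touched lsass and how often: the list to review before excluding.
$Hits | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Existing ASR-only exclusions. Note these apply to every ASR rule on the device,
# not just this one, so each entry widens the gap for all rules.
(Get-MpPreference).AttackSurfaceReductionOnlyExclusions

# After review, exclude a specific, signed binary rather than a whole directory.
# The path below is a placeholder; replace it with the reviewed process path.
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\Vendor\updater.exe'
```

Running this on a handful of audit-mode devices gives a per-process count to compare against the Intune report before any exclusion is added centrally.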
- sumo83, Iron Contributor
thanks!.... no problem at all... I review ASR reports regularly so that is not an issue... Was just not expecting it would block regular Windows files.... But yeah, makes sense from a security point of view 🙂
will be adding exceptions for them..
- G_Wilson3468, Iron Contributor
Anytime, glad I could help. Could you mark this as the best answer if it fits that description?