sumo83
Iron Contributor
Feb 16, 2024
Solved

Implementing ASR - Block credential stealing

Hi experts, I'm about to deploy ASR policy via Intune... running them in Audit mode to see how it will affect end users... And from what I can see, 99% of all "hits" there are for "Block credenti...
  • G_Wilson3468
    Feb 16, 2024

    sumo83 

    Yes, this is expected. As a default, ASR policies are supposed to be conservative. There are some malicious activities that behave in a similar way to legitimate activity. Microsoft defaults on the side of caution and alerts on these files. This is not unusual.

    I suggest that you add exceptions for necessary Windows files, so you don't encounter a situation where you block critical processes. 

     

    The best practice here would be to review these policies on a scheduled basis. Digital environments can change and policies should be reviewed to ensure they are still relevant.  
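
One way to see which processes are behind the audit hits before deciding on exclusions, as an added example that is not part of the original thread. It assumes the audit events are ASR event ID 1122 in the Defender operational log, that the rule is identified by GUID `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`, and that the event data fields are named `ID`, `Path`, `Process Name` and `User`; the 14-day window is an arbitrary choice.

```powershell
# Added example: summarize audit-mode hits (event ID 1122) for the
# "Block credential stealing from LSASS" ASR rule on the local machine.
# Assumption: EventData field names 'ID', 'Path', 'Process Name', 'User'.
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
$Since       = (Get-Date).AddDays(-14)   # review window (arbitrary choice)

$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1122                      # 1122 = audited, 1121 = blocked
    StartTime = $Since
}

$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten <Data Name="...">value</Data> elements into a hashtable.
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $fields[$d.GetAttribute('Name')] = $d.InnerText
        }
        # Keep only events raised by the LSASS rule (-eq ignores case).
        if ($fields['ID'] -eq $LsassRuleId) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Process = $fields['Process Name']   # process that touched LSASS
                Target  = $fields['Path']
                User    = $fields['User']
            }
        }
    }

# One row per source process: how often it fired and when it last fired.
$hits | Group-Object Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { $_.Group.Time | Sort-Object | Select-Object -Last 1 } } |
    Format-Table -AutoSize
```

Running the same summary at each scheduled policy review shows whether an existing exclusion still corresponds to a process that is actually present.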
