Forum Discussion

brink668's avatar
brink668
Brass Contributor
Aug 03, 2022
Solved

ASR - Behavior Changes - Blocking under User Context Now?

Since July 7-27-2022 I have been seeing around 40 of 1800 machines in my work environment that are showing blocks under %userprofile% or usercontext for .dll blocks. This is new behavior and is rece...
  • FTurp's avatar
    FTurp
    Aug 15, 2022
    I've so far only managed to check on one endpoint that was having the issue, However it's Security Intelligence Version updated to 1.373.383.0 this morning and it is no longer showing any symptoms of the problem. So early signs are encouraging that this may be fixed.
FTurp's avatar
FTurp
Copper Contributor
Aug 11, 2022

We are experiencing the same/similar issue too. Started about 2 weeks ago, is only effecting a small number of computers but number seems to be growing.

 

When Outlook requires authentication Defender blocks the log on screen from appearing as the ASR rule "Block executable content from email and client webmail" is blocking .JS files in C:\Users\local_\INetCache\IE<FOLDER>

Actual file can vary but so far I have seen: C:\Users\local_\INetCache\IE<FOLDER>\CommonDiagnostics[1].js
C:\Users\local_\INetCache\IE<FOLDER>\knockout-3.4.2[1].js
C:\Users\local_\INetCache\IE<FOLDER>\jsonstrings[1].js
C:\Users\local_\INetCache\IE<FOLDER>\jquery-1.12.4.1.min[1].js
C:\Users\local_\INetCache\IE<FOLDER>\hrd.min[1].js

 C:\Users\local_\INetCache\IE<FOLDER>\convergedlogin_pccustomizationloader[1].js

 

Is any one any closer to knowing what is going on with this?

MikePalmer75's avatar
MikePalmer75
Brass Contributor
Aug 11, 2022
We are seeing odd behaviour in that we started a rollout of a plugin to 3000 machines which had been under test for several months on 450 machines. The machines which had the application installed yesterday are reporting ASR events but the 450 pilot machines are working fine. It's almost like the ASR is trigger as it has seen a change to Outlook plugins.

Resources