brink668
Aug 03, 2022, Brass Contributor
ASR - Behavior Changes - Blocking under User Context Now?
Since July 7-27-2022 I have been seeing around 40 of 1800 machines in my work environment that are showing blocks under %userprofile% or usercontext for .dll blocks. This is new behavior and is rece...
Intune_Support_Team
Microsoft
Thanks for the report! We were alerted to this thread out on Twitter and wanted to share that we’ve connected with our friends on the Defender for Endpoint team and confirmed that a signature update will be rolled out over the next few hours to resolve this issue.
TakedaShingen
Aug 15, 2022, Copper Contributor
OK, to finish our experience: after 2 more fixes from Microsoft we seem to be fine now.
Some users that had problems don't have them anymore.
In reports -> ASR rules I also don't see any more blocks of our 3rd party software in "block exe content from email and webmail", so it's a bit early to be sure, but for now it looks like all is fixed for us.
- FTurp, Aug 15, 2022, Copper Contributor: I've so far only managed to check on one endpoint that was having the issue. However, its Security Intelligence Version updated to 1.373.383.0 this morning and it is no longer showing any symptoms of the problem. So early signs are encouraging that this may be fixed.
- brink668, Aug 15, 2022, Brass Contributor: This looks fully resolved now with Security Intelligence Definitions Version being 1.373.383.0
- shend141, Aug 16, 2022, Copper Contributor: Since Microsoft rolled out 1.373.383.0 released 8/15/2022 3:28:43 AM (I'm currently on 6 versions higher than 383: 410>421>435>449>452>460), ASR detections have certainly fallen which is a good sign, but we're still seeing some detections for safe/known DLLs such as iManage, Acrobat etc.
We can carry out manual Defender updates and reboots. In the meantime, can you advise if we need to do anything else to remove these false-positive detections please?
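
The check the replies above describe doing by hand, as an added example that is not part of the thread or Microsoft's guidance: it compares the endpoint's Security Intelligence version with 1.373.383.0 and lists recent ASR events for DLLs under user profiles. The seven-day window, the function names and the event-data field names (`ID`, `Path`, `Process Name`) are assumptions; run it elevated on the endpoint.

```powershell
# Added example. Names not quoted in the thread are assumptions.
$FixedVersion = [version]'1.373.383.0'   # version the thread reports as resolving the blocks
$LookbackDays = 7                        # assumption: review window

function Test-SignatureAtLeast {
    param([string]$Current, [version]$Minimum)
    return ([version]$Current -ge $Minimum)
}

function ConvertTo-AsrRecord {
    param($Record)
    # Flatten <EventData><Data Name="..."> into a hashtable keyed by field name.
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $Record.TimeCreated
        EventId = $Record.Id                 # 1121 = blocked, 1122 = audited
        RuleId  = $data['ID']                # assumption: ASR rule GUID field
        Path    = $data['Path']              # assumption: blocked file path field
        Process = $data['Process Name']      # assumption: initiating process field
    }
}

$status = Get-MpComputerStatus
$atFix  = Test-SignatureAtLeast -Current $status.AntivirusSignatureVersion -Minimum $FixedVersion
'Security intelligence {0} (updated {1}); at or above {2}: {3}' -f `
    $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated, $FixedVersion, $atFix

$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-$LookbackDays)
}
$records = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-AsrRecord $_ }

# DLL events under a user profile, grouped so recurring paths stand out.
$records |
    Where-Object { $_.Path -like '*\Users\*' -and $_.Path -like '*.dll' } |
    Group-Object RuleId, Path |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen';    e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } },
        @{ n = 'AfterUpdate'; e = { [bool]($_.Group | Where-Object { $_.Time -gt $status.AntivirusSignatureLastUpdated }) } }
```

Rows with `AfterUpdate` set to `True` are events logged after the most recent definition update, which separates detections still occurring on current definitions from older entries left in the log.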