Forum Discussion
brink668
Aug 03, 2022 Brass Contributor
ASR - Behavior Changes - Blocking under User Context Now?
Since July 7-27-2022 I have been seeing around 40 of 1800 machines in my work environment that are showing blocks under %userprofile% or usercontext for .dll blocks. This is new behavior and is rece...
TakedaShingen
Copper Contributor
OK, to finish our experience: after 2 more fixes from Microsoft we seem to be fine now.
Some users that had problems don't have them anymore.
In Reports -> ASR rules I also don't see any more blocks of our 3rd-party software in "block exe content from email and webmail", so it's a bit early to be sure, but for now it looks like all is fixed for us.
FTurp
Aug 15, 2022 Copper Contributor
I've so far only managed to check on one endpoint that was having the issue; however, its Security Intelligence Version updated to 1.373.383.0 this morning and it is no longer showing any symptoms of the problem. So early signs are encouraging that this may be fixed.
- brink668
Aug 15, 2022 Brass Contributor
This looks fully resolved now with Security Intelligence Definitions Version being 1.373.383.0.
- shend141
Aug 16, 2022 Copper Contributor
Since Microsoft rolled out 1.373.383.0, released 8/15/2022 3:28:43 AM (I'm currently on 6 versions higher than 383: 410>421>435>449>452>460), ASR detections have certainly fallen, which is a good sign, but we're still seeing some detections for safe/known DLLs such as iManage, Acrobat, etc.
We can carry out manual Defender updates and reboots. In the meantime, can you advise if we need to do anything else to remove these false-positive detections, please?
- brink668
Aug 16, 2022 Brass Contributor
I did not need to make any other modification in my test OU. I had removed all the DLL exclusions from my whitelist which I originally applied at the start of this issue.
You may need to review your ASR rules, though, and see if other rule types are causing the block; in that case you may still need to create special exclusions for those.
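The checks the thread converges on (is the endpoint on 1.373.383.0 or later, which ASR rule is still producing DLL blocks under %userprofile%, and which incident-time exclusions are still in place) can be scripted on a single endpoint. The following is an added example, not code posted by anyone in this thread or shipped by Microsoft. It assumes the fixed version quoted above (1.373.383.0), that ASR block events are ID 1121 in the Microsoft-Windows-Windows Defender/Operational log, and that the event Message text carries "ID:" (rule GUID) and "Path:" lines; the seven-day lookback and the `C:\Users\` prefix used to approximate %userprofile% are choices made here, not values from the thread.

```powershell
# Added example (not from any poster in this thread): triage ASR false-positive
# blocks on one endpoint after the 1.373.383.0 Security Intelligence update.
# Run in an elevated PowerShell session on a Windows endpoint with Defender.
# Assumptions: fixed version is 1.373.383.0 (from the thread); ASR block events
# are ID 1121 in Microsoft-Windows-Windows Defender/Operational and their Message
# text carries "ID:" (rule GUID) and "Path:" lines; lookback window is a choice.

$FixedVersion = [version]'1.373.383.0'
$LookbackDays = 7

# 1. Is this endpoint on a Security Intelligence version that includes the fix?
$status  = Get-MpComputerStatus
$current = [version]$status.AntivirusSignatureVersion
if ($current -lt $FixedVersion) {
    Write-Warning "Security Intelligence $current is older than $FixedVersion - run Update-MpSignature and re-check."
} else {
    Write-Host "Security Intelligence $current is at or above $FixedVersion."
}

# 2. Which ASR rules have blocked what, and how many blocks were DLLs under a user profile?
$since  = (Get-Date).AddDays(-$LookbackDays)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121            # ASR rule fired in Block mode (assumed event ID)
    StartTime = $since
} -ErrorAction SilentlyContinue

$blocks = foreach ($e in $events) {
    $ruleId = if ($e.Message -match 'ID:\s*(\{?[0-9A-Fa-f-]{36}\}?)') { $Matches[1] } else { 'unknown' }
    $path   = if ($e.Message -match 'Path:\s*(.+)') { $Matches[1].Trim() } else { 'unknown' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        RuleId      = $ruleId
        Path        = $path
        UserProfile = $path -like 'C:\Users\*'   # approximates the thread's "blocks under %userprofile%"
        IsDll       = $path -like '*.dll'
    }
}

"`nASR blocks in the last $LookbackDays days, grouped by rule GUID:"
$blocks | Group-Object RuleId | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"`nDLL blocks under a user profile (the pattern reported in this thread):"
$blocks | Where-Object { $_.UserProfile -and $_.IsDll } |
    Sort-Object Time -Descending | Select-Object Time, RuleId, Path | Format-Table -AutoSize -Wrap

# 3. Current ASR configuration and ASR-only exclusions. Exclusions added as a
#    workaround during the incident should be reviewed and removed once the
#    blocks have stopped, as brink668 describes doing in the test OU.
$pref = Get-MpPreference
"`nConfigured ASR rules (Action 1 = Block, 2 = Audit, 6 = Warn):"
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  ->  {1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}
"`nASR-only exclusions still in place:"
$pref.AttackSurfaceReductionOnlyExclusions
```

Running this on an endpoint that shend141 describes (on a version past 1.373.383.0 but still blocking known DLLs) separates the two cases brink668 distinguishes: if the grouped output shows a single rule GUID producing the remaining blocks, that rule, not the signature update, is what needs an exclusion or a mode change to Audit; if the exclusions list still holds paths added during the incident, they can be removed and the block counts re-checked after the next lookback period.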