Forum Discussion
ASR exclusion via GPO not working as expected
I have a group of users who is attempting to open attachments in outlook that run from a specific program and the ASR rule "Block only Office communication applications from creating child processes" is blocking this action. We are using GPO for management and I attempted to create a GPO exclusion to cover the listed "Affected items" exe using the exact path to the exe, but that does not appear to have worked.
The documentation in the GPO suggests using "0" for the value and "filepath", but then I just found a reference at https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-implement?view=o365-worldwide stating "Do not use quotes as they are not supported..." under the "Use group policy to exclude files and folders" section. Which one is right? use quotes on value and value name, don't use quotes anywhere, a mix of the two, or it doesn't matter either way?
I also just came across https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide which mentions "The following ASR rules DO NOT honor MS Defender AV exclusions:" and in there, it lists the Block office communication application from creating child processes.
So... is it possible to make this exclusion so I don't trigger this ASR rule?
2 Replies
AdelAlDabbasMicrosoft
Hello abl-bgd,
First, it is recommended to go through "How do I know what I need to exclude?" section here: Attack surface reduction frequently asked questions (FAQ) | Microsoft Learn
If you are using GPO, do not use quotes as advised here: Implement attack surface reduction rules | Microsoft Learn
ASR exclusions are independent from Microsoft Defender Antivirus exclusions. However, Microsoft Defender Antivirus exclusions do apply to some attack surface reduction rules. This specific rule doesn't honor AV exclusions.
In other words, if you define the exclusion using this method: Configure and validate exclusions based on extension, name, or location | Microsoft Learn it will not work. You will need this: Implement attack surface reduction rules | Microsoft Learn
Note: Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Excluded files will be allowed to run, and no report or event will be recorded.
Thanks for that confirmation. The GPO itself has documentation that appears to imply that a quote should be used, but it wasn't working which is what brought me here.
