Forum Discussion

Damir's avatar
Damir
Brass Contributor
Aug 21, 2022

ASR question: AsrOfficeChildProcessBlocked

Hello,

 

I have some questions about these rules and the best way to realistically handle them. We have been using Defender + ASR for about a year so we're mostly up to speed about how it works.

 

Question 1

I enabled block mode for AsrOfficeChildProcessBlocked for a small pilot group which includes myself and I'm getting random Outlook attachments block events when I open a PowerPoint file sent to me by my manager for example.

 

CLI call that shows up in the hunting lookup:

"POWERPNT.EXE" /vu "C:\Users\username\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\HSBRV6ZL\finanameoffppthere_vF.pptx"

AsrOfficeChildProcessBlocked / d4f940ab-401b-4efc-aadc-ad5f3c50688a - rule ID

 

I imagine these rules are meant to work with Outlook attachments, why is this triggering and what is the correct way to manage it? What are we doing wrong?

 

 

 

Question 2

What is the correct way to manage Office plugins for these rules? I'd like to avoid ASR exclusion paths since they're a fairly easy to abuse by making a "bad" file match an excluded path, and the rules are very "conveniently" findable in PS and Registry allowing an attacker a path location on where they can avoid ASR since the exclusions aren't rule specific. No way to say only apply this rule if there is a specific file or app present already etc without having 100s of unique exclusion groups across the enterprise, it's not really manageable at scale.

 

I've added the signing Certificate for a plugin that triggers the rule sometimes to the global indicators list as allowed but it still alerts since the call action is Officeapp.exe >calls> Plugin.exe so I imagine the indicator is useless here for this kind of execution flow. Is there some sort of way to say these executables are "safe" to be called by Office apps? Clearly MS can make Teams and other plugins exempt somehow, is there a way to get other plugins or add-ins added to this list?

 

 

Finally - even though things get "blocked" the file opens just fine. So whatever Defender ASR is doing is not actually breaking actual functionality which is good. Would be great if we could actually suppress those notifications on the endpoint completely. Is there a way to tell Defender to not prompt (toast notification) the user for an ASR block but still alert them to things like AV file or other actions?

 

Thanks!

Resources