Forum Discussion
Groove200
Mar 09, 2023Brass Contributor
ASR rules and Cloud Delivered Protection
Does anybody have knowledge of, or a link to, more detail on how the ASR rule 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' actually works? I und...
rahuljindal
Mar 09, 2023Bronze Contributor
Cloud protection is a must and the trust list is managed by Microsoft to determine the reputation of the exe. I doubt if this can function without internet access as true for most of the Defender real time components. Some more details are available in the FAQ here - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-faq?view=o365-worldwide#are-the-criteria-used-by-the-rule---block-executable-files-from-running-unless-they-meet-a-prevalence--age--or-trusted-list-criterion---configurable-by-an-admin-
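Since the answer above hinges on cloud-delivered protection being on and the rule actually being in Block mode, here is an added PowerShell check (not from this thread or from Microsoft) that audits both on a Windows 10/11 endpoint with the Defender module, and lists recent ASR block/audit events so you can see what the rule did. It assumes the rule GUID below is the one Microsoft documents for this rule (the thread does not give it; verify it against the ASR rules reference for your build) and that ASR events use IDs 1121 (block) and 1122 (audit) in the Defender operational log.

```powershell
# Added example, not from the thread: audit the prerequisites for the
# "prevalence, age, or trusted list" ASR rule and show what it has done lately.
# Assumption: this GUID is the documented ID for that rule; confirm for your build.
$ruleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Cloud-delivered protection (MAPS): 0 = Disabled, 1 = Basic, 2 = Advanced.
# The rule's reputation lookups depend on this, so 0 means it cannot do its job.
$mapsLevel = [int]$pref.MAPSReporting

# Resolve the configured action for this rule.
# Actions: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn.
$ids     = [string[]]@($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $_ } | ForEach-Object { $_.ToLower() })
$actions = [int[]]   @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
$idx     = [Array]::IndexOf($ids, $ruleId.ToLower())
$action  = if ($idx -ge 0 -and $idx -lt $actions.Count) { $actions[$idx] } else { 0 }
$actionName = switch ($action) {
    0       { 'Off' }
    1       { 'Block' }
    2       { 'Audit' }
    6       { 'Warn' }
    default { "Unknown($action)" }
}

[pscustomobject]@{
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    CloudProtectionMAPS  = $mapsLevel -ne 0
    MAPSLevel            = $mapsLevel
    SampleSubmission     = $pref.SubmitSamplesConsent   # 0 = Always prompt, 1 = Send safe, 2 = Never, 3 = Send all
    PrevalenceRuleAction = $actionName
} | Format-List

# Recent ASR events for this rule: 1121 = blocked, 1122 = audited (would have blocked).
# Assumption: these are the standard Defender ASR event IDs; adjust if your log differs.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $ruleId } |
    Select-Object TimeCreated, Id, @{n='Summary'; e={ ($_.Message -split "`n")[0] }} |
    Format-Table -AutoSize

# To turn the rule on in Block mode (elevated prompt):
# Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions Enabled
# Or to evaluate it first without blocking anything:
# Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions AuditMode
```

If `CloudProtectionMAPS` comes back `False`, the rule is configured but effectively blind, which is the point rahuljindal makes; the 1121/1122 event list is where you would look to confirm whether a given executable was actually stopped by this rule rather than by another Defender component.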
Groove200
Mar 10, 2023Brass Contributor
Thanks, kind of what I thought, but wondered would an exe run if there was no internet access (if it is blocked when there is internet access, for example). Question being: can you 'bypass' the block by disconnecting from the internet (so the cloud can't check), run the exe, and then reconnect to the internet. I guess I can check this by trying 😉
The bigger question is, is it expected behaviour for an exe that is initially blocked (a brand new, just-compiled exe) to be allowed to run some time after the cloud has 'checked it'?