dperusich
Jun 07, 2023 · Copper Contributor
Attack surface reduction exclusion for cmd.exe
We have a group of users who are receiving ASR blocks in a design tool we use called Rhino7 for one of the add-ons, which is called Ladybug Tools. This add-on is a bunch of Python libraries, and when they are called they execute "cmd.exe" with various Parent Commandlines, like the one from the code block below.
While I certainly do not want to blanket allow any "cmd.exe" execution, how can I craft an ASR Exclusion to account for this?
Parent Commandline: C:\Windows\system32\cmd.exe /c "honeybee-radiance sunpath parse-hours suns.mod --name sun-up-hours.txt"
Parent Commandline: C:\Windows\system32\cmd.exe /c "honeybee-radiance translate model-to-rad-folder model.hbjson --grid "*" --grid-check"
Parent Commandline: C:\Windows\system32\cmd.exe /c "honeybee-radiance sky mtx sky.wea --name sky --north 0.0 --sky-type sun-only --hourly --sun-up-hours --visible --output-format ASCII --sky-density 1"
Parent Commandline: C:\Windows\system32\cmd.exe /c "honeybee-radiance sky skydome --name rflux_sky.sky --sky-density 1"
Parent Commandline: C:\Windows\system32\cmd.exe /c "honeybee-radiance sky mtx sky.wea --name sky --north 0.0 --sky-type total --hourly --sun-up-hours --visible --output-format ASCII --sky-density 1"
Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 01443614-CD74-433A-B99E-2ECDC07BFC25
Detection time: 2023-06-07T15:00:57.573Z
User: DOMAIN\user
Path: C:\Program Files\ladybug_tools\python\Scripts\honeybee-radiance.exe
Process Name: C:\Windows\System32\cmd.exe
Target Commandline:
Parent Commandline: C:\Windows\system32\cmd.exe /c "honeybee-radiance sky mtx sky.wea --name sky --north 0.0 --sky-type sun-only --hourly --sun-up-hours --visible --output-format ASCII --sky-density 1"
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.391.723.0
Engine Version: 1.1.23050.3
Product Version: 4.18.23050.3
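
An added example, not part of the original post: a PowerShell sketch that reads the ID, Path and Process Name fields from the notification above and proposes a single-file exclusion, refusing anything that would exclude cmd.exe or another Windows binary. It assumes the blocked file is the one in the Path field; the function name `Get-AsrExclusionCandidate` is hypothetical.

```powershell
# Field values copied from the block notification in the post.
$eventText = @'
ID: 01443614-CD74-433A-B99E-2ECDC07BFC25
Path: C:\Program Files\ladybug_tools\python\Scripts\honeybee-radiance.exe
Process Name: C:\Windows\System32\cmd.exe
'@

function Get-AsrExclusionCandidate {
    param([Parameter(Mandatory)][string]$EventText)

    # Collect the three "Name: value" pairs needed for the decision.
    $fields = @{}
    foreach ($line in $EventText -split "`r?`n") {
        if ($line -match '^\s*(ID|Path|Process Name):\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    foreach ($name in 'ID', 'Path', 'Process Name') {
        if (-not $fields.ContainsKey($name)) { throw "Missing field: $name" }
    }

    $path = $fields['Path']
    # Guard 1: never exclude the launcher (cmd.exe here) or anything under the Windows directory.
    if ($path -ieq $fields['Process Name'] -or $path -like "$env:SystemRoot\*") {
        throw "Refusing to exclude a system binary: $path"
    }
    # Guard 2: one fully qualified file only, no wildcards and no whole folders.
    if ($path -match '[*?]' -or $path -notmatch '^[A-Za-z]:\\.+\.exe$') {
        throw "Refusing a broad or non-executable exclusion: $path"
    }

    [pscustomobject]@{
        RuleId      = $fields['ID'].ToLower()
        ExcludePath = $path
        Launcher    = $fields['Process Name']
    }
}

$candidate = Get-AsrExclusionCandidate -EventText $eventText
$candidate | Format-List

# After review, from an elevated session on a test machine:
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions $candidate.ExcludePath
# (Get-MpPreference).AttackSurfaceReductionOnlyExclusions
```

An entry added with `-AttackSurfaceReductionOnlyExclusions` is not limited to the rule ID shown in the notification, so the excluded file's folder should be writable by administrators only.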