david0K
Copper Contributor
Feb 08, 2024

Defender is blocking 7zip exe per ASR Rule AsrRansomwareBlocked for Windows 11 Devices

Hi,

We have received a few messages from our users that our Defender is blocking actions on our notebooks. In the Advanced hunting result you can see that a process is running that prevents 7z.exe from running. These messages appear randomly and even if you do nothing on the notebook.

Process Tree of this result:

I am not sure if it is the ps1 that is trying to run or the 7z.exe. Attached is the process tree.

According to the documentation, files that are not validly signed are blocked.

7zip is displayed as unsigned.

Could this be the reason? If so, why is this only blocked on Windows 11 devices and not on Windows 10?

If this is a false positive, can I simply whitelist the hash value to avoid the messages?

Any information would be helpful for me - thanks!

  • jbmartin6
    Iron Contributor
    Possibly your ransomware protection settings are different on your Windows 10 and Windows 11 hosts.
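
One way to compare the settings the reply refers to, as an added example that is not part of the original thread: run this in an elevated PowerShell session on one Windows 10 and one Windows 11 device and diff the output. The 7-Zip path is an assumed default install location; the rule GUID is the one Microsoft documents for "Use advanced protection against ransomware".

```powershell
# Added example: collect the ASR ransomware rule state and related settings
# on one host so that two hosts can be compared side by side.
$RansomwareRule = 'c1db55ab-c21a-4637-bb3f-a12568109d35'   # documented ASR rule GUID
$Target         = 'C:\Program Files\7-Zip\7z.exe'          # assumption: default install path
$ActionNames    = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)

# The Ids and Actions arrays are parallel: index i of one matches index i of the other.
$state = 'Not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $RansomwareRule) {
        $a = [int]$actions[$i]
        $state = if ($ActionNames.ContainsKey($a)) { $ActionNames[$a] } else { "Unknown ($a)" }
    }
}

$present = Test-Path -LiteralPath $Target
$status  = Get-MpComputerStatus

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    OSVersion           = [System.Environment]::OSVersion.Version.ToString()
    RansomwareRuleState = $state
    AsrOnlyExclusions   = @($pref.AttackSurfaceReductionOnlyExclusions) -join '; '
    # This rule depends on cloud-delivered protection, so record those settings too.
    MAPSReporting       = $pref.MAPSReporting
    CloudBlockLevel     = $pref.CloudBlockLevel
    AMProductVersion    = $status.AMProductVersion
    SignatureStatus     = if ($present) { (Get-AuthenticodeSignature -LiteralPath $Target).Status } else { 'File not found' }
    SHA256              = if ($present) { (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash } else { $null }
} | Format-List

# Recent ASR events for this rule (1121 = blocked, 1122 = audited). The message text
# names the blocked file and the parent process, which shows whether the .ps1 or 7z.exe was hit.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RansomwareRule } |
    Select-Object -First 10 TimeCreated, Id, Message |
    Format-List
```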