Forum Discussion
ASR - Behavior Changes - Blocking under User Context Now?
- Aug 15, 2022
I've so far only managed to check on one endpoint that was having the issue. However, its Security Intelligence version updated to 1.373.383.0 this morning and it is no longer showing any symptoms of the problem. So early signs are encouraging that this may be fixed.
Has anyone been given an explanation of why this is only affecting a small percentage of identically configured computers?
- brink668 Aug 12, 2022 Brass Contributor
Windows 10 Settings > Windows Security > Open Windows Security > Click "Check for Updates" under Virus & threat protection updates.
Edit: So far the updated definition has not helped we are now seeing improvements, however it seems like they are still making adjustments.
- shend141 Aug 12, 2022 Copper Contributor
We considered switching from Block to Audit Only mode, but since the number of incidents has vastly reduced and is on a downward spiral, we will stay in Block mode for now to maintain a balance between security and productivity by resolving any new incidents with file hash rules reactively.
- David Schrag Aug 12, 2022 Iron Contributor
Thanks. On what sort of cycle will the signatures get updated automatically?
- apr23 Aug 12, 2022 Copper Contributor
Good to know, I did not get any events in the last hours, but a lot of people are probably enjoying the weekend already.
To check which version is installed on the computer, run the following PowerShell command:
Get-MpComputerStatus | fl *version*
To force an update of the signatures, run the following commands in an elevated command prompt (source: https://www.microsoft.com/en-us/wdsi/defenderupdates):
cd %ProgramFiles%\Windows Defender
MpCmdRun.exe -removedefinitions -dynamicsignatures
MpCmdRun.exe -SignatureUpdate
- David Schrag Aug 12, 2022 Iron Contributor
I suppose I should know this, but how exactly do you get the updated security intelligence version?
- TakedaShingen Aug 12, 2022 Copper Contributor
So for us Microsoft replied:
"WDSI Security Intelligence team have gotten back to me and provided the following solution:
We have reviewed the reported issue, and this is a known issue
• And regarding ASR issues related to Block executable content from email client and webmail we have provided a global fix. The changes will be reflected in the security intelligence version 1.373.181.0 or above. So, we request you to update to the latest security intelligence version and verify the issue."
So after updating a problem client, indeed it changed. We get an all-new error message and block event in the Defender report.
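
An added example, not part of any post in this thread and not Microsoft's code: a PowerShell check that compares the installed security intelligence version with the 1.373.181.0 minimum quoted in the reply above and reports the configured action for the email/webmail ASR rule. The rule GUID and action codes are taken from Microsoft's ASR documentation rather than from the thread, and the function and variable names are illustrative.

```powershell
# Added example (not from the thread). Run on the endpoint being checked.

# Minimum security intelligence version quoted in the Microsoft reply above.
$MinimumFixedVersion = [version]'1.373.181.0'

# ASR rule "Block executable content from email client and webmail"
# (GUID from Microsoft's ASR rule reference, not from this thread).
$RuleId = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Test-SignatureVersion {
    param([string]$Installed, [version]$Minimum)
    # Compare as [version]: a plain string comparison would rank
    # 1.373.99.0 above 1.373.181.0.
    return ([version]$Installed) -ge $Minimum
}

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Rule IDs and actions are parallel arrays; either can be empty.
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$ruleAction = 'Not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $RuleId) {
        $code = [int]$actions[$i]
        $ruleAction = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown ($code)" }
    }
}

# One object per machine, suitable for Export-Csv or a remote inventory job.
[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    AtOrAboveFixVersion  = Test-SignatureVersion -Installed $status.AntivirusSignatureVersion -Minimum $MinimumFixedVersion
    EmailAsrRuleAction   = $ruleAction
}
```

Endpoints that report `AtOrAboveFixVersion = False` are the ones to target with the `MpCmdRun.exe -SignatureUpdate` steps posted earlier in the thread.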