tmtkachyk
Copper Contributor
Jul 21, 2023

Why are ASR Rules applied in audit mode blocking processes

I have two ASR policies deployed to different groups, one where most rules are block mode and one where all rules are audit mode.
The Block mode policy is deployed to one device group.

Audit mode is deployed to all devices.
According to my ASR reports and device timelines, ASR rules are blocking processes from devices enrolled on the audit mode only policy.
The rules applying the block are:

  • Block all Office applications from creating child processes
  • Block Win32 API calls from Office macro

I've reviewed the audit policy and verified all the rules are set to audit mode. I've reviewed the policy deployment, and these assets are definitely enrolled on the audit ASR policy. I've reviewed the ASR reports and the device timelines. Both are showing that the ASR rules blocked these processes.
Why is Defender for Endpoint blocking these processes when the rules are set to audit, and how do I get it to stop?
Thanks

    dnsrk
    Brass Contributor

    tmtkachyk

    Can you check on the device if the ASR configuration has been applied correctly?

    Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
    Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions

    Action should be "2" and your GUIDs are:

    • Block all Office applications from creating child processes {d4f940ab-401b-4efc-aadc-ad5f3c50688a}
    • Block Win32 API calls from Office macro {92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b}
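The two Get-MpPreference calls above return parallel arrays, so reading them separately makes it easy to mis-pair a GUID with its action. The script below is an added example, not code from either poster: it joins the two arrays by index, labels the two rule GUIDs from this thread, maps the documented action values (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn) to names, and then pulls the Defender operational-log events that record ASR firings (event ID 1121 for a block, 1122 for an audit-only hit), which is the on-device evidence that the report and timeline are summarising. The rule-name table only covers the two GUIDs named here; any other configured rule is reported as "(other rule)". Run it in an elevated PowerShell session on one of the affected devices.

```powershell
# Added example (not from the original thread): show the effective ASR action per rule on this
# device and list recent ASR events, so a device that should be audit-only can be checked directly.

# GUIDs taken from the thread above; other rule GUIDs are simply reported as "(other rule)".
$RuleNames = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
}

# Documented Set-MpPreference action values for AttackSurfaceReductionRules_Actions.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # _Ids and _Actions are aligned by index: element i of each describes the same rule.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id     = ([string]$ids[$i]).ToLower()
        $action = [int]$actions[$i]
        [pscustomobject]@{
            RuleId     = $id
            RuleName   = if ($RuleNames.ContainsKey($id)) { $RuleNames[$id] } else { '(other rule)' }
            Action     = $action
            ActionName = if ($ActionNames.ContainsKey($action)) { $ActionNames[$action] } else { "Unknown($action)" }
        }
    }
}

function Get-AsrEvents {
    # 1121 = rule fired in block mode, 1122 = rule fired in audit mode (Defender operational log).
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Message = $_.Message
        }
    }
}

$state = Get-AsrRuleState
Write-Host "Configured ASR rules on $env:COMPUTERNAME:"
$state | Format-Table RuleId, RuleName, Action, ActionName -AutoSize

# On a device that is meant to be audit-only, anything listed here is a policy mismatch worth chasing.
$notAudit = $state | Where-Object { $_.Action -ne 2 }
if ($notAudit) {
    Write-Warning "Rules NOT in audit mode (expected Action = 2):"
    $notAudit | Format-Table RuleId, RuleName, ActionName -AutoSize
} else {
    Write-Host "All configured ASR rules are in audit mode."
}

Write-Host "ASR events from the last 7 days (1121 = block, 1122 = audit):"
Get-AsrEvents -Days 7 | Format-Table Time, EventId, Mode -AutoSize
```

If the effective action for the two GUIDs shows 1 (Block) even though the Intune policy assigned to the device says audit, the setting is coming from somewhere other than that policy (a second policy, Group Policy, or a local Set-MpPreference call), and the 1121 events give timestamps to line up against the deployment history; if the device shows 2 (Audit) and only 1122 events, the report is summarising a different device or an earlier configuration.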