tmtkachyk
Jul 21, 2023, Copper Contributor
Why are ASR Rules applied in audit mode blocking processes
I have two ASR policies deployed to different groups, one where most rules are block mode and one where all rules are audit mode. The Block mode policy is deployed to one device group. Audit mod...
dnsrk
Jul 23, 2023, Brass Contributor
Can you check on the device if the ASR configuration has been applied correctly?
Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions
Action should be "2" and your GUIDs are:
- Block all Office applications from creating child processes {d4f940ab-401b-4efc-aadc-ad5f3c50688a}
- Block Win32 API calls from Office macro {92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b}
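
The two commands in the reply above return parallel arrays, so the rule at position N in the ID list has the action at position N in the action list. The following is an added example, not part of the original reply, that pairs them into one table; the function name `Get-AsrRuleState` is hypothetical, and the action codes (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn) are the values Microsoft documents for ASR rules.

```powershell
# Added example: pair each ASR rule GUID with its effective action on this device.
# Action codes as documented by Microsoft for ASR rules.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# The two rules named in the reply above; any other GUID is reported without a name.
$RuleNames = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macro'
}

function Get-AsrRuleState {
    param(
        [string[]]$Ids,
        [int[]]$Actions
    )
    # The arrays are positional; a length mismatch means the output cannot be trusted.
    if ($Ids.Count -ne $Actions.Count) {
        throw "Id/action count mismatch: $($Ids.Count) ids, $($Actions.Count) actions"
    }
    for ($i = 0; $i -lt $Ids.Count; $i++) {
        # Normalise GUIDs: policy sources differ in case and in use of braces.
        $id = ($Ids[$i] -replace '[{}]', '').ToLower()
        $action = $Actions[$i]
        [pscustomobject]@{
            RuleId = $id
            Mode   = if ($ActionNames.ContainsKey($action)) { $ActionNames[$action] } else { "Unknown ($action)" }
            Rule   = if ($RuleNames.ContainsKey($id)) { $RuleNames[$id] } else { '(not listed in this thread)' }
        }
    }
}

# Read the effective configuration from the local Defender preferences.
$pref = Get-MpPreference
Get-AsrRuleState -Ids $pref.AttackSurfaceReductionRules_Ids `
                 -Actions $pref.AttackSurfaceReductionRules_Actions |
    Sort-Object Mode, RuleId |
    Format-Table -AutoSize
```

A rule that shows `Block` on a device that should only receive the audit policy indicates that device is also receiving a block-mode setting for that GUID from another policy source.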