Brok3NSpear
Brass Contributor
Jul 09, 2024

ASR Rule Blocking ms-teams.exe

Hi,

We have seen the ASR rule 'Block Office communication application from creating child processes' start to block ms-teams.exe this morning, which is causing quite a lot of issues in the estate.

The current workaround is to set the ASR rule 'Block Office communication application from creating child processes' to Audit Mode instead of Block Mode.

This has also been mentioned by a couple of people now on Twitter, so is MS aware of this issue, and do you know when a fix may be in place for this, so I can safely move the ASR rule back to Block Mode?

  • Why don't you just make an exclusion for this so it's fixed permanently right away instead of a workaround?
    • OC_007
      Copper Contributor
      Yes, I’ve taken the same steps, assuming it might be related to a specific version of Teams.

      Regarding notifications for known issues, is there a way to subscribe to a newsletter or receive notifications about such issues?
  • raphael1974
    Copper Contributor
    We had the same issue, but now everything is working again. In case you have Defender XDR, via advanced hunting you can see how big the impact was.
    Query:
    DeviceEvents
    | where ActionType startswith 'Asr' and ActionType startswith "AsrOffice" and FileName == "ms-teams.exe"
    | order by Timestamp
    Query end.
    Personally I think it was a bad Endpoint protection signature update. But now everything is back to normal.
    Regards Raphi
    • Brok3NSpear
      Brass Contributor
      Yep, the fix was added yesterday by MS on Security Intelligence version 1.415.13.0, so have reverted all changes since.
      • raphael1974
        Copper Contributor
        Is there an official statement from MS? Haven't seen anything....
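
The workaround and revert described in this thread, as an added PowerShell example that is not part of any poster's reply: it reads the rule's current state and the Security Intelligence version, moves the rule to Audit while definitions are older than the 1.415.13.0 fix reported above, and restores Block once the fix is present. It assumes the rule is managed locally through the Defender cmdlets (with Intune or Group Policy, change the policy there instead) and that Audit was only set as the temporary workaround.

```powershell
# Added example, not from the thread. Run elevated on a locally managed device.
# GUID of 'Block Office communication application from creating child processes'
$RuleId = '26190899-1602-49e8-8b27-eb1d0a1ce869'
# Security Intelligence version the thread reports as carrying the fix
$FixedVersion = [version]'1.415.13.0'

function Get-AsrRuleAction {
    # Returns the configured action for one ASR rule GUID as a readable string
    param([string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $Id) {          # -eq on strings is case-insensitive
            switch ([int]$actions[$i]) {
                0 { return 'Disabled' }
                1 { return 'Block' }
                2 { return 'Audit' }
                6 { return 'Warn' }
                default { return "Unknown($($actions[$i]))" }
            }
        }
    }
    return 'NotConfigured'
}

$state  = Get-AsrRuleAction -Id $RuleId
$sigVer = [version](Get-MpComputerStatus).AntivirusSignatureVersion
Write-Output "ASR rule state: $state; Security Intelligence version: $sigVer"

if ($sigVer -lt $FixedVersion) {
    # Definitions predate the fix: keep telemetry but stop blocking, then update
    if ($state -eq 'Block') {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                         -AttackSurfaceReductionRules_Actions AuditMode
    }
    Update-MpSignature
}
elseif ($state -eq 'Audit') {
    # Assumption: Audit was the temporary workaround, so Block is the target state
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
}
```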
