Forum Discussion
Brok3NSpear
Jul 09, 2024Brass Contributor
ASR Rule Blocking ms-teams.exe
Hi,
We have seen the ASR Rule for, 'Block Office communication application from creating child processes' start to block ms-teams.exe, this morning which is causing quite a lot of issues in the estate.
The current workaround is to set the ASR Rule of, 'Block Office communication application from creating child processes', to Audit Mode instead of Block Mode.
This has also been mentioned by a couple of people now on Twitter, so is MS aware of this issue and do you know when a fix may be in place for this, so I can safely move the ASR Rule back to Block Mode
- JosvanderVaartIron ContributorWhy don't you just make an exclusion for this so it's fixed permanently right away instead of a workaround?
- OC_007Copper ContributorYes, I’ve taken the same steps, assuming it might be related to a specific version of Teams.
Regarding notifications for known issues, is there a way to subscribe to a newsletter or receive notifications about such issues?
- JoshuaH2315Copper ContributorI am also seeing the same issue with some of my users.
- raphael1974Copper ContributorWe had the same issue, but now everything it is working again. In case you have Defender XDR, via advanced hunting you can see how big the impact was.
Query:
DeviceEvents
| where ActionType startswith 'Asr' and ActionType startswith "AsrOffice" and FileName == "ms-teams.exe"
| order by Timestamp
Query end.
Personally I think it was a bad Endpoint protection signature update. But now everything is back to normal.
Regards Raphi- Brok3NSpearBrass ContributorYep, the fix was added yesterday by MS on Security Intelligence version 1.415.13.0 so have reverted all changes since
- raphael1974Copper ContributorIs there a official statement from MS? Haven't seen anything....