Forum Discussion
Brok3NSpear
Jul 09, 2024Brass Contributor
ASR Rule Blocking ms-teams.exe
Hi, We have seen the ASR Rule for, 'Block Office communication application from creating child processes' start to block ms-teams.exe, this morning which is causing quite a lot of issues in the e...
raphael1974
Jul 10, 2024Copper Contributor
We had the same issue, but now everything it is working again. In case you have Defender XDR, via advanced hunting you can see how big the impact was.
Query:
DeviceEvents
| where ActionType startswith 'Asr' and ActionType startswith "AsrOffice" and FileName == "ms-teams.exe"
| order by Timestamp
Query end.
Personally I think it was a bad Endpoint protection signature update. But now everything is back to normal.
Regards Raphi
Query:
DeviceEvents
| where ActionType startswith 'Asr' and ActionType startswith "AsrOffice" and FileName == "ms-teams.exe"
| order by Timestamp
Query end.
Personally I think it was a bad Endpoint protection signature update. But now everything is back to normal.
Regards Raphi
- Brok3NSpearJul 10, 2024Brass ContributorYep, the fix was added yesterday by MS on Security Intelligence version 1.415.13.0 so have reverted all changes since
- raphael1974Jul 10, 2024Copper ContributorIs there a official statement from MS? Haven't seen anything....
- Brok3NSpearJul 10, 2024Brass Contributor
They added a notification in the Message Centre on Issue ID: DZ809811 yesterday at 16:48hrs GMT (UK time)
Root Cause:
A recent service update introduced a faulty signature code change that caused the ASR rules to block various actions in the Outlook desktop client.