Microsoft 365 Defender Portal - ASR Report

Contributor

To whom it may concern,

 

Somebody high up in Microsoft connected with the above mentioned portal needs to look at the detection process for ASR and the report.

 

It is inaccurate, and although I have no doubt that the offending ASR rule being vulnerable drivers will eventually be added to SC or the templates within the appropriate sections of MEM or that these can be implemented via ADMX it sort of makes the appropriate section of the MEM portal obsolete, as its not a complete solution.  

 

In fact I would go so far as to say that the Endpoint Security section of MEM is a botch.  It is designed for Enterprise but this is not what this post is about, nor the conflicts that may result from the security baselines, SC policies, and so on.  Microsoft MEM portal needs some work but that is IMHO.

 

Please note that I am a hobbyist but I do pay as does everyone for these reports and I have had to go to some lengths to prove that the attached report is incorrect (all my PCs are fully ASR compliant), as I have a script which pulls the ASR entries out of the registry, compiles them, and then annotates a file to the PC which I can then pull via live response (yes I am aware of diagnostics - but that only works on corporate devices not BYO).  So I know that all 16 rules are applied, no matter the implementation, on all devices whether BYO or corporate.

 

Even some of the hunting scripts I see that are written by MVP's and those in the pentesting fraternity (blue, red or purple) are incomplete, as they don't fully take into account all the registry entries involved or the various operating systems.  In a perfect world every body would be running Windows 10 or soon Windows 11 Enterprise but this is not the case.

 

Can somebody please fix the ASR Report in M365 Defender Portal to reflect the true nature of endpoints not what is implemented via MSDE controls or to be exact this registry entry,

 

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\ASRRules

 

As I am pretty sure after investing some time, that this is how the report bases its results

 

I have further work to do on Controlled Folder Access and Windows Defender exemptions but this is well posted about on LinkedIn and other media by people much smarter and with more time than me,

and I will eventually add more Ninja training to my resume but I appreciate a great deal that Ninja training is even available and the time that must be invested by individuals to make it so.

 

Thankyou for reading and consider this feedback that I regard highly important in a dangerous world.

 

Thanks.

Leon Scott

(constantly learning, interested and loves IT)

 

2021-09-12 (2).png

 

 

 

4 Replies
Hi Leon, Just checking if you've seen these articles? There is a series of 4

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog...
David,

I will read them again just in case I missed something, but I'm sure about my remarks. One way to prove would be to suspend the ASR rules in endpoint security and implement them via admx or another way that doesn't affect said registry key or even implementation through PowerShell utiling the appropriate command.

If I'm wrong I'll delete my post.

Thanks

Leon,
So better to not delete but press on...
Maybe I'm needing another coffee this morning,, but I'm still not entirely clear on what it is that's not correct? Can I be a pain and ask you to dumb it down for me?
Dave C
David,

I apologize on my extremely late reply.

To make it very short, I have given up on PowerShell to implement the "unsigned driver" ASR rule and moved to a CSP implementation as the aforementioned seems to be inconsistent using a custom Compliance Policy.

This issue will disappear when the "unsigned drivers" ASR rule is implemented via the MEM - Endpoint security - ASR

The current settings catalog implementation via ADMX/CSP in MEM - Devices - Compliance Policies only applies to Enterprise and Education - mine are professional.

Thankyou for your time, and you can see my frustration but I don't make the rules.