cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community
Find out more
SOLVED

Adding ASR rule exclusions based on command line

Princely
Copper Contributor

‎Apr 07 2022 02:43 PM

‎Apr 07 2022 02:43 PM

Adding ASR rule exclusions based on command line

Hello, 

I was wondering if it is possible to exclude a process from being blocked if a specific file is observed in its command-line ?  We have a situation where the ''AsrPsexecWmiChildProcessAudited'' rule is triggering on "WmiPrvSE.exe" launching "msiexec.exe" process. Looking at the command-line for "msiexec.exe" indicates it is launching a known legitimate file "xxx.msi". It would not be a good idea to exclude "msiexec.exe" as it can be used to arbitrarily execute any code. Would adding an ASR rule exclusion on the "xxx.msi" file exclude the event in the scenario mentioned above from being blocked? 
The existing documentation doesn't seem to cover this scenario: 
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-f...
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-extension-file-e...


Thanks,
Princely 

4,003 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by Sujit-MSFT (Microsoft)
Yong Rhee

‎Apr 12 2022 02:04 PM

‎Apr 12 2022 02:04 PM

Solution

Re: Adding ASR rule exclusions based on command line

@Princely, have you looked at submitting a FP to aka.ms/WDSI? Click on "ASR rules & network protection feedback" -> "Attack surface reduction rules" -> "Enterprise customer" -> "Continue" -> click on "Accept" (to the EULA) -> Fill in the info and submit. Thank you, Yong
0 Likes
Reply
Princely

‎Apr 18 2022 03:55 PM

‎Apr 18 2022 03:55 PM

Re: Adding ASR rule exclusions based on command line

@Yong Rhee
Thanks for the suggestion.
I am not sure which file should be uploaded to aka.ms/WDSI as the process observed i.e. msiexec.exe is too generic to be whitelisted and the installer file "xxx.msi" doesn't show up as a child process in this activity(it only shows up in the ProcessCommandLine for msiexec.exe). So I don't see how submitting "xxx.msi" as a false positive would stop triggering the "AsrPsexecWmiChildProcessAudited" event.

Regards,
Princely Dmello
0 Likes
Reply