SOLVED

Adding ASR rule exclusions based on command line


Hello, 

I was wondering if it is possible to exclude a process from being blocked if a specific file is observed in its command-line? We have a situation where the "AsrPsexecWmiChildProcessAudited" rule is triggering on "WmiPrvSE.exe" launching the "msiexec.exe" process. Looking at the command-line for "msiexec.exe" indicates it is launching a known legitimate file "xxx.msi". It would not be a good idea to exclude "msiexec.exe" as it can be used to arbitrarily execute any code. Would adding an ASR rule exclusion on the "xxx.msi" file exclude the event in the scenario mentioned above from being blocked?
The existing documentation doesn't seem to cover this scenario: 
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-f...
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-extension-file-e...


Thanks,
Princely 

2 Replies
best response confirmed by Sujit-MSFT (Microsoft)
Solution
@Princely, have you looked at submitting a FP to aka.ms/WDSI? Click on "ASR rules & network protection feedback" -> "Attack surface reduction rules" -> "Enterprise customer" -> "Continue" -> click on "Accept" (to the EULA) -> Fill in the info and submit. Thank you, Yong
@Yong Rhee
Thanks for the suggestion.
I am not sure which file should be uploaded to aka.ms/WDSI, as the process observed, i.e. msiexec.exe, is too generic to be whitelisted and the installer file "xxx.msi" doesn't show up as a child process in this activity (it only shows up in the ProcessCommandLine for msiexec.exe). So I don't see how submitting "xxx.msi" as a false positive would stop triggering the "AsrPsexecWmiChildProcessAudited" event.

Regards,
Princely Dmello
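Before deciding between a per-file exclusion and a false-positive submission, it helps to measure what the rule is actually catching. The advanced hunting query below is an added example (not from the thread or from Microsoft) that scopes the WmiPrvSE.exe -> msiexec.exe audit events described in the question and the follow-up; it assumes the DeviceEvents columns ActionType, InitiatingProcessFileName (the parent), FileName (the child) and ProcessCommandLine (the child's command line), and uses the thread's "xxx.msi" as a placeholder for the real installer name.

```kql
// Added example, not part of the original thread.
// Assumptions: DeviceEvents rows for ASR audit events carry the parent in
// InitiatingProcessFileName (here WmiPrvSE.exe), the child in FileName
// (here msiexec.exe) and the child's command line in ProcessCommandLine.
let KnownInstaller = "xxx.msi";  // placeholder from the thread; substitute the real MSI file name
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == "AsrPsexecWmiChildProcessAudited"
| where InitiatingProcessFileName =~ "WmiPrvSE.exe"
// Flag the expected case: msiexec.exe launched with the known installer on its command line.
| extend IsKnownInstaller = ProcessCommandLine has KnownInstaller
// One row per child process and per case, so the known-installer traffic is
// separated from everything else the same rule would also catch.
| summarize Events = count(),
            Devices = dcount(DeviceId),
            SampleCommandLine = take_any(ProcessCommandLine)
          by FileName, IsKnownInstaller
| order by IsKnownInstaller asc, Events desc
```

Rows with IsKnownInstaller == false are the events that an exclusion scoped to "xxx.msi" would not cover, which is the residual activity the rule should keep auditing or blocking.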