Forum Discussion
Antivirus deletes all shortcuts from the desktop
After this morning's update of security intelligence to version 1.381.2140.0, Defender is deleting all links to applications on all clients; does anyone have the same problem?
- danmullen (Copper Contributor)
Also affected here. Latest from MS...
January 13, 2023 1:06 PM · Quick update
We've identified that a specific rule was resulting in impact. We've reverted the rule to prevent further impact whilst we investigate further. This quick update is designed to give the latest information on this issue.
- micheleariis (Steel Contributor)
Have released the update to version 1.381.2152.0
Update
After updating and restarting, the links are no longer deleted.
The problem remains that if I run the search for a program it does not find it unless I add .exe (e.g., outlook.exe)
- Sohel68 (Copper Contributor)
- micheleariis (Steel Contributor)
- sjansen (Brass Contributor)
It does not fix by itself, link files are deleted. You have to reinstall/repair the application to get these .lnk files recreated. I have around 50% of all clients so far affected. Thank you Microsoft for this s§$&%§ Friday 13 event. It looks like we have to reimage all the systems. Fiddling with individual machines to reinstall all apps requires way too much time and personnel.
- micheleariis (Steel Contributor)
A huge damage, I hope in their official workaround to make it solvable remotely on all company devices (even if I see it as very difficult)
- yongrheemsft (Microsoft)
@michelariis, please open a MS CSS support ticket, and mark it as a Sev-A.
Thx,
Yong Rhee - MSFT
- sjansen (Brass Contributor)
We are also affected, started around 10:30am GMT+2. We saw Defender deleting .lnk files and also blocking/deleting Windows Store Apps from Microsoft. We changed the affected ASR rule and try to force all clients to sync, but it may be too late, from the reports we got so far.
- sjansen (Brass Contributor)
We also see some other files affected, for example .xml files and Microsoft Store Apps like Picture.library-ms and some others.
- JimmyWork (Iron Contributor)
We have the same issue and many more.
https://www.reddit.com/r/sysadmin/comments/10ar1vb/multiple_users_reporting_microsoft_apps_have/
Set the following ASR rule to Audit.
Block Win32 API calls from Office macros
Rule-ID 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
Then you can restore the links. Microsoft needs to fix this ASAP
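The checks discussed in this thread can be gathered per client with a read-only script. This is an added example, not part of the thread and not the Reddit remediation script; the rule ID and build numbers are the ones quoted by the posters, and the shortcut folders scanned are an assumption about where missing .lnk files would show up.

```powershell
# Added example: read-only triage of one Windows client. Changes nothing.
# Rule ID and build numbers are the ones quoted in the thread.
$RuleId     = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'  # Block Win32 API calls from Office macros
$BadBuild   = [version]'1.381.2140.0'                 # build reported as deleting shortcuts
$FixedBuild = [version]'1.381.2152.0'                 # build reported as no longer deleting them

# Numeric ASR action values as reported by Get-MpPreference
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([string]$Id, $Preference)
    $ids     = @($Preference.AttackSurfaceReductionRules_Ids)
    $actions = @($Preference.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $Id) {            # string -eq is case-insensitive
            $a = [int]$actions[$i]
            if ($ActionNames.ContainsKey($a)) { return $ActionNames[$a] }
            return "Unknown ($a)"
        }
    }
    return 'Not configured'                # rule absent from the effective policy
}

$status = Get-MpComputerStatus
$sigVer = [version]$status.AntivirusSignatureVersion

# Assumed locations: Start menu and desktop, per-machine and for the current user
$lnkRoots = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('Desktop')
)
$lnkCount = ($lnkRoots | Where-Object { $_ -and (Test-Path $_) } |
    ForEach-Object { Get-ChildItem -Path $_ -Filter *.lnk -Recurse -ErrorAction SilentlyContinue } |
    Measure-Object).Count

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    SignatureVersion  = $sigVer
    SignaturesUpdated = $status.AntivirusSignatureLastUpdated
    OnReportedBuild   = ($sigVer -eq $BadBuild)
    AtOrAboveFixed    = ($sigVer -ge $FixedBuild)
    AsrRuleState      = Get-AsrRuleState -Id $RuleId -Preference (Get-MpPreference)
    ShortcutCount     = $lnkCount
}
```

A shortcut count near zero alongside a signature version at or above the later build suggests the client was hit before it updated and still needs its .lnk files restored.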
- Dreamaker (Copper Contributor)
I modified the rule: Block Win32 API calls from Office macros
from Block to Audit mode
in MDM Security Baseline
category Microsoft Defender
- Peter Kopper (Copper Contributor)
Dreamaker We haven't had a block rule, but all shortcuts were deleted. We changed to audit, but without a change on the tested machines.
- 2code-monte (Copper Contributor)
yeah we are seeing this across multiple orgs too. We are testing the suggested fix
- cmcconnell1000 (Copper Contributor)
Has Microsoft made any comment?
- Dreamaker (Copper Contributor)
Now there is the advisory on Service health in Microsoft365 Admin portal: Some users are unable to utilize the Application shortcuts on the Start menu and taskbar
MO497128, Last updated: January 13, 2023 12:57 PM
Estimated start time: January 13, 2023 12:43 PM
- Sean Hodgkinson (Copper Contributor)
We've had the same problem .. all shortcuts on every device have been deleted
- WaldekBarros (Copper Contributor)
Yes! We were also affected.
- geierr (Copper Contributor)
Yes I was bit by this problem this morning. Thank goodness for Macrium Reflect backups. However, it won't do me any good unless this issue is resolved as the shortcuts will just be deleted again.
- Shayanlarkbury (Copper Contributor)
Have the same exact issue but we do not even have the Block Win32 API Calls from Office Macro configured within our ASR rules so very frustrated to be in this position.
To force the point. I have created a new rule and set Block Win32 API Calls from Office Macro to Audit mode.
Hoping this calms things down.
- jpatounas (Copper Contributor)
Setting the ASR rule to audit instead of block is a big security risk.
Just don't do it. Wait until a fix is released. I hope MS will push the fix soon.
Great job on Friday the 13th though 🙂
- micheleariis (Steel Contributor)
Me too; the damage is already done
- phillipank (Copper Contributor)
Shayanlarkbury where are you creating this rule?
- Shayanlarkbury (Copper Contributor)
Endpoint Manager > Endpoint Security > Attack Surface Reduction > Create a Policy here.
As in the trailing comments. Hoping once MS resolves this problem, we can switch this policy back to block....
- Someone created a PowerShell script as a remediation on Reddit, check it out:
https://www.reddit.com/r/sysadmin/comments/10ar1vb/comment/j46d16f/?utm_source=share&utm_medium=web2x&context=3
- phillipank (Copper Contributor)
Has MS pulled the latest update? I am not getting now when I Check for updates.
phillipank wrote:
Has MS pulled the latest update? I am not getting now when I Check for updates.
I'm not sure, but the latest version is 1.381.2152.0
https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes
- Brian Bosak (Copper Contributor)
micheleariis Yes our company has the same issue. The workaround we're using for now is to type the file name into the start menu and launch the programs directly:
WinWord.exe
Excel.exe
MSEdge.exe
Outlook.exe