cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

ASR - Behavior Changes - Blocking under User Context Now?

brink668
Brass Contributor

‎Aug 02 2022 05:50 PM - edited ‎Aug 02 2022 05:54 PM

‎Aug 02 2022 05:50 PM - edited ‎Aug 02 2022 05:54 PM

ASR - Behavior Changes - Blocking under User Context Now?

Since July 7-27-2022
I have been seeing around 40 of 1800 machines in my work environment that are showing blocks under %userprofile% or usercontext for .dll blocks. This is new behavior and is recent.  All of our machines have the same ASR rule applied, I checked on the machines via registry and their ASR rules are the same.

 

ASR Rule/Example Path - that is having this issue

Block executable content from email client and webmail
GUID: be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
Path: %userprofile%\AppData\Local\Assembly\tmp*variousfilesandpaths.dll


Did this behavior change, is this a preview of a new feature or is this a bug? I am afraid this may spread to more machines.

 

We have E5 License and an MS Ticket Open as well.  Hoping someone hear knows something as well.

16.5K Views
1 Like
52 Replies
Reply
52 Replies
brink668

‎Aug 10 2022 06:28 PM

‎Aug 10 2022 06:28 PM

Re: ASR - Behavior Changes - Blocking under User Context Now?

We are seeing the same under that path as well. Though from various apps both paid for ones and custom built ones.
0 Likes
Reply
FTurp

‎Aug 11 2022 12:37 AM

‎Aug 11 2022 12:37 AM

Re: ASR - Behavior Changes - Blocking under User Context Now?

We are experiencing the same/similar issue too. Started about 2 weeks ago, is only effecting a small number of computers but number seems to be growing.

 

When Outlook requires authentication Defender blocks the log on screen from appearing as the ASR rule "Block executable content from email and client webmail" is blocking .JS files in C:\Users\local_\INetCache\IE<FOLDER>

Actual file can vary but so far I have seen: C:\Users\local_\INetCache\IE<FOLDER>\CommonDiagnostics[1].js
C:\Users\local_\INetCache\IE<FOLDER>\knockout-3.4.2[1].js
C:\Users\local_\INetCache\IE<FOLDER>\jsonstrings[1].js
C:\Users\local_\INetCache\IE<FOLDER>\jquery-1.12.4.1.min[1].js
C:\Users\local_\INetCache\IE<FOLDER>\hrd.min[1].js

 C:\Users\local_\INetCache\IE<FOLDER>\convergedlogin_pccustomizationloader[1].js

 

OutlookDefenderIssue.jpgIs any one any closer to knowing what is going on with this?

1 Like
Reply
MikePalmer75

‎Aug 11 2022 12:56 AM

‎Aug 11 2022 12:56 AM

Re: ASR - Behavior Changes - Blocking under User Context Now?

We are seeing odd behaviour in that we started a rollout of a plugin to 3000 machines which had been under test for several months on 450 machines. The machines which had the application installed yesterday are reporting ASR events but the 450 pilot machines are working fine. It's almost like the ASR is trigger as it has seen a change to Outlook plugins.
0 Likes
Reply
TakedaShingen

‎Aug 11 2022 12:57 AM

‎Aug 11 2022 12:57 AM

Re: ASR - Behavior Changes - Blocking under User Context Now?

we have exactly the same issue for about one week. about 1-5 % of total clients affected so far but the number also seems to increase. different 3rd party plugins affected. waiting for response from ms incident manager
0 Likes
Reply
apr23

‎Aug 11 2022 02:40 AM - edited ‎Aug 11 2022 03:29 AM

‎Aug 11 2022 02:40 AM - edited ‎Aug 11 2022 03:29 AM

Re: ASR - Behavior Changes - Blocking under User Context Now?

We are also facing the issue on several computers. The strange thing is, that all the version (Defender Engine, Signatures, Outlook and Windows) are reporting the same on affected and non-affected machines. Even the outlook internal help (press F1) is blocked.
We have also created a Microsoft case.

We provision the rules using Configuration Manager.

0 Likes
Reply
TakedaShingen

‎Aug 11 2022 03:27 AM

‎Aug 11 2022 03:27 AM

Re: ASR - Behavior Changes - Blocking under User Context Now?

we received the answer that it is indeed a known issue that has to be solved by the ms product team 

 

we use intune to deliver 

AsrExecutableEmailContentBlocked
0 Likes
Reply
FTurp

‎Aug 12 2022 02:47 AM

‎Aug 12 2022 02:47 AM

Re: ASR - Behavior Changes - Blocking under User Context Now?

@TakedaShingen 

 

If you get a response to say it has been fixed or if we are required to make any changes it would be great if you could post them here.

 

Thanks

0 Likes
Reply
shend141

‎Aug 12 2022 02:58 AM

‎Aug 12 2022 02:58 AM

Re: ASR - Behavior Changes - Blocking under User Context Now?

Microsoft Support have talked us through adding the file hash of each blocked Outlook add-in DLLs to "Indicators" in the security.microsoft.com portal. We're waiting for more info on how we can check it has applied to a device (Event Viewer, reg key(s), etc), does anyone know please?
0 Likes
Reply
TakedaShingen

‎Aug 12 2022 03:07 AM

‎Aug 12 2022 03:07 AM

Re: ASR - Behavior Changes - Blocking under User Context Now?

same for us. we had tech support adding hash based indicators in defender365 -> settings -> indicators
first we used hash from loaded plugin dll -> did not help
today we added all dll from the plugin (condeco) -> didnt help

currently we are waiting for additional microsoft support callback
1 Like
Reply
David_Smith040

‎Aug 12 2022 03:09 AM

‎Aug 12 2022 03:09 AM

Re: ASR - Behavior Changes - Blocking under User Context Now?

That is not a solution lol
0 Likes
Reply
TakedaShingen

‎Aug 12 2022 03:09 AM

‎Aug 12 2022 03:09 AM

Re: ASR - Behavior Changes - Blocking under User Context Now?

we also added an indicator based on condeco hash. did not fix it.
or problem plugin no1 is condeco
0 Likes
Reply
TakedaShingen

‎Aug 12 2022 03:14 AM

‎Aug 12 2022 03:14 AM

Re: ASR - Behavior Changes - Blocking under User Context Now?

the action plan was
1 taking logs
2 idicator whitelisting
3 taking logs again to get to the prob.

we have another meeting with microsoft in 20 min and this time the agend knew about the possible product team fix. for this they want to pull logs again i believe. anyhow i keep sharing our experience :D
0 Likes
Reply
brink668

‎Aug 12 2022 04:19 AM - edited ‎Aug 12 2022 04:24 AM

‎Aug 12 2022 04:19 AM - edited ‎Aug 12 2022 04:24 AM

Re: ASR - Behavior Changes - Blocking under User Context Now?

What you could do temporarily is create exclusions for ASR Rules.  
Blocked at Path
c:\users\jdoe\AppData\Local\Assembly\tmp\VXRVB.GHY\TheNameOfYourFile.dll

Example Exclusion
%userprofile%\AppData\Local\Assembly\tmp\*\TheNameOfYourFile.dll

 

 

Further Info

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-extension-file-e...

 

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-redu...


https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-f...

 

 

0 Likes
Reply
shend141

‎Aug 12 2022 04:38 AM

‎Aug 12 2022 04:38 AM

Re: ASR - Behavior Changes - Blocking under User Context Now?

That was our original workaround but Microsoft Support explained this only whitelists the DLL, whereas Indicators whitelists the DLL and all associated files, including .JS JavaScript files, other DLLs, etc. So Indicators are more efficient at excluding safe add-ins than ASR rules. He also said their ASR team made more "fine tuning" yesterday and there may no longer be a need to add any file hash to the Indicators after all. Hope this helps others.
0 Likes
Reply
brink668

‎Aug 12 2022 04:47 AM

‎Aug 12 2022 04:47 AM

Re: ASR - Behavior Changes - Blocking under User Context Now?

Thanks for letting me know. I will try out the indicators instead.
1 Like
Reply
MikePalmer75

‎Aug 12 2022 04:52 AM

‎Aug 12 2022 04:52 AM

Re: ASR - Behavior Changes - Blocking under User Context Now?

Hi @shend141,

You said that the ASR team have made some adjustments. Did they explain how those adjustments will be delivered to client and the time to see the results?
0 Likes
Reply
shend141

‎Aug 12 2022 05:03 AM

‎Aug 12 2022 05:03 AM

Re: ASR - Behavior Changes - Blocking under User Context Now?

Hi Mike, I asked the same question but he had no further details unfortunately.

I also asked how we can check if a file hash rule has applied to a device but he categorically confirmed there are no local logs in Event Viewer or any associated reg keys for security purposes. So surely there's a log on the M365 Security portal? Again, no definitive answer other than check the "last device update" column for the device, which is a good indicator but not confirmation that the file hash rule has definitely applied successfully.

'Reports > Attack surface reduction rules' already showing a much lower number of detections (mostly false-positive) but that could just be because it's a Friday and super hot weather. Monday will be a better indicator of progress once all devices have received the file hash rule updates, cold booted etc...
0 Likes
Reply
shend141

‎Aug 12 2022 05:25 AM

‎Aug 12 2022 05:25 AM

Re: ASR - Behavior Changes - Blocking under User Context Now?

Furthermore, Microsoft Support advised us to upload affected DLLs using their WDSI Submission form https://www.microsoft.com/en-us/wdsi/filesubmission so their ASR team can carry out further "fine tuning" to address these false-positive blocks. We've uploaded 2 DLLs with the 2 file hashes that represent all of the DLLs in our environment, received an email confirmation for both, currently "Status: In progress" and waiting for an update...
0 Likes
Reply
David Schrag

‎Aug 12 2022 06:43 AM

‎Aug 12 2022 06:43 AM

Re: ASR - Behavior Changes - Blocking under User Context Now?

Has anyone been given an explanation of why this is only affecting a small percentage of identically configured computers? 

1 Like
Reply
pcookhayboo

‎Aug 12 2022 07:14 AM

‎Aug 12 2022 07:14 AM

Re: ASR - Behavior Changes - Blocking under User Context Now?

This would be helpful. We use a lot of outlook addons and even after safelisting I'm still getting hits. I ended up turning the whole rule to audit mode until we can get this sorted.
0 Likes
Reply