Aug 02 2022 05:50 PM - edited Aug 02 2022 05:54 PM
Since July 7-27-2022
I have been seeing around 40 of 1800 machines in my work environment that are showing blocks under %userprofile% or usercontext for .dll blocks. This is new behavior and is recent. All of our machines have the same ASR rule applied, I checked on the machines via registry and their ASR rules are the same.
ASR Rule/Example Path - that is having this issue
Block executable content from email client and webmail
GUID: be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
Path: %userprofile%\AppData\Local\Assembly\tmp*variousfilesandpaths.dll
Did this behavior change, is this a preview of a new feature or is this a bug? I am afraid this may spread to more machines.
We have an E5 license and an MS ticket open as well. Hoping someone here knows something as well.
Aug 12 2022 07:24 AM
Aug 12 2022 07:37 AM
Aug 12 2022 08:45 AM
Good to know, I did not get any events in the last hours, but a lot of people are probably enjoying the weekend already.
To check which version is installed on the computer, run the following PowerShell command:
Get-MpComputerStatus | fl *version*
To force an update of the signatures, run the following commands in an elevated command prompt (source: https://www.microsoft.com/en-us/wdsi/defenderupdates):
cd %ProgramFiles%\Windows Defender
MpCmdRun.exe -removedefinitions -dynamicsignatures
MpCmdRun.exe -SignatureUpdate
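To see whether the blocks on a given machine line up with a particular definition version, the following added example (not posted by anyone in this thread) lists the local ASR block events for the rule GUID from the original post, grouped by blocked path and signature version. The 7-day look-back window and the EventData field names `Path`, `Process Name` and `Security intelligence Version` are assumptions; adjust them if your events use different names.

```powershell
# Added example: summarize ASR block events for one rule on the local machine.
$ruleId = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'   # rule GUID from the original post
$since  = (Get-Date).AddDays(-7)                   # assumed look-back window

# Installed product, engine and signature versions, to correlate with the blocks
Get-MpComputerStatus |
    Select-Object AMProductVersion, AMEngineVersion,
                  AntivirusSignatureVersion, AntivirusSignatureLastUpdated

# Rule action as reported by Get-MpPreference (0 = off, 1 = block, 2 = audit, 6 = warn)
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
$idx  = [array]::IndexOf($ids, $ruleId)
if ($idx -ge 0) { "Rule action: $($pref.AttackSurfaceReductionRules_Actions[$idx])" }
else            { "Rule not present in local preferences" }

# Event ID 1121 is logged when an ASR rule fires in block mode
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121
    StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $ruleId }

# Pull the assumed EventData fields out of each event and group the results
$events | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Path    = ($data | Where-Object Name -eq 'Path').'#text'
        Process = ($data | Where-Object Name -eq 'Process Name').'#text'
        SigVer  = ($data | Where-Object Name -eq 'Security intelligence Version').'#text'
    }
} | Group-Object Path, SigVer |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Running it before and after the signature update shows whether blocks under %userprofile% stop once the newer definitions are installed.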
Aug 12 2022 08:58 AM
Aug 12 2022 09:03 AM
Aug 12 2022 09:33 AM - edited Aug 12 2022 09:36 AM
Windows 10 Settings > Windows Security > Open Windows Security > Click "Check for Updates" under Virus & threat protection updates.
Edit: So far the updated definition has not helped we are now seeing improvements, however it seems like they are still making adjustments.
Aug 12 2022 01:58 PM
Aug 15 2022 01:07 AM
Aug 15 2022 01:50 AM
Solution - Aug 15 2022 05:45 AM
Aug 16 2022 03:51 AM
Aug 16 2022 05:13 AM
Jan 16 2024 12:12 AM