SOLVED

ASR - Behavior Changes - Blocking under User Context Now?


Since July 7-27-2022
I have been seeing around 40 of 1800 machines in my work environment that are showing blocks under %userprofile% (user context) for .dll files. This is new behavior and is recent. All of our machines have the same ASR rule applied; I checked on the machines via the registry and their ASR rules are the same.


ASR rule / example path that is having this issue:

Block executable content from email client and webmail
GUID: be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
Path: %userprofile%\AppData\Local\Assembly\tmp*variousfilesandpaths.dll


Did this behavior change, is this a preview of a new feature or is this a bug? I am afraid this may spread to more machines.


We have an E5 license and an MS ticket open as well. Hoping someone here knows something as well.

So for us Microsoft replied:
"WDSI Security Intelligence team have gotten back to me and provided the following solution:
We have reviewed the reported issue, and this is a known issue.
• And regarding ASR issues related to Block executable content from email client and webmail, we have provided a global fix. The changes will be reflected in the security intelligence version 1.373.181.0 or above. So, we request you to update to the latest security intelligence version and verify the issue."
So after updating a problem client, it indeed changed: we get an all-new error message and block event in the Defender report.

I suppose I should know this, but how exactly do you get the updated security intelligence version?

Good to know. I did not get any events in the last hours, but a lot of people are probably enjoying the weekend already.


@David Schrag 

To check which version is installed on the computer, run the following PowerShell command:
Get-MpComputerStatus | fl *version*


To force an update of the signatures, run the following commands in an elevated command prompt (source: https://www.microsoft.com/en-us/wdsi/defenderupdates):

cd %ProgramFiles%\Windows Defender
MpCmdRun.exe -removedefinitions -dynamicsignatures
MpCmdRun.exe -SignatureUpdate
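As an added example (not from the thread or from Microsoft), the same check wrapped into a PowerShell script that compares the installed security intelligence version against the 1.373.181.0 build quoted in Microsoft's reply, updates if the endpoint is older, and then lists recent ASR block events for the rule GUID from the original post. It assumes the Defender PowerShell module, an elevated session, and that the ASR event message carries `ID:` and `Path:` lines.

```powershell
# Added example, not code from the thread. Run elevated on the affected endpoint.
$FixedVersion = [version]'1.373.181.0'   # build Microsoft named as carrying the fix
$RuleGuid     = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'   # Block executable content from email client and webmail

# 1. Which security intelligence version is installed right now?
$current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
Write-Host "Installed security intelligence version: $current"

# 2. If older than the fixed build, pull the latest signatures from Microsoft Update.
if ($current -lt $FixedVersion) {
    Write-Host "Older than $FixedVersion, forcing a signature update"
    Update-MpSignature -UpdateSource MicrosoftUpdateServer
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    Write-Host "Now on $current"
} else {
    Write-Host "Already at or above $FixedVersion"
}

# 3. ASR rule hits are written to the Defender operational log as Event ID 1121 (block)
#    or 1122 (audit). Pull the last 7 days and keep only events for this rule GUID.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$hits = $events | Where-Object { $_.Message -match $RuleGuid }

# 4. Summarise: time, mode, blocked path, and whether it is the user-profile DLL pattern
#    reported in this thread (a DLL under C:\Users\<name>\AppData\Local\Assembly\tmp...).
$hits | ForEach-Object {
    $pathLine = ($_.Message -split "`r?`n") | Where-Object { $_ -match '^\s*Path:' } | Select-Object -First 1
    $path     = ($pathLine -replace '^\s*Path:\s*', '').Trim()
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Mode        = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
        Path        = $path
        UserAssembly = $path -match '(?i)\\Users\\[^\\]+\\AppData\\Local\\Assembly\\tmp.*\.dll$'
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

If hits with `UserAssembly` set to True keep appearing after the version is at or above the fixed build, that is the evidence to attach to a support ticket rather than a reason to add per-file exclusions.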


Thanks. On what sort of cycle will the signatures get updated automatically?
We considered switching from Block to Audit Only mode, but since the number of incidents has vastly reduced and is on a downward spiral, we will stay in Block mode for now to maintain a balance between security and productivity by resolving any new incidents with file hash rules reactively.

@David Schrag 


Windows 10 Settings > Windows Security > Open Windows Security > Click "Check for Updates" under Virus & threat protection updates.


Edit: So far the updated definition has not helped. We are now seeing improvements; however, it seems like they are still making adjustments.


Thanks for the report! We were alerted to this thread out on Twitter and wanted to share that we’ve connected with our friends on the Defender for Endpoint team and confirmed that a signature update will be rolled out over the next few hours to resolve this issue.
OK, to finish our experience: after 2 more fixes from Microsoft we seem to be fine now.
Some users that had problems don't have them anymore.
In Reports -> ASR rules I also don't see any more blocks of our 3rd party software in "Block executable content from email client and webmail", so a bit early to be sure, but for now it looks like all is fixed for us.
best response confirmed by brink668 (Brass Contributor)
Solution
I've so far only managed to check on one endpoint that was having the issue; however, its Security Intelligence Version updated to 1.373.383.0 this morning and it is no longer showing any symptoms of the problem. So early signs are encouraging that this may be fixed.
This looks fully resolved now with Security Intelligence Definitions Version being 1.373.383.0.
Since Microsoft rolled out 1.373.383.0, released 8/15/2022 3:28:43 AM (I'm currently on 6 versions higher than 383: 410>421>435>449>452>460), ASR detections have certainly fallen, which is a good sign, but we're still seeing some detections for safe/known DLLs such as iManage, Acrobat, etc.

We can carry out manual Defender updates and reboots. In the meantime, can you advise if we need to do anything else to remove these false-positive detections please?
I did not need to make any other modification in my test OU. I had removed all the DLL exclusions from my whitelist which I originally applied at the start of this issue.

You may need to review your ASR rules though and see if other rule types are causing the block, then in that case you may still need to create special exclusions for that.

Hi, I'm using Windows beta and getting this error again in version 1.403.2224.0.
Could that be a possible regression?