cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

ASR Exception for Block Credential Stealing rule

HignettP
Copper Contributor

‎May 17 2022 12:36 AM

‎May 17 2022 12:36 AM

ASR Exception for Block Credential Stealing rule

Hi,

We want to apply the ASR rule 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' with exceptions for a trusted executable as the source app. However, it looks like the exceptions list only applies to the detected file, which is always lsass.exe.

Is there a way to effect an allow-list for this rule?

Thanks.

2,449 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by HignettP (Copper Contributor)
aexlz

‎May 17 2022 06:18 AM

‎May 17 2022 06:18 AM

Solution

Re: ASR Exception for Block Credential Stealing rule

This is and will always be lsass.exe, because this process is accessed from other apps to enumerate users.
Even though you see thousand of alerts there, you can put this on block most times. Not being able to enumerate users via lsass.exe does not stop 99 of 100 apps to work properly.
Test it out with on device in advance.
0 Likes
Reply
HignettP

‎Aug 15 2022 02:15 AM

‎Aug 15 2022 02:15 AM

Re: ASR Exception for Block Credential Stealing rule

Thank you Aexlz.
1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by HignettP (Copper Contributor)
aexlz

‎May 17 2022 06:18 AM

‎May 17 2022 06:18 AM

Solution

Re: ASR Exception for Block Credential Stealing rule

This is and will always be lsass.exe, because this process is accessed from other apps to enumerate users.
Even though you see thousand of alerts there, you can put this on block most times. Not being able to enumerate users via lsass.exe does not stop 99 of 100 apps to work properly.
Test it out with on device in advance.

View solution in original post

0 Likes
Reply