ASR exclusion via GPO not working as expected


I have a group of users who are attempting to open attachments in Outlook that run from a specific program, and the ASR rule "Block only Office communication applications from creating child processes" is blocking this action. We are using GPO for management, and I attempted to create a GPO exclusion to cover the listed "Affected items" exe using the exact path to the exe, but that does not appear to have worked.


The documentation in the GPO suggests using "0" for the value and "filepath", but then I just found a reference at Implement attack surface reduction rules | Microsoft Learn stating "Do not use quotes as they are not supported..." under the "Use group policy to exclude files and folders" section. Which one is right? Use quotes on value and value name, don't use quotes anywhere, a mix of the two, or does it not matter either way?


I also just came across Attack surface reduction rules reference | Microsoft Learn, which mentions "The following ASR rules DO NOT honor MS Defender AV exclusions:" and in there it lists "Block Office communication application from creating child processes".


So... is it possible to make this exclusion so I don't trigger this ASR rule?

2 Replies

Hello @abl-bgd,


First, it is recommended to go through "How do I know what I need to exclude?" section here: Attack surface reduction frequently asked questions (FAQ) | Microsoft Learn


If you are using GPO, do not use quotes as advised here: Implement attack surface reduction rules | Microsoft Learn


ASR exclusions are independent from Microsoft Defender Antivirus exclusions. However, Microsoft Defender Antivirus exclusions do apply to some attack surface reduction rules. This specific rule doesn't honor AV exclusions.

In other words, if you define the exclusion using this method: Configure and validate exclusions based on extension, name, or location | Microsoft Learn, it will not work. You will need this: Implement attack surface reduction rules | Microsoft Learn


Note: Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Excluded files will be allowed to run, and no report or event will be recorded.
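As an added example (not from either poster and not Microsoft's own code), the PowerShell below shows how to check, on an affected client, what the GPO actually stored for the ASR-only exclusion list, whether any stored entry still carries the quotes the cited doc says are unsupported, what action the rule is set to, and whether block/audit events for this rule keep appearing afterwards. The rule GUID is the one published in the ASR rules reference (verify it there before use), the policy registry key is an assumption about where the GPO setting is written, and the excluded path is a placeholder.

```powershell
# Added example: inspect an ASR-only exclusion for the Office communication
# application rule and confirm whether the rule still fires. Run elevated.

# GUID of "Block Office communication application from creating child
# processes" as listed in the ASR rules reference; verify before relying on it.
$RuleId = '26190899-1602-49e8-8b27-eb1d0a1ce869'

# Placeholder: the program that Outlook attachments hand off to.
$ExcludedExe = 'C:\Program Files\ExampleVendor\viewer.exe'

# Assumed registry location of the GPO setting "Exclude files and paths from
# Attack surface reduction Rules"; value names are the excluded paths.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\ASROnlyExclusions'

function Get-AsrOnlyExclusionState {
    # Reports the effective ASR-only exclusions (a separate list from the AV
    # ExclusionPath list, which this rule ignores) and the raw value names the
    # GPO wrote, so a literally quoted path becomes visible.
    $pref = Get-MpPreference
    $rawNames = @()
    if (Test-Path $PolicyKey) {
        $rawNames = @((Get-Item $PolicyKey).Property)
    }

    # Rules_Ids and Rules_Actions are parallel arrays: 0 Disabled, 1 Block,
    # 2 Audit, 6 Warn. Match case-insensitively because GUID casing varies.
    $action = 'not configured'
    for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
        if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $RuleId) {
            $action = $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }

    [pscustomobject]@{
        EffectiveAsrOnlyExclusions = @($pref.AttackSurfaceReductionOnlyExclusions)
        PolicyValueNames           = $rawNames
        AvExclusionPaths           = @($pref.ExclusionPath)   # shown for contrast only
        RuleAction                 = $action
    }
}

function Test-QuotedExclusionEntries {
    param([string[]]$ValueNames)
    # Returns entries stored with surrounding quotes. The policy compares the
    # stored string literally, so "C:\x.exe" (with quotes) never matches C:\x.exe.
    $ValueNames | Where-Object { $_ -match '^".*"$' }
}

function Get-AsrEventsForRule {
    param([string]$RuleId, [int]$Hours = 24)
    # 1121 = ASR rule blocked, 1122 = ASR rule audited. The rule GUID is
    # embedded in the event data, so filter on the serialized XML.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.ToXml() -match [regex]::Escape($RuleId) } |
        Select-Object TimeCreated, Id, Message
}

# --- usage ---
$state = Get-AsrOnlyExclusionState
$state | Format-List

$quoted = Test-QuotedExclusionEntries -ValueNames $state.PolicyValueNames
if ($quoted) {
    Write-Warning "These exclusion entries are stored with quotes and will not match: $($quoted -join '; ')"
}

if ($state.EffectiveAsrOnlyExclusions -notcontains $ExcludedExe) {
    # Local change for testing only; a GPO-managed setting overrides it at the
    # next policy refresh, so the durable fix is correcting the GPO entry.
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $ExcludedExe
}

# Reproduce the user action, then confirm no new 1121 events for this rule.
Get-AsrEventsForRule -RuleId $RuleId -Hours 1 | Format-Table -AutoSize
```

If `PolicyValueNames` shows the path wrapped in literal quotes, the GPO entry itself is the problem and should be re-entered without them; if the path is stored cleanly but 1121 events for the rule continue, the exclusion is being compared against a different path (for example the process that actually spawns, rather than the one listed as the affected item), which the event's Message field will show.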


@AdelAlDabbas 


Thanks for that confirmation. The GPO itself has documentation that appears to imply that a quote should be used, but it wasn't working, which is what brought me here.

