Mar 09 2023 07:30 AM
Does anybody have knowledge of, or a link to, more detail on how the ASR rule 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' actually works?
I understand it leverages cloud-delivered protection, so I am assuming that when an exe is run, it is checked against an MS DB somewhere (assuming not local but cloud) and a decision is passed back to allow it or not?
Is there any degree of 'learning' going on? The reason I ask is that we have been testing by creating some exes that appear to be blocked the day they are created, but the following day they mysteriously appear to be allowed to run. Is this expected and working as intended, or do we have something broken? Have these tiny exes we created been assessed and now added to allowed?
Need to understand what is going on a bit under the hood so we can make decisions on implementing this rule.
Also... what happens if the client (a laptop) does not have internet access to leverage the cloud protection at the point the exe is run?
Mar 09 2023 08:38 AM
Mar 10 2023 02:02 AM