Microsoft Tech Community

ASR rules and Cloud Delivered Protection


Does anybody have knowledge of, or a link to, more detail on how the ASR rule 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' actually works?

I understand it leverages cloud-delivered protection, so I'm assuming that when an exe is run, it is checked against an MS DB somewhere (assuming not local but cloud) and a decision is passed back to allow it or not?

Is there any degree of 'learning' going on? The reason I ask is that we have been testing by creating some exes that appear to be blocked the day they are created, but the following day they mysteriously appear to be allowed to run. Is this expected and working as intended, or do we have something broken? Have these tiny exes we created been assessed and now added to the allowed list?

We need to understand what is going on under the hood a bit so we can make decisions on implementing this rule.

Also, what happens if the client (a laptop) does not have internet access to leverage the cloud protection at the point the exe is run?

2 Replies
Cloud protection is a must and the trust list is managed by Microsoft to determine the reputation of the exe. I doubt if this can function without internet access as true for most of the Defender real time components. Some more details are available in the FAQ here - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-...
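As an added example that is not part of this thread or of Microsoft's documentation, the following PowerShell inspects the three things the question turns on from a defender's side: whether this rule is configured and in which mode, whether the cloud-delivered protection it relies on is enabled and reachable from the host, and what the Defender operational log recorded for the rule over recent days. The rule GUID (01443614-cd74-433a-b99e-2ecdc07bfc25), the ASR event IDs 1121 (block) and 1122 (audit), and the `MpCmdRun.exe -ValidateMapsConnection` check are documented Defender facilities; the regex that pulls the file path out of the event message is an assumption about the message layout and falls back to the raw message if it does not match.

```powershell
# Added example, not code from the thread or from Microsoft: checks how the
# "Block executable files from running unless they meet a prevalence, age, or
# trusted list criterion" rule is configured on this host, whether the
# cloud-delivered protection it relies on is reachable, and which ASR events
# it has written. Run from an elevated PowerShell session on a Defender host.

# GUID Microsoft assigns to this ASR rule.
$RuleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'

$pref = Get-MpPreference

# 1. Rule state. The *_Ids and *_Actions arrays are parallel: the action at
#    position N applies to the rule GUID at position N.
$mode = 'not configured'
for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
    if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $RuleId) {
        $mode = switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
            0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' }
            default { "unknown ($_)" }
        }
    }
}
"ASR rule $RuleId : $mode"

# 2. Cloud-delivered protection settings the rule depends on. With
#    MAPSReporting = 0 there is no cloud lookup for the rule to consult.
[PSCustomObject]@{
    MAPSReporting           = $pref.MAPSReporting           # 0 = off, 1 = basic, 2 = advanced
    SubmitSamplesConsent    = $pref.SubmitSamplesConsent
    CloudBlockLevel         = $pref.CloudBlockLevel
    CloudExtendedTimeout    = $pref.CloudExtendedTimeout    # extra seconds to wait for a cloud verdict
    DisableBlockAtFirstSeen = $pref.DisableBlockAtFirstSeen
} | Format-List

# 3. Can this host reach the cloud service right now? MpCmdRun's built-in
#    check returns a non-zero exit code when MAPS is unreachable, which is the
#    situation the thread asks about (a laptop without internet access).
$mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mpcmd -ValidateMapsConnection | Out-Null
"MAPS reachable: $($LASTEXITCODE -eq 0)"

# 4. Recent ASR events for this rule. Defender logs 1121 when a rule blocks
#    and 1122 when a rule would have blocked in audit mode. Comparing these
#    across days for the same path is how to tell whether a binary that was
#    blocked on day one is still being blocked later, rather than guessing.
$log = 'Microsoft-Windows-Windows Defender/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1121, 1122 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    ForEach-Object {
        # Assumption: the message body carries the target on a "Path:" line.
        # If the layout differs, the raw message is still available to the reader.
        $path = if ($_.Message -match 'Path:\s*(?<p>[^\r\n]+)') { $Matches.p.Trim() } else { '(see event message)' }
        [PSCustomObject]@{
            Time   = $_.TimeCreated
            Action = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' }
            Path   = $path
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

Running this on the test laptop both while it is online and after the network is disconnected, with the rule in audit mode, gives a factual record of the question raised above: step 3 shows whether the cloud dependency is satisfied at that moment, and step 4 shows whether the rule logged anything for the freshly built exe on each day, so a change from "Blocked" to no event can be seen in the log rather than inferred.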
Thanks, that is kind of what I thought, but I wondered whether an exe would run if there was no internet access (if it is blocked when there is internet access, for example). The question being: can you 'bypass' the block by disconnecting from the internet (so the cloud can't check), run the exe, and then reconnect to the internet? I guess I can check this by trying ;)

The bigger question is: is it expected behaviour for an exe that is initially blocked (a brand new, just compiled exe) to be allowed to run some time later, after the cloud has 'checked it'?