ASR Rules - Outlook Spawning Child Process


We have an internal Telephony application that uses a "non-standard" communication protocol (BTBC). When a meeting request is sent via email, it presents a link that is prefixed by BTBC:// which then spawns the telephony app.
We have had to register the BTBC protocol as trusted so as not to run into an Outlook Security Warning, but the ASR rule 26190899-1602-49e8-8b27-eb1d0a1ce869 blocks the spawning of the process.
Is it possible to exclude only the telephony from being prevented from being spawned or would the exclusion need to apply to the Outlook process?

Thanks

7 Replies

@Amitai Rottem is this something you can help with please?


A related question - we're licensed for O365 E3 but have taken 50 licences (so far) of Windows Defender ATP (I think by uplifting 50 licenses for Windows 10 E3>E5) - how can I access support for WDATP?


If I try to access support via https://securitycenter.microsoft.com I'm getting an error message about not having a valid Azure subscription?


I've reached out to our Microsoft Account Team but had no response as yet.


Here's where you will find a good start:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/windows-def...


Also check out the tutorial page in the product for some cool DIYs:

https://securitycenter.windows.com/tutorials


@DannyC_Gamma Maybe this has already been resolved, but the exclusions should target the file that would be the child process started by Outlook, in the case of your situation. The docs linked weren't very clear on that before, and we were a bit confused by the language, so we tested it ourselves. I think the docs may have been updated a little since then.

It does explain that exclusions apply across all rules, however, so you can't exclude a file only for a specific rule. I'm not sure there is a scenario where a file would really need one ASR blocked activity but not another.

 

Exclusion info here:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/e...
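As an added illustration of the reply above (example code, not from the thread or from Microsoft's docs), this PowerShell session excludes the child-process binary rather than OUTLOOK.EXE, confirms the exclusion, and checks the Defender operational log for block (1121) and audit (1122) events tied to the rule in the question. The telephony executable path is a placeholder; the session is assumed to be elevated with the Defender module available.

```powershell
# Added example, not from the thread. Exclude the child process (the telephony
# client), not Outlook itself, then verify the setting and check ASR events.
# $TelephonyExe is a placeholder path; replace it with the real install location.

$TelephonyExe = 'C:\Program Files\Contoso\Telephony\telephony.exe'   # placeholder
$RuleId       = '26190899-1602-49e8-8b27-eb1d0a1ce869'               # rule from the question

# 1. Confirm how the rule is configured (1 = Block, 2 = Audit, 0 = Off).
$pref = Get-MpPreference
if ($pref.AttackSurfaceReductionRules_Ids) {
    $idx = [array]::IndexOf($pref.AttackSurfaceReductionRules_Ids, $RuleId)
    if ($idx -ge 0) {
        "Rule $RuleId action: $($pref.AttackSurfaceReductionRules_Actions[$idx])"
    } else {
        "Rule $RuleId is not configured on this host"
    }
}

# 2. Exclude the child-process binary. As the reply notes, ASR exclusions are
#    global: this path is now excluded from every ASR rule, not only this one.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions $TelephonyExe

# 3. Verify the exclusion is present.
(Get-MpPreference).AttackSurfaceReductionOnlyExclusions

# 4. Review recent ASR block/audit events that reference this rule, to confirm
#    the launch from Outlook is no longer being blocked after the change.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match [regex]::Escape($RuleId) } |
  Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } }
```

Because the exclusion is rule-wide, keep the excluded path as narrow as possible (the single executable, not its parent folder) so the other ASR rules keep protecting everything else.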



@Chris Boggs - appreciate the reply and also appreciate that my question wasn't worded particularly eloquently :)


To be honest, I guess I kind of knew the answer to the question but just needed confirmation for the business more than anything.

Ah, sorry, didn't mean to imply you worded your question poorly - I meant to say we had the same question when we were needing to make our first exclusion and couldn't find a definite answer in the docs - so we tested it ourselves.

@Chris Boggs - Oh, I see! Well, I still believe I could have worded the question better :)


Good to have my findings verified, thanks for posting.