Microsoft Tech Community

ASR Rule Blocking ms-teams.exe

Hi,

 

We have seen the ASR Rule 'Block Office communication application from creating child processes' start to block ms-teams.exe this morning, which is causing quite a lot of issues in the estate.

 

The current workaround is to set the ASR Rule 'Block Office communication application from creating child processes' to Audit Mode instead of Block Mode.

This has also been mentioned by a couple of people now on Twitter, so is MS aware of this issue, and do you know when a fix may be in place so I can safely move the ASR Rule back to Block Mode?

7 Replies
Why don't you just make an exclusion for this so it's fixed permanently right away instead of a workaround?
I am also seeing the same issue with some of my users.
Yes, I’ve taken the same steps, assuming it might be related to a specific version of Teams.

Regarding notifications for known issues, is there a way to subscribe to a newsletter or receive notifications about such issues?
We had the same issue, but now everything is working again. In case you have Defender XDR, via advanced hunting you can see how big the impact was.
Query:
DeviceEvents
| where ActionType startswith 'Asr' and ActionType startswith "AsrOffice" and FileName == "ms-teams.exe"
| order by Timestamp
Query end.
Personally I think it was a bad Endpoint protection signature update. But now everything is back to normal.
Regards Raphi
Yep, the fix was added yesterday by MS on Security Intelligence version 1.415.13.0 so have reverted all changes since
Is there an official statement from MS? Haven't seen anything....

@raphael1974 

 

They added a notification in the Message Centre on Issue ID: DZ809811 yesterday at 16:48hrs GMT (UK time)

 

Root Cause:

 

A recent service update introduced a faulty signature code change that caused the ASR rules to block various actions in the Outlook desktop client.

 

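Added example, not part of the thread and not Microsoft's own script: a PowerShell check for the Audit Mode workaround and the signature fix discussed above. It reads the device's security intelligence version and the current mode of the rule, and only returns the rule to Block mode once the device is at or above 1.415.13.0, the version cited in the replies. The rule GUID is the one Microsoft documents for this rule; `Get-AsrRuleMode` and `$RevertToBlock` are names made up for this example.

```powershell
# Added example (not from the thread). Requires the Defender PowerShell module.
# GUID documented by Microsoft for
# "Block Office communication application from creating child processes".
$RuleId        = '26190899-1602-49e8-8b27-eb1d0a1ce869'
$FixedVersion  = [version]'1.415.13.0'   # fix version quoted in the thread
$RevertToBlock = $false                  # assumption: set to $true to apply the change

function Get-AsrRuleMode {
    # Hypothetical helper: map the rule's numeric action to a readable mode.
    param([Parameter(Mandatory)][string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $Id) {
            switch ($actions[$i]) {
                0       { return 'Disabled' }
                1       { return 'Block' }
                2       { return 'Audit' }
                6       { return 'Warn' }
                default { return "Unknown($_)" }
            }
        }
    }
    return 'NotConfigured'
}

$sigVersion = [version](Get-MpComputerStatus).AntivirusSignatureVersion
$mode       = Get-AsrRuleMode -Id $RuleId
$hasFix     = $sigVersion -ge $FixedVersion

# Report the state so it can be collected across the estate.
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    SignatureVersion = $sigVersion
    RuleMode         = $mode
    HasFixedVersion  = $hasFix
}

if ($mode -eq 'Audit' -and -not $hasFix) {
    Write-Warning "Signatures older than $FixedVersion; leaving rule in Audit mode."
}
elseif ($mode -eq 'Audit' -and $RevertToBlock) {
    # 'Enabled' is the cmdlet's name for Block mode.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
    Write-Output "Rule returned to Block mode: $(Get-AsrRuleMode -Id $RuleId)"
}
```

Run it from an elevated prompt. Where the rule is delivered by Intune or Group Policy, the local change is overridden, so the mode has to be changed in that policy instead.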