
ASR rule exclusion issue


It looks like I cannot get ASR exclusions to work for files on my network shares. It works fine for local files. Investigating further, I found the block was happening at the local level:
Path: C:\Users\*\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B39EF45B.xlsm (eventID1121)

The above location is where the network file is opened from on the local device.

Can someone confirm the network share exclusions do not work?

 

3 Replies
Attack surface reduction rules only work on devices with the following conditions:
Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. Using any other antivirus app will cause Microsoft Defender Antivirus to disable itself.
Real-time protection is enabled.
Audit mode isn't enabled. Use Group Policy to set the rule to Disabled (value: 0) as described in Enable attack surface reduction rules.
If these prerequisites have all been met, proceed to the next step to test the rule in audit mode.

@SABBIR_RUBAYAT These conditions are being met - rules are in block mode. But still the network files are being blocked. Local file exclusions work fine.

In this case, can you please check whether the article below matches your query or not?
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-extension-file-...
Can you be more specific about the file type, file location, your ASR policy and the exclusion type?
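
An added diagnostic sketch for the situation described in this thread (not posted by any participant and not Microsoft's code): it lists recent ASR block events (ID 1121) and shows, for each one, the path that was actually evaluated next to any configured ASR-only exclusion that appears to cover it. It assumes the event data fields are named `Path`, `ID` and `Process Name`, and the `-like` comparison is only an approximation of how Defender matches exclusions.

```powershell
# Added example: compare the path recorded in each ASR block event (1121)
# with the ASR-only exclusions configured on this device.
$log = 'Microsoft-Windows-Windows Defender/Operational'

# Exclusions as currently applied on the endpoint (may be empty).
$exclusions = @((Get-MpPreference).AttackSurfaceReductionOnlyExclusions) |
    Where-Object { $_ }

$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1121 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue

foreach ($ev in $events) {
    # Flatten <EventData><Data Name="..."> into a lookup table.
    # Field names below are assumptions; check one event's XML if they differ.
    $data = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    $blocked = $data['Path']

    # Approximate match: exclusion equals the file, matches it as a wildcard
    # pattern, or is a folder above it. Not Defender's own matching logic.
    $hit = $exclusions | Where-Object {
        $blocked -like $_ -or $blocked -like ($_.TrimEnd('\') + '\*')
    }

    [pscustomobject]@{
        Time              = $ev.TimeCreated
        RuleId            = $data['ID']
        Process           = $data['Process Name']
        BlockedPath       = $blocked
        IsUncPath         = [bool]($blocked -like '\\*')
        MatchingExclusion = if ($hit) { $hit -join '; ' } else { '<none>' }
    }
}
```

A row with `IsUncPath` false and `MatchingExclusion` `<none>` corresponds to what the original post reports: the block is logged against the local `INetCache\Content.MSO` copy, so an exclusion written for the share path does not apply to it.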