Microsoft Tech Community
SOLVED

ASR rule "Block Win32 API calls from Office macro" blocks XLS


Hi all, we have deployed Defender for Endpoint in a customer organization, and the ASR rule "Block Win32 API calls from Office macro" blocks an old version of an Excel file with a macro. We set an exclusion for the path that contains this file, but the problem persists.

If we convert this file to the new version of Excel, the problem does not appear. Is there a solution for this problem, or do we need to convert all files to the new version?

Many thanks,

Guido

2 Replies
best response confirmed by gaudium91 (Brass Contributor)
Solution
Have a look in the Defender logs - I found that once you've unblocked the original file location, Excel starts processing the macros using the local user profile 'Content.MSO' folder, so then you have to consider whether you feel you can unblock that location as well. Not ideal from a security perspective.
Interesting that you found that upgrading the Excel file version made a difference, do you have more details on that?
Hello, nice point about the "Content.MSO" folder. Tomorrow I will check with the customer and the Defender logs and report back to this post.
I'll let you know.
Many Thanks
Guido
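
An added example, not part of the original thread: an advanced hunting query (KQL, Microsoft Defender XDR) that lists the paths the rule acted on, to see whether events come from the excluded folder or from a 'Content.MSO' path as the accepted answer describes. The 7-day window and the `InContentMso`, `Events`, `Devices` and `LastSeen` column names are assumptions chosen for illustration.

```kusto
// Added example: where is "Block Win32 API calls from Office macros" firing?
// Assumption: a 7-day lookback is enough to cover the user's test of the file.
DeviceEvents
| where Timestamp > ago(7d)
// Block-mode and audit-mode events for this ASR rule
| where ActionType in ("AsrOfficeMacroWin32ApiCallsBlocked",
                       "AsrOfficeMacroWin32ApiCallsAudited")
// Flag events whose path is under the per-user Office cache folder
| extend InContentMso = FolderPath has "Content.MSO"
| summarize Events   = count(),
            Devices  = dcount(DeviceName),
            LastSeen = max(Timestamp)
    by ActionType, FolderPath, FileName, InitiatingProcessFileName, InContentMso
| order by InContentMso desc, Events desc
```

Rows with `InContentMso` set to true after the original folder was excluded match the behaviour described in the accepted answer; comparing `FolderPath` against the configured exclusion shows which location is still being evaluated.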