Create indicators based on certificates - Troubleshooting - Confirmin the Allow rule

Brass Contributor

Hi People

 

We have someones self created Tools (exe, macro ect...) and we want to singing it to baypass the ASR Rules.  

 

Accourding the announcement  Indicators enhancements: Allow/Block by certificates & more - Microsoft Tech Community  and documentation Create indicators based on certificates | Microsoft Docs should be possible. 🙂

 

I am first test it in one Excel Macro who is blocked bei Block the "Win32 API calls from Office macros" Rule. The Macro was signed and I can open the Document.... but filled 99%, not 100%....

 

About this 1% when not Work: I have figuretout, that in the Share Network's and also in the OneDrive Sync Folder, ins this place the File will also blocked :(. 

 

and my Question is, how, where I can reproduce, see that the File was "allow" because of this Certificate in the indicator...?

I see clary that the 1% when the File is blocked, and also a copy of the same file who is not signed, in the Event Viewer or in the MS 36 Defender Portal...... Time Line... hier is all good.

 

But when it works, how i can confirm that is becase I have this Certificate in the Indicators/ Allow....? 

 

note: all prerequisite are in place

 

Br

Mela

0 Replies