Sep 12 2021 01:38 AM - edited Sep 12 2021 01:43 AM
To whom it may concern,
Somebody high up in Microsoft connected with the above-mentioned portal needs to look at the detection process for ASR and the report.
It is inaccurate, and although I have no doubt that the offending ASR rule (vulnerable drivers) will eventually be added to SC or to the templates within the appropriate sections of MEM, or that these can be implemented via ADMX, it sort of makes the appropriate section of the MEM portal obsolete, as it's not a complete solution.
In fact, I would go so far as to say that the Endpoint Security section of MEM is a botch. It is designed for Enterprise, but this is not what this post is about, nor the conflicts that may result from the security baselines, SC policies, and so on. The Microsoft MEM portal needs some work, but that is IMHO.
Please note that I am a hobbyist, but I do pay, as does everyone, for these reports, and I have had to go to some lengths to prove that the attached report is incorrect (all my PCs are fully ASR compliant), as I have a script which pulls the ASR entries out of the registry, compiles them, and then annotates a file to the PC which I can then pull via live response (yes, I am aware of diagnostics, but that only works on corporate devices, not BYO). So I know that all 16 rules are applied, no matter the implementation, on all devices, whether BYO or corporate.
Even some of the hunting scripts I see that are written by MVPs and those in the pentesting fraternity (blue, red or purple) are incomplete, as they don't fully take into account all the registry entries involved or the various operating systems. In a perfect world everybody would be running Windows 10, or soon Windows 11, Enterprise, but this is not the case.
Can somebody please fix the ASR Report in the M365 Defender Portal to reflect the true nature of endpoints, not what is implemented via MSDE controls or, to be exact, this registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\ASRRules
As I am pretty sure, after investing some time, that this is how the report bases its results.
I have further work to do on Controlled Folder Access and Windows Defender exemptions, but this is well posted about on LinkedIn and other media by people much smarter and with more time than me,
and I will eventually add more Ninja training to my resume, but I appreciate a great deal that Ninja training is even available and the time that must be invested by individuals to make it so.
Thank you for reading, and consider this feedback, which I regard as highly important in a dangerous world.
Thanks.
Leon Scott
(constantly learning, interested and loves IT)
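The post describes a script that reads the ASR state out of the registry and drops a file for live response to collect. The following is an added example of that kind of audit, not the poster's script: it reads the effective configuration from Get-MpPreference and compares it with the two policy locations, the MDM value named in the post and the Group Policy key under Windows Defender Exploit Guard (the latter path, the value format "guid=state|guid=state", and the output path are assumptions, not taken from the post). Run it elevated.

```powershell
# Added example (not the original poster's script). Paths marked as assumptions below.
$MdmKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'   # from the post
$GpoKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'  # assumed GPO location
$OutFile = "$env:ProgramData\AsrAudit\asr-state.json"   # hypothetical drop location for live response

function Get-AsrEffective {
    # What Defender is actually enforcing, however the setting was delivered.
    $p = Get-MpPreference
    $map = @{}
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $map[$p.AttackSurfaceReductionRules_Ids[$i].ToUpper()] = [int]$p.AttackSurfaceReductionRules_Actions[$i]
    }
    return $map
}
function Get-AsrMdm {
    # MDM/Intune writes a single string value: "<guid>=<state>|<guid>=<state>|..." (assumed format)
    $map = @{}
    $raw = (Get-ItemProperty -Path $MdmKey -Name ASRRules -ErrorAction SilentlyContinue).ASRRules
    foreach ($pair in ($raw -split '\|')) {
        $id, $state = $pair -split '=', 2
        if ($id -and $state) { $map[$id.Trim().ToUpper()] = [int]$state }
    }
    return $map
}
function Get-AsrGpo {
    # Group Policy writes one value per rule GUID; the data is the state (0 off, 1 block, 2 audit, 6 warn)
    $map = @{}
    $item = Get-Item -Path $GpoKey -ErrorAction SilentlyContinue
    if ($item) { foreach ($n in $item.GetValueNames()) { $map[$n.ToUpper()] = [int]$item.GetValue($n) } }
    return $map
}

$eff = Get-AsrEffective; $mdm = Get-AsrMdm; $gpo = Get-AsrGpo
$allIds = @($eff.Keys) + @($mdm.Keys) + @($gpo.Keys) | Sort-Object -Unique
$rows = foreach ($id in $allIds) {
    [pscustomobject]@{
        RuleId    = $id
        Effective = $eff[$id]
        Mdm       = $mdm[$id]
        Gpo       = $gpo[$id]
        # Enforced in block mode but absent from the MDM value: exactly the rule a report
        # that only reads ASRRules would count as missing.
        InvisibleToMdmReport = ($eff[$id] -eq 1 -and -not $mdm.ContainsKey($id))
    }
}
$rows | Format-Table -AutoSize
New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
$rows | ConvertTo-Json | Set-Content -Path $OutFile -Encoding UTF8
```

Any row with InvisibleToMdmReport set to True is a rule that is enforced on the device by GPO or PowerShell but would not show as configured if the portal report only reads the Policy Manager value.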