Windows Defender ATP suddenly stopping Office add-ins from loading

Hi Guys,

A recent upgrade to Windows Defender Advanced Threat Protection (ATP) has completely stopped our company's Excel add-in working.

This appears to be a result of Attack Surface Reduction (see Use attack surface reduction rules to prevent malware infection | Microsoft Docs), and it appears that something has changed in these rules in a recent update which is preventing our Excel add-in (and others we believe too) from working.

This is a disaster for our business, as our add-in has worked for over 10 years around the world and never been blocked/disabled by Windows Defender before.

The solution appears to be customizing attack surface reduction rules to create an exemption for our add-in (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-attack-surface-r...), but most of our large clients are either taking time to do this, don't know how, or are concerned about creating exemptions.

Is this a bug in a recent update to Windows Defender ATP Attack Surface Reduction? And if so is Microsoft planning to address this?

If not, can Microsoft please explain what has changed in Windows Defender ATP Attack Surface Reduction that's caused this issue and how we're supposed to change our code base to prevent ongoing disruptions going forward.

This is a devastatingly serious issue for our business, and I'm sure we're not alone, so a prompt and detailed response would be greatly appreciated.

Thanks, Michael.

5 Replies

@modano 

We have had the exact same problem as you, where an add-in just stopped working. What's worse is that it causes Excel to constantly crash, probably because ATP tries to stop files loading and throws the whole program off.

Worse still I have been trying to get the exceptions working and it provides no results.

It's a disaster for us @levyfel.

It's now impacting all of our largest users and we cannot find any rationale or explanation from Microsoft anywhere as to why this change has been implemented and how we can address it, or whether it's a mistake that will be reversed in a future Windows Defender update.

Very frustrating and damaging stuff...

@modano 

Agreed, it would be one thing too if the exclusions were working. Some searching on the internet and this was the only complaint that I have found that fits the situation we are describing. I also found that my exclusions in Defender and then the Intune Policies do not carry over. Currently trying to do the same for some folder paths in Intune Policies under the Microsoft Defender Exploit Guard. Why there would be two ways to do the same thing I do not know. So far no luck though, as it is still being blocked and then Excel itself crashes and freezes.

I am at the point of disabling the block on Win32 API calls but I really really don't want to do that and I doubt it would even fix anything. Probably Microsoft people won't even see this thread...

We're now trying removing the Win32 API calls from the VBA add-in within our broader platform as we're hoping this is all that's causing the block.

Would be great to understand why it's suddenly popped up though.

@modano After a while, did your company find a solution? Adding the add-in as a trusted location helped, but not for long. I tried to convince our admin to make our add-in an exception to Defender, but no luck.
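
The thread never establishes which ASR rule is firing on the affected machines or whether the exclusions actually reached the endpoint. The following is an added example, not code posted by anyone in the thread, that reads both from the local Defender configuration and event log. It assumes an elevated PowerShell session on an affected Windows endpoint; the event data field names (`ID`, `Path`, `Process Name`) are assumed from the Defender operational log's ASR events, and the GUID is the one Microsoft documents for the "Block Win32 API calls from Office macros" rule.

```powershell
# Added example: inspect local ASR configuration and recent ASR events.
# Assumes an elevated session on an endpoint with the Defender cmdlets available.

$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
# Documented GUID of the "Block Win32 API calls from Office macros" rule
$win32MacroRule = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'

$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
$actions = @($pref.AttackSurfaceReductionRules_Actions)

# 1. Which ASR rules are configured on this machine, and in which mode?
$rules = for ($i = 0; $i -lt $ids.Count; $i++) {
    [pscustomobject]@{
        RuleId           = $ids[$i].ToLower()
        Mode             = $actionNames[[int]$actions[$i]]
        IsWin32MacroRule = ($ids[$i] -ieq $win32MacroRule)
    }
}
$rules | Format-Table -AutoSize

# 2. Which ASR-only exclusions does the endpoint actually report?
#    An add-in path missing here means the exclusion policy never applied.
Write-Output 'ASR-only exclusions reported by Get-MpPreference:'
$pref.AttackSurfaceReductionOnlyExclusions

# 3. Recent ASR events: 1121 = rule fired in block mode, 1122 = audit mode.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 200 -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Index the event's named data fields (field names are an assumption).
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Kind    = if ($e.Id -eq 1121) { 'Blocked' } else { 'Audited' }
        RuleId  = $data['ID']
        Process = $data['Process Name']
        Target  = $data['Path']
    }
}

# Group by rule, process and target so the rule hitting the add-in stands out.
$hits | Group-Object RuleId, Process, Target |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize -Wrap
```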