Nov 18 2021 02:04 PM
A recent upgrade to Windows Defender Advanced Threat Protection (ATP) has completely stopped our company's Excel add-in working.
This appears to be a result of Attack Surface Reduction (see Use attack surface reduction rules to prevent malware infection | Microsoft Docs), and it appears that something has changed in these rules in a recent update which is preventing our Excel add-in (and others we believe too) from working.
This is a disaster for our business, as our add-in has worked for over 10 years around the world and never been blocked/disabled by Windows Defender before.
The solution appears to be customizing attack surface reduction rules to create an exemption for our add-in (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-attack-surface-r...), but most of our large clients are either taking time to do this, don't know how, or are concerned about creating exemptions.
Is this a bug in a recent update to Windows Defender ATP Attack Surface Reduction? And if so, is Microsoft planning to address this?
If not, can Microsoft please explain what has changed in Windows Defender ATP Attack Surface Reduction that's caused this issue and how we're supposed to change our code base to prevent ongoing disruptions going forward?
This is a devastatingly serious issue for our business, and I'm sure we're not alone, so a prompt and detailed response would be greatly appreciated.
Nov 23 2021 06:23 AM
We have had the exact same problem as you, where an add-in just stopped working. What's worse is that it causes Excel to constantly crash, probably because ATP tries to stop files loading and throws the whole program off.
Worse still, I have been trying to get the exceptions working and it provides no results.
Nov 23 2021 03:24 PM
Nov 23 2021 04:51 PM
Agreed, it would be one thing too if the exclusions were working. After some searching on the internet, this was the only complaint that I have found that fits the situation we are describing. I also found that my exclusions in Defender and then the Intune Policies do not carry over. Currently trying to do the same for some folder paths in Intune Policies under the Microsoft Defender Exploit Guard. Why there would be two ways to do the same thing I do not know. So far no luck though, as it is still being blocked and then Excel itself crashes and freezes.
I am at the point of disabling the block on Win32 API calls, but I really, really don't want to do that and I doubt it would even fix anything. Probably Microsoft people won't even see this thread...
Nov 24 2021 01:27 PM