We configured all ASR rules to "Audit mode" to see what would have been blocked in the last few days. The following rules stick out:
Block Office communication application from creating child processes: here basically one app (detected file is a pdf reader) creates a few hundred detections per day. This pdf reader app is triggered by Outlook (source app) in 99% of the cases. I assume this is because opening attachments in an email opens the pdf reader. This does not look malicious. Am I right to assume that I should white list the app before enabling this rule in "Block mode"? Also: should Outlook or the pdf reader be added to the exclusions?
Block credential stealing from the Windows local security authority subsystem (lsass.exe): a few hundred detections happen here by all kinds of source apps (e.g. Taskmgr.exe, DropboxUpdate.exe,svchost.exe, ...). Detected file is lsass.exe. Is there anything to whitelist here, or should I just enable the rule in "Block mode"? What will the impact on the user machine look like?
Block Office applications from injecting code into other processes: only office applications are listed as source app (Word, Excel, PowerPoint), but the detected file is always a specific document, e.g. Document1.xlsx or PowerPoint2.pptx. There are like 30 detections in the last week. What action is exactly causing an office application to inject code into other processes? Is it safe to enable this rule in "Block mode"?
Block executable files from running unless they meet a prevalence, age, or trusted list criteria: here I can see detections when users are installing something on their machine, e.g. Setup.exe or Webex.exe. I understand, that if I enable this rule, those installations will fail. How should I define trusted list criteria in order to allow some of those executables? I cannot just whitelist C:\Users\User1\Desktop\Setup.exe because I don't know how the names of all those Setup.exe files are called. What method is there to define which executable is allowed?
