Forum Discussion
ASR rule exclusion issue
It looks like i cannot get ASR exclusions to works for files on my Network Shares. It works fine for local files. Investigating further i found the block was happening at the local level:
Path: C:\Users\*\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B39EF45B.xlsm (eventID1121)
This above location is where the network file is opened from on the local device.
Can someone confirm the network share exclusions do not work?
- Attack surface reduction rules only work on devices with the following conditions:
Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. Using any other antivirus app will cause Microsoft Defender Antivirus to disable itself.
Real-time protection is enabled.
Audit mode isn't enabled. Use Group Policy to set the rule to Disabled (value: 0) as described in Enable attack surface reduction rules.
If these prerequisites have all been met, proceed to the next step to test the rule in audit mode.SABBIR_RUBAYAT These conditions are being met - rules are in block mode. But still the network files are being blocked. Local file exclusions work fine
- In this case can you please follow below article marches with your query or not ?
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus?view=o365-worldwide
Can you be more specific on file type file location and your ASR policy and exclusion type ?
