Antivirus exclusions and ASR

From working with customers we commonly get questions about exclusions for ASR and the impact of the exclusions or when it will work or not.

Indicators in MDE does work for ASR, but not all Indicator types. Defender Antimalware exclusions does work for ASR, but not all rules honor the exclusions. Here are a few tables from learn which can help you with this:

Rules which does not honor Defender Antivirus exclusions

  • Block Adobe Reader from creating child processes
  • Block process creations originating from PSExec and WMI commands
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block Office applications from creating executable content
  • Block Office applications from injecting code into other processes
  • Block Office communication application from creating child processes

Rules which does not honor Defender for Endpoint (MDE) Indicators of type Certificate

  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block Office applications from injecting code into other processes
  • Block Win32 API calls from Office macros

For further information about attack surface reduction, please visit https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction

Happy Hunting!

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.