Tag Archive: Attack Surface Reduction

Antivirus exclusions and ASR

From working with customers we commonly get questions about exclusions for ASR: what an exclusion actually affects, and when it will or will not take effect.

Indicators in MDE do work for ASR, but not all indicator types do. Defender Antivirus exclusions also work for ASR, but not all rules honor them. Here are two tables from Microsoft Learn which can help you with this:

Rules which do not honor Defender Antivirus exclusions

  • Block Adobe Reader from creating child processes
  • Block process creations originating from PSExec and WMI commands
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block Office applications from creating executable content
  • Block Office applications from injecting code into other processes
  • Block Office communication application from creating child processes

Rules which do not honor Defender for Endpoint (MDE) indicators of type Certificate

  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block Office applications from injecting code into other processes
  • Block Win32 API calls from Office macros
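
The two tables above are easy to forget when troubleshooting a false positive, so here is an added example (not from the original post) that reads the ASR configuration of the local device with Get-MpPreference and reports which of the enabled rules will ignore an antivirus exclusion or a Certificate indicator. The rule GUIDs in the two hashtables are the ones published in the Microsoft Learn ASR rules reference and are not on this page; verify them against the current reference before relying on the mapping. The exclusion path at the end is a placeholder.

```powershell
# Added example: which enabled ASR rules will NOT honor Defender Antivirus
# exclusions or MDE Certificate indicators (the two tables above).
# Rule GUIDs: Microsoft Learn ASR rules reference; verify before use.

$IgnoresAvExclusions = @{
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from lsass.exe'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
}
$IgnoresCertIndicators = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from lsass.exe'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
}

# Numeric action codes as returned by Get-MpPreference
$ActionName = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 5 = 'NotConfigured'; 6 = 'Warn' }

$pref = Get-MpPreference
# Ids and Actions are parallel arrays: element i of Actions is the mode of rule i
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id     = ([string]$pref.AttackSurfaceReductionRules_Ids[$i]).ToLower()
    $action = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    if ($action -eq 0 -or $action -eq 5) { continue }   # rule not active, exclusions are moot

    $caveats = @()
    if ($IgnoresAvExclusions.ContainsKey($id))   { $caveats += 'ignores AV exclusions' }
    if ($IgnoresCertIndicators.ContainsKey($id)) { $caveats += 'ignores Certificate indicators' }
    if ($caveats.Count -eq 0) { continue }

    $name = if ($IgnoresAvExclusions.ContainsKey($id)) { $IgnoresAvExclusions[$id] } else { $IgnoresCertIndicators[$id] }
    [pscustomobject]@{
        RuleId = $id
        Mode   = $ActionName[$action]
        Rule   = $name
        Caveat = $caveats -join '; '
    }
}

# If a path must still be excluded, prefer an ASR-only exclusion over a global
# antivirus exclusion so the file stays subject to antivirus scanning. Whether a
# given rule honors it is documented per rule in the Learn reference.
# The path below is a placeholder.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Tools\KnownGood\agent.exe'
```

Run it in an elevated PowerShell on the endpoint; any rule it lists is one where adding a path to the antivirus exclusion list (or a Certificate indicator in the MDE portal) will not stop the block, and the fix has to be an ASR exclusion or a change to the application itself.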

For further information about attack surface reduction, please visit https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction

Happy Hunting!

New ASR Rules available

There are 2 new ASR (Attack Surface Reduction) rules available.

Attack Surface Reduction rules are a Defender feature which, as the name says, reduces the attack surface of endpoints. This is done by blocking specific attack surfaces, for example “Block all Office applications from creating child processes”, “Block untrusted and unsigned processes that run from USB” and more. There are 19 rules available today, two of which are in preview.

The great thing about ASR is that it closes attack paths outright, instead of relying on antivirus or EDR to detect the malicious code or behavior, which changes all the time.

The new rules:

Block rebooting machine in Safe Mode (preview)

GUID: 33ddedf1-c6e0-47cb-833e-de6133960387

This rule prevents the execution of commands to restart machines in Safe Mode.

Safe Mode is a diagnostic mode that only loads the essential files and drivers needed for Windows to run. However, in Safe Mode many security products are either disabled or operate in a limited capacity, which allows attackers to run further tampering commands, or simply to execute their payload and encrypt all files on the machine. This rule blocks such attacks by preventing processes from restarting the machine in Safe Mode.

Block use of copied or impersonated system tools (preview)

GUID: c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb

This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools.

Some malicious programs may try to copy or impersonate Windows system tools to avoid detection or gain privileges. Allowing such executable files can lead to potential attacks. This rule prevents propagation and execution of such duplicates and impostors of the system tools on Windows machines.

Please note that since these 2 new rules are in preview, additional updates to improve their efficacy are under development.
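
Because both rules are in preview, the sensible rollout is audit first, then block. The following is an added example (not from the original post) that enables the two rules above in audit mode, collects the audit events Defender writes for them, and summarises which processes would have been blocked. The GUIDs are the two listed above. The event data field names used ("ID", "Path", "Process Name", "User") follow the ASR event schema and are an assumption here; confirm them on a real event with $evt.ToXml() if your build differs.

```powershell
# Added example: roll out the two preview rules in audit mode, review the
# audit hits, then switch to block. GUIDs are the ones listed above.
# EventData field names ("ID", "Path", "Process Name", "User") are assumed
# from the ASR event schema; check against a real event on your build.

$NewRules = @{
    '33ddedf1-c6e0-47cb-833e-de6133960387' = 'Block rebooting machine in Safe Mode'
    'c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb' = 'Block use of copied or impersonated system tools'
}

# Step 1: add both rules in audit mode. Add-MpPreference adds the rule to (or
# updates its action in) the existing list; Set-MpPreference would replace
# the whole list and silently drop rules configured elsewhere.
foreach ($id in $NewRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# Step 2: after a bake-in period, pull the audit hits. Event 1122 = rule fired
# in audit mode (would have blocked); 1121 = rule fired in block mode.
function Get-AsrAuditHits {
    param([int]$Days = 7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue   # no events is not an error here

    foreach ($evt in $events) {
        # Read named EventData fields from the XML instead of parsing message text
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $ruleId = ([string]$data['ID']).ToLower()
        if (-not $NewRules.ContainsKey($ruleId)) { continue }   # only the two new rules
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            Rule    = $NewRules[$ruleId]
            Process = $data['Process Name']
            Target  = $data['Path']
            User    = $data['User']
        }
    }
}

Get-AsrAuditHits -Days 7 |
    Group-Object Rule, Process |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Step 3: once the audit data shows only hits you can explain (for example a
# legitimate imaging or recovery tool rebooting into Safe Mode), move the rule
# to block mode. Same cmdlet, action Enabled:
# Add-MpPreference -AttackSurfaceReductionRules_Ids '33ddedf1-c6e0-47cb-833e-de6133960387' -AttackSurfaceReductionRules_Actions Enabled
```

The grouping by rule and process is the useful part: a handful of hits from one known administrative tool is a candidate for an ASR exclusion, while hits from random binaries in user-writable paths are exactly what the two rules exist to stop.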

Happy Hunting!