Forum Discussion
brink668
Aug 03, 2022 · Brass Contributor
ASR - Behavior Changes - Blocking under User Context Now?
Since July 7-27-2022 I have been seeing around 40 of 1800 machines in my work environment that are showing blocks under %userprofile% or usercontext for .dll blocks. This is new behavior and is rece...
- Aug 15, 2022: I've so far only managed to check on one endpoint that was having the issue. However, its Security Intelligence Version updated to 1.373.383.0 this morning and it is no longer showing any symptoms of the problem. So early signs are encouraging that this may be fixed.
Tiennes
Aug 03, 2022 · Brass Contributor
Hi brink668,
I haven't observed this kind of behavior in the field with this specific ASR rule. Mostly, when specific executions or write actions are being blocked in the user space (C:\Users\%username%\*) it's because of the ASR rule Enable Controlled Folder Access.
If the ASR rule Block executable content from email client and webmail is blocking .exe, .dll or .scr files, it's most likely that these files are being executed from Microsoft Outlook, Outlook.com or other popular webmail providers (see: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-executable-content-from-email-client-and-webmail).
Have you already checked which process has initiated the execution of the particular .dll files? Is it possible that you're running a new add-on in Microsoft Outlook or something which is trying to execute files?
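To answer the "which process initiated it" question across an endpoint rather than one event at a time, here is a triage script added to this thread (not posted by either participant). It pulls ASR block (1121) and audit (1122) events from the Defender Operational log, keeps only hits for the email/webmail rule on .dll files under a user profile, and prints the endpoint's current Security Intelligence version for comparison. The event-data field names (ID, Path, Process Name, User, Security intelligence Version) are assumed from the Defender event layout; the rule GUID is the documented one for this rule.

```powershell
# Added triage script for the behaviour described in the thread (not from the original posts).
# Assumption: ASR events carry EventData fields named ID, Path, Process Name, User and
# Security intelligence Version.
$RuleId = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'   # Block executable content from email client and webmail

$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122                          # 1121 = ASR block, 1122 = ASR audit
    StartTime = (Get-Date).AddDays(-30)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }   # name -> value map
    [pscustomobject]@{
        Time          = $_.TimeCreated
        Mode          = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
        RuleId        = $d['ID']
        Path          = $d['Path']
        Process       = $d['Process Name']                                 # initiating process
        User          = $d['User']
        SigVer        = $d['Security intelligence Version']
        InUserProfile = $d['Path'] -like "$env:SystemDrive\Users\*"       # user-context path?
    }
}

# Only the email/webmail rule, only DLLs, only paths under a user profile
$suspect = $events | Where-Object {
    $_.RuleId -eq $RuleId -and $_.InUserProfile -and $_.Path -like '*.dll'
}

$suspect | Sort-Object Time -Descending |
    Format-Table Time, Mode, Process, User, Path, SigVer -AutoSize

# Current Security Intelligence version on this endpoint, to compare against the
# version the thread reports as no longer showing the symptom (1.373.383.0)
(Get-MpComputerStatus).AntivirusSignatureVersion
```

Run it elevated on an affected and an unaffected machine; if the Process column shows Outlook.exe and SigVer differs between the two groups, the signature version is the first thing to compare.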
brink668
Aug 03, 2022 · Brass Contributor
Thanks for the reply.
The issue is the ASR rule as described in my post. Outlook.exe is the initiating process, but per documentation and on all the other 1760 of my machines the ASR rule is applying to System Context and as a result does NOT block or take action on %userprofile% variables.
However, on 40 of the machines the ASR rule is applying to user context or the %userprofile% variable.
Controlled Folder Access is in Audit Mode.