Forum Discussion
brink668
Aug 03, 2022Brass Contributor
ASR - Behavior Changes - Blocking under User Context Now?
Since July 7-27-2022 I have been seeing around 40 of 1800 machines in my work environment that are showing blocks under %userprofile% or usercontext for .dll blocks. This is new behavior and is rece...
- Aug 15, 2022: I've so far only managed to check on one endpoint that was having the issue. However, its Security Intelligence Version updated to 1.373.383.0 this morning and it is no longer showing any symptoms of the problem. So early signs are encouraging that this may be fixed.
David Schrag
Aug 05, 2022Iron Contributor
Happening to us too, since around the same date. Exactly as you describe. Affecting two out of ~50 users so far. No additional insight to offer. Any news from your ticket?
brink668
Aug 05, 2022Brass Contributor
Issue persists and Microsoft support is reviewing logs/traces. The MS Docs team advised me that they are not aware of any new behavior changes to ASR, so this sounds like a possible bug. I will let you know if I find anything else out. I will be uploading more logs, but the number of machines in my environment that are affected has grown to around 180 of 1800, so it is spreading, but not sure what the root cause is yet.
- David Schrag, Aug 05, 2022, Iron Contributor
brink668 Is it your experience that on unaffected machines, add-in behavior is associated with %appdatalocal%\assembly\dl3, but on affected machines the path is %appdatalocal%\assembly\tmp? That's what it looked like to me comparing ProcMon output from two different computers. My hypothesis is that something causes a switch from the normal dl3 folder to the tmp folder and the ASR rules see the latter but not the former as a threat. I am definitely working at the outer limits of my familiarity with how .NET and Windows applications work, though.
- brink668, Aug 05, 2022, Brass Contributor
In some regards that is similar to what I see of the DL3 folder, though in historical logs prior to 7-27 the same DLL shows no ASR action on it and instead shows AntivirusReport.
#Example // Prior to 7-27-2022
C:\Users\<username>\AppData\Local\assembly\tmp\BJ1O086W\Newtonsoft.json.dll
Action = AntivirusReport (No ASR)
#Example // After 7-27-2022
C:\Users\<username>\AppData\Local\assembly\tmp\BJ1O086W\Newtonsoft.json.dll
Action = AsrExecutableEmailContentBlocked (ASR takes action)
- David Schrag, Aug 08, 2022, Iron Contributor
Any news on your end? I've opened a MS ticket as well, but no insight yet. As of this morning we have a third computer affected.
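A triage script for the path/action pattern shown in the log examples above (assembly\tmp hits now tagged with an ASR action, assembly\dl3 hits not), added here as an example and not posted by anyone in the thread. It assumes ASR block/audit events are IDs 1121/1122 in the Defender operational log with 'Path' and 'ID' (rule GUID) EventData fields, uses a placeholder for the rule GUID, and reads the signature version via Get-MpComputerStatus to compare against the 1.373.383.0 update mentioned above.

```powershell
# Added example, not from the thread. Assumptions: ASR events are IDs 1121 (block) / 1122 (audit)
# in the Defender operational log and their EventData carries 'Path' and 'ID' (rule GUID) fields.
$AsrLog          = 'Microsoft-Windows-Windows Defender/Operational'
$FixedSigVersion = [version]'1.373.383.0'   # version the thread reports as clearing the symptom

function Get-AsrEventRecord {
    # Flatten each 1121/1122 event into the fields we triage on.
    Get-WinEvent -FilterHashtable @{ LogName = $AsrLog; Id = 1121, 1122 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Mode   = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' }
                RuleId = $data['ID']
                Path   = $data['Path']
            }
        }
}

function Measure-UserAssemblyHits {
    param([Parameter(ValueFromPipeline)] $Record)
    begin { $hits = @() }
    process {
        # Only DLLs loaded from the per-user .NET shadow-copy cache are of interest here.
        if ($Record.Path -match '\\AppData\\Local\\assembly\\(tmp|dl3)\\') {
            $hits += [pscustomobject]@{
                Folder = $Matches[1]      # 'tmp' (reported as blocked) vs 'dl3' (reported as normal)
                Mode   = $Record.Mode
                RuleId = $Record.RuleId
                File   = Split-Path $Record.Path -Leaf
            }
        }
    }
    end { $hits | Group-Object Folder, Mode, RuleId | Select-Object Count, Name }
}

# Constructed sample records so the triage logic can be exercised without a live log.
$sample = @(
    [pscustomobject]@{ Mode = 'Blocked'; RuleId = '<rule-guid>'; Path = 'C:\Users\alice\AppData\Local\assembly\tmp\BJ1O086W\Newtonsoft.json.dll' }
    [pscustomobject]@{ Mode = 'Blocked'; RuleId = '<rule-guid>'; Path = 'C:\Users\bob\AppData\Local\assembly\dl3\ABCD1234\SomeAddin.dll' }
    [pscustomobject]@{ Mode = 'Blocked'; RuleId = '<rule-guid>'; Path = 'C:\Temp\unrelated.exe' }
)
$sample | Measure-UserAssemblyHits | Format-Table -AutoSize
# On a live endpoint: Get-AsrEventRecord | Measure-UserAssemblyHits

# Compare the installed security intelligence version with the one reported as fixing the issue.
$sig = [version](Get-MpComputerStatus).AntivirusSignatureVersion
$state = if ($sig -ge $FixedSigVersion) { 'at or above' } else { 'below' }
"Security intelligence $sig is $state $FixedSigVersion"
```

Run it on an affected and an unaffected machine and compare the tmp/dl3 groupings alongside the signature version to confirm whether the behaviour tracks the update.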