Forum Discussion
brink668
Aug 03, 2022, Brass Contributor
ASR - Behavior Changes - Blocking under User Context Now?
Since July 7-27-2022 I have been seeing around 40 of 1800 machines in my work environment that are showing blocks under %userprofile% or usercontext for .dll blocks. This is new behavior and is rece...
- Aug 15, 2022: I've so far only managed to check on one endpoint that was having the issue. However, its Security Intelligence Version updated to 1.373.383.0 this morning and it is no longer showing any symptoms of the problem. So early signs are encouraging that this may be fixed.
David_Smith040
Aug 09, 2022, Copper Contributor
Hi!
I got your email from Github so replying to you here. We have the same issue starting around your dates also, not sure exactly what has caused it but not all machines are affected.
After reviewing a few queries I ran in Advanced Hunting, I found that the ASR rule "Block executable content from email client and webmail" (GUID "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550") is causing some conflict with the Outlook sign-in and also some COM add-ins.
I am deploying the ASR rules from Intune; unsure if deploying from GPO would help.
Paths are from the user's %localappdata%\Microsoft\Windows\INetCache\IE\<Folder changes per file>\
Files listed as below:
jquery-1.12.4.1.min[1].js
hrd.min[1].js
jsonstrings[1].js
jquery-1.12.4.1.min[1].js
CommonDiagnostics[1].js
knockout-3.4.2[1].js
Action Type:
AsrExecutableEmailContentBlocked
Advanced hunting query - security.microsoft.com:
DeviceEvents | where ActionType startswith "ASR"
I have disabled this ASR rule for now as I guessed this is a bug rather than a feature.
Hope this helps!
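An added hunting query (not part of David_Smith040's post) that narrows the query above to the specific blocks described in this thread, so the affected machines can be counted before deciding whether to move the rule to audit mode; the action type, INetCache path and .js/.dll file types come from the posts above, while the 30-day lookback is an assumption.

```kql
// Added example: scope the ASR "email content" blocks reported in this thread.
// Assumptions: 30-day lookback; the path and extensions come from the posts above.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == "AsrExecutableEmailContentBlocked"
// Only blocks landing in the per-user browser cache, as reported above
| where FolderPath contains @"\AppData\Local\Microsoft\Windows\INetCache\"
| extend Ext = tolower(extract(@"\.([A-Za-z0-9]+)$", 1, FileName))
| where Ext in ("js", "dll")
| summarize
    Blocks = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Files = make_set(FileName, 10),
    Initiators = make_set(InitiatingProcessFileName, 5)
  by DeviceId, DeviceName
| order by Blocks desc
```

The Initiators column shows which process triggered each block, which helps confirm whether the hits are limited to Outlook or also come from other clients.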
- brink668, Aug 09, 2022, Brass Contributor: Seeing same, but I'm also getting DLLs blocked in Outlook.
- David_Smith040, Aug 09, 2022, Copper Contributor: Yup, COM add-ins are DLLs and are also blocked for me when this ASR rule is set to block.
- David Schrag, Aug 09, 2022, Iron Contributor: Still getting a few more machines affected each day. I created a group in MEM for the affected machines and tried to exclude that group from our dynamic "all devices" group to which the ASR policy is applied, then created a similar policy for the excluded devices that audits rather than blocks when the executable content trigger is detected. But I'm not seeing any change in behavior on the devices or even any evidence that they are being properly excluded from the primary policy.
Still no useful information from Microsoft support, although they assure me that they're working on it.