Forum Discussion
Solved
ASR - Behavior Changes - Blocking under User Context Now?
Since July 7-27-2022 I have been seeing around 40 of 1800 machines in my work environment that are showing blocks under %userprofile% or usercontext for .dll blocks. This is new behavior and is rece...
- I've so far only managed to check on one endpoint that was having the issue, However it's Security Intelligence Version updated to 1.373.383.0 this morning and it is no longer showing any symptoms of the problem. So early signs are encouraging that this may be fixed.
Seeing same but I’m also getting dlls blocked in Outlook.
Yup Com add-in's are DLL's and are also blocked for me when this ASR rule is set to block.
- Still getting a few more machines affected each day. I created a group in MEM for the affected machines and tried to exclude that group from our dynamic "all devices" group to which the ASR policy is applied, then created a similar policy for the excluded devices that audits rather than blocks when the executable content trigger is detected. But I'm not seeing any change in behavior on the devices or even any evidence that they are being properly excluded from the primary policy.
Still no useful information from Microsoft support, although they assure me that they're working on it.- Received an update my case is being reviewed by the ASR/WDSL (Maybe WDSI) teams. All of the additional comments have been very helpful. If anyone else has any comments please add!
