Microsoft Defender ASR rules strip icons, app shortcuts from Taskbar, Start Menu Techies are reporting that Microsoft Defender for Endpoint attack surface reduction (ASR) rules have gone haywire and are removing icons and applications shortcuts from the Taskbar and Start Menu. The problems were first noted early today, Friday 13th, by multiple IT folk and many seem to be scratching their head as to the …
For anything that's come in via MSIExec, scrape msi install guids and then foreach loop the list through msiexec /fs.
My (extremely quick and dirty) PS code is:
$list = get-wmiobject win32_product | select identifyingnumber
foreach ($thing in $list){
msiexec /fs $thing.identifyingnumber /q
start-sleep 10}
-> 'uninstalling Microsoft Office as well'
-> 'Finally, an antivirus software is doing its job and people are complaining?'
If only it followed this up by installing LibreOffice 7 then logged in, with user's MS account, and cancelled the Office 365 subscription too.
Better still if the next definition of MS Defender, nuked Windows completely, and installed Linux.
Oh noes, the Mac guys are just opening the bags of pop-corn!
Go on, is this the year of Linux on the doorstep then?
Fuck me, when are you guys going to grow a pair and recognise Windows as a self-defeating construct!
Or do you just keep making money at 'supporting' it and sneering at everything else?
sued into oblivion for acts like this.
How is this different from those ransomware infections that stop you from doing business? How many man/woman/person hours has it taken across the globe to remove their F*k ups eh?
rule 1: Add rule to block all MS owned IP addresses to firewall.
Had 2 hours this morning with Microsoft on this informing them they had a problem and they confirmed the problem at 2:40pm. It seems that early this morning, a security policy was updated with additional ability to change the file path for Microsoft products paths for greater security. You can spot this with regression score change in this area. Resulted in the same conditions as previously approx 3 months ago where you can log into web based services, but click to run are not available. I have informed our clients to continue to run web based applications rather than changing any ASR rule to monitor, which may cause more problems than it fixes. Changing the ASR to monitor on a Friday, leaving users and systems open over the weekend where you rely on Microsoft as a single vendor is a bad decision.
Had 2 hours trying figure out what has gone wrong, shortcuts disapered, start breaking security tool as vulnurability items
turns out to be ASR at the end, running not given the ability to even stop the services. unless rebooted with the ASR off.
ended up removing and reinstalling the Office suite again.
This kind of attitude is the problem, not the cure. Security people reducing attack surface to the point that nobody can do any work is a real problem these days. Hopefully they'll be the first to go once the redundancies start.
Turning this off doesn't pose a risk at all. It's not catching issues, it's catching potential routes for someone to create an issue (that so far were never actually taken advantage of). If you go home, productivity at your business will go up.
This is a right PITA as it has removed 3rd party shortcuts used to start data acquisition software on our machines. My users aren't software bods and don't appreciate having their work disrupted. I'm no pro sysadmin and don't appreciate having to rectify Microsoft's mistakes for them. (Unfortunately this market sector is mostly locked in to a Windows ecosystem now, more's the pity.)
Yep, our org had the same problem on Friday. I was the first to notice it / unlucky to get the definitions installed, so my laptop was used as the guinea pig. Thankfully I'd noticed that Defender had been popping up more notifications than usual, so we quickly isolated the problem, the offending rule was disabled, and I was then left with the task of fixing up my shortcuts. Sigh.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
