Exclusions being added to ASR and then shortcuts being pushed back out... Appears to work in testing on a few PCs
Microsoft Defender ASR rules strip icons, app shortcuts from Taskbar, Start Menu
Techies are reporting that Microsoft Defender for Endpoint attack surface reduction (ASR) rules have gone haywire and are removing icons and applications shortcuts from the Taskbar and Start Menu. The problems were first noted early today, Friday 13th, by multiple IT folk and many seem to be scratching their head as to the …
COMMENTS
-
-
-
Friday 13th January 2023 15:05 GMT Naselus
Re: Have the same issue
For anything that's come in via MSIExec, scrape msi install guids and then foreach loop the list through msiexec /fs.
My (extremely quick and dirty) PS code is:
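# Product code (GUID) of every MSI-installed product
$list = Get-WmiObject Win32_Product | Select-Object IdentifyingNumber
foreach ($thing in $list) {
    # /fs rewrites all shortcuts; /q runs without UI
    msiexec /fs $thing.IdentifyingNumber /q
    # msiexec returns straight away, so pause before the next repair
    Start-Sleep 10
}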
-
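A variant of the repair loop in the comment above, added here as an example and not part of the original post: it reads MSI product codes from the per-machine Uninstall registry keys instead of Win32_Product (querying that class makes Windows Installer run a consistency check on every installed package), and it waits on each msiexec call and records its exit code instead of sleeping. It assumes an elevated PowerShell session; the variable names are illustrative.

```powershell
# Added example, not the commenter's code. Run from an elevated session.

# Per-machine uninstall keys, 64-bit and 32-bit registry views.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# MSI-installed products are registered under their product code (a braced
# GUID) and carry WindowsInstaller = 1.
$guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

$products = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($_.PSChildName -match $guidPattern -and $props.WindowsInstaller -eq 1) {
            [pscustomobject]@{
                ProductCode = $_.PSChildName
                Name        = $props.DisplayName
            }
        }
    }
}

$results = foreach ($p in ($products | Sort-Object ProductCode -Unique)) {
    # /fs rewrites all shortcuts for the product; /qn suppresses the UI.
    # -Wait replaces the fixed sleep: Windows Installer runs one install at a time.
    $proc = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList '/fs', $p.ProductCode, '/qn' -Wait -PassThru
    [pscustomobject]@{
        Name        = $p.Name
        ProductCode = $p.ProductCode
        ExitCode    = $proc.ExitCode   # 0 = success, 3010 = success, reboot required
    }
}

# List anything that did not repair cleanly so it can be handled by hand.
$results | Where-Object { $_.ExitCode -notin 0, 3010 } | Format-Table -AutoSize
```

Like the original loop, this only covers software installed through Windows Installer.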
-
-
Saturday 14th January 2023 04:02 GMT Anonymous Coward
Re: uninstalling Microsoft Office as well
-> 'uninstalling Microsoft Office as well'
-> 'Finally, an antivirus software is doing its job and people are complaining?'
If only it followed this up by installing LibreOffice 7 then logged in, with user's MS account, and cancelled the Office 365 subscription too.
Better still if the next definition of MS Defender nuked Windows completely, and installed Linux.
-
-
-
Friday 13th January 2023 21:36 GMT Snapper
Re: My Linux VM
Oh noes, the Mac guys are just opening the bags of pop-corn!
Go on, is this the year of Linux on the doorstep then?
Fuck me, when are you guys going to grow a pair and recognise Windows as a self-defeating construct!
Or do you just keep making money at 'supporting' it and sneering at everything else?
-
-
Friday 13th January 2023 14:11 GMT Steve Davies 3
It is long past time that MS were
sued into oblivion for acts like this.
How is this different from those ransomware infections that stop you from doing business? How many man/woman/person hours has it taken across the globe to remove their F*k ups eh?
rule 1: Add rule to block all MS owned IP addresses to firewall.
-
Friday 13th January 2023 16:38 GMT bss
Microsoft Strike again - ASR Rule
Had 2 hours this morning with Microsoft on this informing them they had a problem and they confirmed the problem at 2:40pm. It seems that early this morning, a security policy was updated with additional ability to change the file path for Microsoft products paths for greater security. You can spot this with regression score change in this area. Resulted in the same conditions as previously approx 3 months ago where you can log into web based services, but click to run are not available. I have informed our clients to continue to run web based applications rather than changing any ASR rule to monitor, which may cause more problems than it fixes. Changing the ASR to monitor on a Friday, leaving users and systems open over the weekend where you rely on Microsoft as a single vendor is a bad decision.
-
Friday 13th January 2023 19:05 GMT rizak
Re: Microsoft Strike again - ASR Rule
Had 2 hours trying to figure out what has gone wrong, shortcuts disappeared, start breaking security tool as vulnerability items
turns out to be ASR at the end, running not given the ability to even stop the services. unless rebooted with the ASR off.
ended up removing and reinstalling the Office suite again.
-
Monday 16th January 2023 07:37 GMT Anonymous Coward
Re: Microsoft Strike again - ASR Rule
This kind of attitude is the problem, not the cure. Security people reducing attack surface to the point that nobody can do any work is a real problem these days. Hopefully they'll be the first to go once the redundancies start.
Turning this off doesn't pose a risk at all. It's not catching issues, it's catching potential routes for someone to create an issue (that so far were never actually taken advantage of). If you go home, productivity at your business will go up.
-
-
Monday 16th January 2023 11:50 GMT Anonymous Coward
PITA
This is a right PITA as it has removed 3rd party shortcuts used to start data acquisition software on our machines. My users aren't software bods and don't appreciate having their work disrupted. I'm no pro sysadmin and don't appreciate having to rectify Microsoft's mistakes for them. (Unfortunately this market sector is mostly locked in to a Windows ecosystem now, more's the pity.)
-
Monday 16th January 2023 12:17 GMT deanb01
There's your problem, right there
Yep, our org had the same problem on Friday. I was the first to notice it / unlucky to get the definitions installed, so my laptop was used as the guinea pig. Thankfully I'd noticed that Defender had been popping up more notifications than usual, so we quickly isolated the problem, the offending rule was disabled, and I was then left with the task of fixing up my shortcuts. Sigh.