Microsoft has addressed a false positive in a buggy Microsoft Defender ASR rule that deleted application shortcuts from the desktop, Start menu and taskbar. In some cases the shortcuts that remained could no longer be used to launch the linked apps.
The issue affected app shortcuts on onboarded devices after a Microsoft Defender for Endpoint attack surface reduction (ASR) rule was incorrectly triggered.
This ASR rule, named “Block Win32 API Calls From Office Macro” in Configuration Manager and “Win32 Imports From Office Macros Code” in Intune, is meant to stop malware from using VBA macros to call Win32 APIs.
Microsoft warns that malware can abuse this capability, for example by calling Win32 APIs to execute malicious shellcode.
“Most companies don’t depend on being able to call Win32 APIs for their day-to-day operations, even though they may use macros other than Win32.”
Normally this helps reduce the attack surface available to threat actors on devices protected by Microsoft Defender Antivirus, but a bad Defender signature update (1.381.2140.0) caused the ASR rule (Rule ID: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b) to misfire against users’ app shortcuts, falsely flagging them as malicious.
Windows administrators reported that shortcuts for both third-party and Microsoft apps were being deleted by the ASR rule.
One admin stated that “we’ve just onboarded our estate with Defender for Endpoint” and reported to us this morning that the program shortcuts for Chrome, Firefox and Outlook disappeared after their machines rebooted.
Another admin added: “We’re seeing exactly the same issue. I had to push an update for this policy to change it to Audit mode rather than Block. It’s trashing nearly all third party apps, even first ones, as you have also stated – Outlook, Slack and Chrome.”
Microsoft has reverted the offending ASR rule and asked customers to monitor SI MO497128 in the admin center for further updates.
A specific rule caused us to notice an increase in the impact of our investigation. To prevent any further damage, we have reverted this rule while further investigation is underway. Please refer to SI MO497128 in your admin center for more details.
— Microsoft 365 Status @MSFT365Status
Microsoft stated that it had reverted the offending ASR rule, but that the change was still propagating through its environment and could take several hours to reach all affected customers.
Microsoft recommended that customers take immediate action by setting the ASR rule to Audit mode, so that it has no further effect until the updated signature has been deployed.
One of the following methods can be used to switch the ASR rule to Audit mode:
- Using PowerShell: Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions AuditMode
The rule can also be disabled outright with this PowerShell command:
Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions Disabled
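The following PowerShell script is an added example, not code from the article or from Microsoft. It wraps the one-liner above in the checks an admin would want before and after running it: it reports the installed security intelligence version (so the known-bad build 1.381.2140.0 cited above can be spotted), reads the rule's current action out of Get-MpPreference, switches it to Audit mode only if it is actually set to Block, and verifies that the local change stuck. The numeric action codes (0 = Disabled, 1 = Block, 2 = AuditMode, 6 = Warn) are how Defender exposes rule actions; the rule ID and bad signature version are the ones quoted in the article.

```powershell
# Added example (not from the article or Microsoft): inspect, audit-mode and
# verify the "Win32 API calls from Office macros" ASR rule. Run elevated.
$RuleId       = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'   # rule ID from the article
$BadSignature = '1.381.2140.0'                           # bad signature build from the article

# Get-MpPreference exposes ASR actions as a numeric array that is index-aligned
# with the rule ID array: 0 = Disabled, 1 = Block, 2 = AuditMode, 6 = Warn.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

function Get-AsrRuleAction {
    param([Parameter(Mandatory)][string]$Id)
    $pref = Get-MpPreference
    # Force an array even when zero or one rule is configured, and compare case-insensitively.
    $ids   = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    $index = [array]::IndexOf($ids, $Id.ToLower())
    if ($index -lt 0) { return 'NotConfigured' }
    $code = [int]$pref.AttackSurfaceReductionRules_Actions[$index]
    if ($ActionNames.ContainsKey($code)) { return $ActionNames[$code] }
    return "Unknown($code)"
}

# 1. Report the installed security intelligence version so the bad build is visible.
$status = Get-MpComputerStatus
Write-Host "Antivirus signature version: $($status.AntivirusSignatureVersion)"
if ($status.AntivirusSignatureVersion -eq $BadSignature) {
    Write-Warning "Known-bad signature $BadSignature is installed; shortcuts will be deleted while the rule is in Block."
}

# 2. Show the rule's current action.
$before = Get-AsrRuleAction -Id $RuleId
Write-Host "Rule $RuleId is currently: $before"

# 3. Move it to Audit mode only if it is really blocking. Audit keeps the
#    telemetry (events still show up in Defender) but no longer deletes files.
if ($before -eq 'Block') {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode
}

# 4. Verify the change took effect locally.
$after = Get-AsrRuleAction -Id $RuleId
Write-Host "Rule $RuleId is now: $after"
if ($before -eq 'Block' -and $after -ne 'AuditMode') {
    Write-Warning "Local change did not stick; the rule is probably enforced by Intune or Group Policy and must be changed at the policy source."
}
```

If the rule is pushed by Intune or Group Policy, a local Add-MpPreference change is overwritten at the next policy refresh, which is why the admin quoted above changed the policy itself rather than the endpoint. Audit mode is preferable to Disabled here: the rule keeps generating events you can review, and re-enabling Block after the fixed signature arrives is a single setting change.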
Microsoft recommended that customers use the to launch Office apps until the problem is resolved.
Administrators have shared PowerShell scripts that recreate the Microsoft Office shortcuts deleted from the Start Menu. Such scripts should be reviewed before they are run in production.
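As an illustration of what such a restoration script does, here is an added PowerShell example; it is not one of the admin-written scripts the article refers to. It recreates missing Start Menu shortcuts for a set of Office apps using the WScript.Shell COM object, skipping apps that are not installed and shortcuts that survived. The Office install path, the Start Menu path and the app-to-executable table are assumptions for a default Click-to-Run install and will need adjusting for other layouts.

```powershell
# Added example (not one of the scripts the article mentions): recreate missing
# Office Start Menu shortcuts. Paths and the app list are assumed defaults.
$OfficeRoot = Join-Path ${env:ProgramFiles} 'Microsoft Office\root\Office16'        # assumption
$StartMenu  = Join-Path ${env:ProgramData} 'Microsoft\Windows\Start Menu\Programs'   # assumption

# Shortcut display name -> executable name (assumed; adjust for your estate).
$Apps = @{
    'Word'       = 'WINWORD.EXE'
    'Excel'      = 'EXCEL.EXE'
    'PowerPoint' = 'POWERPNT.EXE'
    'Outlook'    = 'OUTLOOK.EXE'
    'OneNote'    = 'ONENOTE.EXE'
}

function Restore-OfficeShortcuts {
    [CmdletBinding()]
    param(
        [string]$Root = $OfficeRoot,
        [string]$Dest = $StartMenu,
        [hashtable]$Targets = $Apps,
        [switch]$DryRun          # report what would be created without writing anything
    )
    $shell    = New-Object -ComObject WScript.Shell
    $restored = @()
    foreach ($name in $Targets.Keys) {
        $exe = Join-Path $Root $Targets[$name]
        $lnk = Join-Path $Dest "$name.lnk"
        if (-not (Test-Path $exe)) { Write-Verbose "$exe not installed; skipping"; continue }
        if (Test-Path $lnk)        { Write-Verbose "$lnk still present; leaving it alone"; continue }
        if ($DryRun) { Write-Host "Would create $lnk -> $exe"; continue }
        # WScript.Shell builds a standard .lnk; set target, working dir and icon, then save.
        $sc = $shell.CreateShortcut($lnk)
        $sc.TargetPath       = $exe
        $sc.WorkingDirectory = $Root
        $sc.IconLocation     = "$exe,0"
        $sc.Save()
        $restored += $lnk
    }
    return $restored
}

Restore-OfficeShortcuts -DryRun            # dry run first
$created = Restore-OfficeShortcuts -Verbose
Write-Host "Recreated $($created.Count) shortcut(s)"
```

Run this only after the rule has been moved to Audit mode or the corrected signature has arrived; while the rule is still in Block with the bad signature installed, recreated shortcuts are deleted again at the next scan.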
Windows administrators have faced numerous false positives from Microsoft Defender for Endpoint over the past two years.
Almost a year ago, a wave of Defender for Endpoint alerts falsely tagged Office updates as malicious on Windows endpoints.
In November 2021, Defender ATP blocked Office documents from opening due to another false positive.
A month later, in December 2021, it displayed “sensor tampering” alerts that were linked to Log4j’s .
Similar Defender for Endpoint false positive issues showed . They were also tagged .