Windows 10: Attack Surface Reduction

Discuss and support Attack Surface Reduction in Windows 10 Gaming to solve the problem; Windows security keeps blocking some of my scheduled tasks. When I look in the protection log it says This is on a home system that no one else uses... Discussion in 'Windows 10 Gaming' started by Other_side, Aug 13, 2023.

  1. Attack Surface Reduction


    Windows security keeps blocking some of my scheduled tasks. When I look in the protection log it says This is on a home system that no one else uses

    :)
     
    Other_side, Aug 13, 2023
    #1
  2. SE_GB Win User

    Windows Defender Device Guard: Attack Surface Reduction

    Dear community,

    I am experiencing a relatively strange behavior using Attack Surface Reduction from the Defender Device Guard.

    As recommended in the baseline security 1809, I did activate the recommended ASR rules; one of them being "Block untrusted and unsigned processes that run from USB" - elaborated here.

    I did create an unsigned application using Visual Studio and C#. It runs fine on the build machine.

    Starting it from a USB drive, Defender Application Guard blocks the application (Code 1121, ID b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4). Intended and expected behavior.

    Copying the previously started (and blocked) application to the local disk and trying to start it from there, it gets blocked again. Not so expected behavior.

    Renaming this executable on the local disk to "xyz_.exe", it is not blocked. Renaming it back to the name under which it was blocked on the USB drive, it gets blocked again.

    Does anybody have an idea whether the names of blocked applications are cached in some way, or why this behavior occurs?

    Kind regards
     
    SE_GB, Aug 13, 2023
    #2
  3. CCleaner Update Triggers Attack Surface Reduction Rule

    After the update to v5.75.8238, CCleaner64.exe triggers an Attack Surface Reduction rule:
    Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    Rule GUID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2

    You won't notice it unless you happen to have ASR in place with Microsoft Defender for Endpoint.
    Here is the event log entry:

    Log Name: Microsoft-Windows-Windows Defender/Operational
    Source: Windows Defender
    Event ID 1121

    Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
    For more information please contact your IT administrator.
    ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
    Detection time: 2020-12-11T01:57:18.185Z
    User: XXXXXX-XXXXXX\xxxxxxxxxxx

    Path: C:\Windows\System32\lsass.exe
    Process Name: C:\Program Files\CCleaner\CCleaner64.exe
    Security intelligence Version: 1.329.181.0
    Engine Version: 1.1.17700.4
    Product Version: 4.18.2011.6

    A similar message shows up in the GUI also containing:
    "Block credential stealing from the Windows local security authority subsystem (lsass.exe)"
     
    mjohnsonn2, Aug 13, 2023
    #3
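    The three reports above (a scheduled task, an unsigned executable from USB, and CCleaner64.exe touching lsass.exe) all surface the same way: an Event ID 1121 entry in the Microsoft-Windows-Windows Defender/Operational log carrying the rule GUID, the path and the process name, exactly as quoted in post #3. The following PowerShell is an added example and not code from any poster: it lists recent ASR block (1121) and audit (1122) events, maps the two rule GUIDs that appear in this thread to their names, and shows the current per-rule configuration. The "Key: Value" regexes assume the message layout shown in post #3; the rule-name table covers only the two GUIDs from this thread, and the exclusion path at the end is a placeholder.

```powershell
# Added example (not from any post in this thread): trace ASR events to the rule that fired.
# Only the two rule GUIDs that appear in this thread are mapped; extend the table from
# Microsoft's ASR rule reference for the rest.
$AsrRuleNames = @{
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)'
}

function Get-AsrEvents {
    param([int]$Days = 7)
    # 1121 = operation blocked (rule in Block mode), 1122 = operation audited (rule in Audit mode)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumption: the rendered message uses the "ID: / Path: / Process Name: / User:" layout
        # quoted in post #3. '.' does not cross line breaks, so each capture stops at end of line.
        $msg = $_.Message
        $id  = if ($msg -match 'ID:\s*([0-9a-fA-F-]{36})') { $Matches[1].ToLower() } else { $null }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Mode     = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId   = $id
            RuleName = if ($id -and $AsrRuleNames.ContainsKey($id)) { $AsrRuleNames[$id] } else { '(unknown GUID - look it up)' }
            Path     = if ($msg -match 'Path:\s*(.+)')         { $Matches[1].Trim() } else { $null }
            Process  = if ($msg -match 'Process Name:\s*(.+)') { $Matches[1].Trim() } else { $null }
            User     = if ($msg -match 'User:\s*(.+)')         { $Matches[1].Trim() } else { $null }
        }
    }
}

# What has been blocked or audited in the last 30 days, newest first.
Get-AsrEvents -Days 30 |
    Sort-Object Time -Descending |
    Format-Table Time, Mode, RuleName, Process, Path -AutoSize

# Which rules are configured and with what action
# (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn). Ids and Actions are parallel arrays.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}

# If one legitimate program keeps tripping one rule, the narrow fix is an ASR-only
# exclusion for that file, or switching just that rule to Audit while you investigate,
# rather than disabling ASR. Both need an elevated prompt; the path is a placeholder.
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\PLACEHOLDER\TrustedApp.exe'
# Set-MpPreference -AttackSurfaceReductionRules_Ids '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' `
#                  -AttackSurfaceReductionRules_Actions AuditMode
```

    Running this after reproducing the behaviour from post #2 (launch from USB, then from the local disk, then renamed) gives a dated row per launch with the rule GUID that fired, which is more reliable evidence than the pop-up alone when deciding whether the local-disk block is the same rule or a different one.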
  4. Attack Surface Reduction

    Problem updating Windows Surface Pro 4 with Windows 10 feature updates

    Hi,

    I have managed to install an image for the Microsoft Surface Pro 4 by going to https://support.microsoft.com/en-us/...erecoveryimage and downloading a recovery image for the Microsoft Surface Pro 4.

    What I did to reset your Surface from a USB recovery drive was:
    Step 1: Make sure your Surface is turned off and plugged in (hold down the power
    button for 30 seconds).
    Step 2: Insert the USB recovery drive into the USB port on your Surface.
    Step 3: Press and hold the volume-down button while you press and release the
    power button on your Surface.
    Step 4: When the Surface logo appears, release the volume button.
    Step 5: When prompted, select the language and keyboard layout you want.
    Step 6: Select Troubleshoot > Reset your PC.
    If prompted for a recovery key, select Skip this drive at the bottom of the
    screen.
    Step 7: Select the target operating system you wish to reset. This
    refers to the current operating system installed on your Surface.
    Step 8: Select Yes, repartition the drives, and on the next page, select Next.
    Step 9: Choose Just remove my files.
    Step 10: Select Reset.
    Surface restarts and the Surface logo displays while the reset process continues
    (this can take a while).

    This always fails, and I have to do the below, which continues the installation.
    Windows 10 Installation Media:

    1. Insert the Media (DVD/USB) in your PC and restart.
    2. Boot from the media.
    3. Select Repair Your Computer.
    4. Select Troubleshoot.
    5. Choose Command Prompt from the menu:
    Type in the command:
    Diskpart
    Type in the command:
    List disk (Note which disk is your Boot drive number mine is 0)
    Type in the command:
    Sel disk 0
    Type in the command:
    List vol (Note which volume is the EFI partition mine is 4)
    Type in the command:
    Sel vol 4
    Type in the command:
    assign letter=V:
    Type in the command:
    Exit
    Type in the command:
    V:
    After you have assigned a drive letter Using Diskpart You can format the EFI partition:
    Example: if you assigned a letter V to the partition the command would be:
    format V: /FS:FAT32
    Type in the command:
    bcdboot C:\windows /s V: /f UEFI


    Now I have an issue that I cannot install Feature Updates. They keep failing to install.
    Any ideas how to resolve this issue?
     
    jaburmester, Aug 13, 2023
    #4