Windows 10: CCleaner Update Triggers Attack Surface Reduction Rule

Discussion in 'Windows 10 Software and Apps' started by mjohnsonn2, Dec 12, 2020.

  1. CCleaner Update Triggers Attack Surface Reduction Rule


    The update to v5.75.8238, CCleaner64.exe triggers an Attack Surface Reduction rule:
    Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    Rule GUID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2

    You won't notice it unless you happen to have ASR in place with Microsoft Defender for Endpoint.
    Here is the event log entry:

    Log Name: Microsoft-Windows-Windows Defender/Operational
    Source: Windows Defender
    Event ID 1121

    Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
    For more information please contact your IT administrator.
    ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
    Detection time: 2020-12-11T01:57:18.185Z
    User: XXXXXX-XXXXXX\xxxxxxxxxxx

    Path: C:\Windows\System32\lsass.exe
    Process Name: C:\Program Files\CCleaner\CCleaner64.exe
    Security intelligence Version: 1.329.181.0
    Engine Version: 1.1.17700.4
    Product Version: 4.18.2011.6

    A similar message shows up in the GUI also containing:
    "Block credential stealing from the Windows local security authority subsystem (lsass.exe)"

    :)
     
    mjohnsonn2, Dec 12, 2020
    #1
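For anyone else who sees Event ID 1121 like the entry above, the following PowerShell is an added example (not posted by anyone in this thread) that pulls the ASR block events from the Defender operational log, extracts the rule GUID and the blocked process, and shows the two usual ways to handle a false positive. It assumes an elevated session; the GUID-to-name map only covers the two rules quoted on this page.

```powershell
# Added example: triage ASR block events (Event ID 1121) on the local machine.
# Only the two rule GUIDs mentioned in this thread are mapped to names.
$asrRuleNames = @{
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS (lsass.exe)'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes that run from USB'
}

# Pull every ASR block event (1121) from the Defender operational log.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121
} -ErrorAction SilentlyContinue

# The message body uses "Field: value" lines exactly like the entry quoted
# in the thread, so a line-based regex is enough to pull out the pieces.
$hits = foreach ($e in $events) {
    $m = $e.Message
    $id   = if ($m -match 'ID:\s*([0-9A-Fa-f-]{36})') { $Matches[1].ToUpper() }
    $path = if ($m -match 'Path:\s*(.+)')             { $Matches[1].Trim() }
    $proc = if ($m -match 'Process Name:\s*(.+)')     { $Matches[1].Trim() }
    $name = if ($id -and $asrRuleNames.ContainsKey($id)) { $asrRuleNames[$id] } else { 'unknown rule GUID' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        RuleId  = $id
        Rule    = $name
        Target  = $path      # e.g. C:\Windows\System32\lsass.exe
        Process = $proc      # the process that was blocked
    }
}

# Which processes trip which rule, most frequent first. A legitimate updater
# repeatedly hitting the LSASS rule (the case in this thread) stands out here.
$hits | Group-Object RuleId, Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Option 1: switch just the LSASS rule to audit mode while you investigate
# (events keep being logged, nothing is blocked).
# Set-MpPreference -AttackSurfaceReductionRules_Ids 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 `
#                  -AttackSurfaceReductionRules_Actions AuditMode

# Option 2: keep the rule in block mode and exclude only the one binary.
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\CCleaner\CCleaner64.exe'
```

Option 2 is the narrower change: the rule keeps protecting lsass.exe from everything except the single excluded path, so prefer it over turning the whole rule down.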
  2. SE_GB Win User

    Windows Defender Device Guard: Attack Surface Reduction

    Dear community,

    I am experiencing a relatively strange behavior using Attack Surface Reduction from the Defender Device Guard.

    As recommended in the baseline security 1809, I did activate the recommended ASR rules; one of them being "Block untrusted and unsigned processes that run from USB" - elaborated here.

    I did create an unsigned application using Visual studio and C#. Runs fine on the build machine.

    Starting it from a USB drive, Defender Application Guard blocks the application (Code 1121, ID b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4). Intended and expected behavior.

    Copying the previously started (and blocked) application to the local disk and trying to start it from there, it gets blocked again. Not so expected behavior.

    Renaming this executable on the local disk to "xyz_.exe" it is not blocked. Renaming it to its once blocked at USB name, it gets blocked again.

    Does anybody have an idea, if the names of the blocked application are cached in some way or why this behavior occurs?

    Kind regards
     
    SE_GB, Dec 12, 2020
    #2
  3. Rob Koch Win User
    WD ASR : Block executable files from running unless they meet a prevalence, age, or trusted list criteria.

    These forums are for consumers, so your question about an Attack Surface Reduction rule that's typically managed via Windows Defender Advanced Threat Protection (Windows Defender ATP) is out of scope here. You should be asking this in the appropriate TechNet forums related to that product.

    That said, I assume you found the following document that provides what little information seems to exist in the public domain? I assume you'd need to know how to manage the prevalence, age, trusted list or exclusion list items within either WD ATP or enterprise policies in order to configure them for the rule to work.

    Rob

    Use attack surface reduction rules to prevent malware infection - Microsoft Docs


    Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria


    This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list:

    • Executable files (such as .exe, .dll, or .scr)

    Note: You must enable cloud-delivered protection to use this rule.
     
    Rob Koch, Dec 12, 2020
    #3
  4. OldMike65 Win User


    Latest CCleaner Version Released


    @Brink

    New Update for CCleaner



    Tuesday, February 13, 2018 CCleaner v5.40



    The Piriform team would like to announce the latest release of CCleaner for Windows.
    This update adds more cleaning for Edge and a screen where you can review your subscription status. Additionally, the Avast offer in the CCleaner installer is no longer shown if you have previously declined it.
    If you have suggestions for what you'd like to see next in CCleaner, please drop by our forums and let us know in our suggestions area.
    Browser Cleaning

    • Edge: Added new 'Set aside tabs' cleaning rule
    Windows Cleaning

    • Added warning for 'Old prefetch data' cleaning rule
    General

    • Minor user interface improvements
    • Minor bug fixes
     
    OldMike65, Dec 12, 2020
    #4