Windows 10: Windows Defender: Attack Surface Reduction - No Events in EventLog for some blocked actions

Discussion in 'AntiVirus, Firewalls and System Security' started by Steffen_Azure, Nov 24, 2022.

  1. Windows Defender: Attack Surface Reduction - No Events in EventLog for some blocked actions


    I have some ASR rules activated set to Block for my clients, like "Block process creations originating from PSExec and WMI commands" or "Block JavaScript or VBScript from launching downloaded executable content". While testing the rules, it seems like they work as intended, but in the event viewer, as explained here, I only get an event ID 1021 for some blocked ASR rules. For example, the "Block JavaScript or VBScript from launching downloaded executable content". I used a simple JS script to test it: var xmlHttp = WScript.CreateObject("MSXML2.XMLHTTP"); xmlHttp.open("GET", "https://w

    :)
     
    Steffen_Azure, Nov 24, 2022
    #1
  2. SE_GB Win User

    Windows Defender Device Guard: Attack Surface Reduction

    Dear community,

    I am experiencing a relatively strange behavior using Attack Surface Reduction from the Defender Device Guard.

    As recommended in the baseline security 1809, I did activate the recommended ASR rules; one of them being "Block untrusted and unsigned processes that run from USB" - elaborated here.

    I did create an unsigned application using Visual Studio and C#. Runs fine on the build machine.

    Starting it from a USB drive, Defender Application Guard blocks the application (Code 1121, ID b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4). Intended and expected behavior.

    Copying the previously started (and blocked) application to the local disk and trying to start it from there, it gets blocked again. Not so expected behavior.

    Renaming this executable on the local disk to "xyz_.exe" it is not blocked. Renaming it to its once blocked at USB name, it gets blocked again.

    Does anybody have an idea, if the names of the blocked application are cached in some way or why this behavior occurs?

    Kind regards
     
    SE_GB, Nov 24, 2022
    #2
  3. CCleaner Update Triggers Attack Surface Reduction Rule

    The update to v5.75.8238, CCleaner64.exe triggers an Attack Surface Reduction rule:
    Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    Rule GUID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2

    You won't notice it unless you happen to have ASR in place with Microsoft Defender for Endpoint.
    Here is the event log entry:

    Log Name: Microsoft-Windows-Windows Defender/Operational
    Source: Windows Defender
    Event ID 1121

    Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
    For more information please contact your IT administrator.
    ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
    Detection time: 2020-12-11T01:57:18.185Z
    User: XXXXXX-XXXXXX\xxxxxxxxxxx

    Path: C:\Windows\System32\lsass.exe
    Process Name: C:\Program Files\CCleaner\CCleaner64.exe
    Security intelligence Version: 1.329.181.0
    Engine Version: 1.1.17700.4
    Product Version: 4.18.2011.6

    A similar message shows up in the GUI also containing:
    "Block credential stealing from the Windows local security authority subsystem (lsass.exe)"
     
    mjohnsonn2, Nov 24, 2022
    #3
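To check which configured ASR rules have actually written events, the rule configuration can be compared with the Defender operational log. The script below is an added example, not code from any of the posts; it assumes an English system whose rendered event message has the "ID:" line shown in the log entry quoted above, and an elevated session may be needed to read the log.

```powershell
# Added example: compare configured ASR rules with the ASR events they logged.
$log   = 'Microsoft-Windows-Windows Defender/Operational'
$modes = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Configured rules: the two arrays are index-aligned (rule GUID -> action).
$pref = Get-MpPreference
$configured = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
    $configured[$id] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
}

# ASR events: 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1121, 1122 } `
    -ErrorAction SilentlyContinue

# Take the rule GUID from the "ID:" line of the rendered message
# (assumption: message layout as in the entry quoted in the post above).
$seen = @{}
foreach ($e in $events) {
    if ($e.Message -match '(?m)^\s*ID:\s*([0-9A-Fa-f-]{36})') {
        $id = $Matches[1].ToUpper()
        if (-not $seen.ContainsKey($id)) {
            # Get-WinEvent returns newest first, so the first hit is the latest.
            $seen[$id] = @{ 1121 = 0; 1122 = 0; Last = $e.TimeCreated }
        }
        $seen[$id][$e.Id]++
    }
}

# One row per configured rule; rules with no events sort to the top.
$configured.GetEnumerator() | ForEach-Object {
    $hit = $seen[$_.Key]
    [pscustomobject]@{
        RuleId      = $_.Key
        Mode        = $modes[$_.Value]
        Blocked1121 = if ($hit) { $hit[1121] } else { 0 }
        Audited1122 = if ($hit) { $hit[1122] } else { 0 }
        LastEvent   = if ($hit) { $hit.Last } else { $null }
    }
} | Sort-Object Blocked1121, Audited1122 | Format-Table -AutoSize
```

A rule listed in Block mode with zero 1121 events after a test that was visibly blocked is the situation described in the first post.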
  4. NMI Win User

    Windows Defender: Attack Surface Reduction - No Events in EventLog for some blocked actions

    Microsoft Defender will soon block Windows password theft

    This bit from that link is simple and benign:

     