Windows 10: Windows Defender: Attack Surface Reduction - No Events in EventLog for some blocked actions

Discus and support Windows Defender: Attack Surface Reduction - No Events in EventLog for some blocked actions in AntiVirus, Firewalls and System Security to solve the problem; I have some ASR rules activated set to Block for my clients, like "Block process creations originating from PSExec and WMI commands" or "Block... Discussion in 'AntiVirus, Firewalls and System Security' started by Steffen_Azure, Nov 24, 2022.

  1. Windows Defender: Attack Surface Reduction - No Events in EventLog for some blocked actions


    I have some ASR rules activated set to Block for my clients, like "Block process creations originating from PSExec and WMI commands" or "Block JavaScript or VBScript from launching downloaded executable content".While testing the rules it seems like, they work as intended but in the event viewer as explained here I only get an event ID 1021 for some blocked ASR Rules . For examplem, the "Block JavaScript or VBScript from launching downloaded executable content". I used a simple script js to test it:var xmlHttp = WScript.CreateObject"MSXML2.XMLHTTP";xmlHttp.open"GET", "https://w

    :)
     
    Steffen_Azure, Nov 24, 2022
    #1
  2. SE_GB Win User

    Windows Defender Device Guard: Attack Surface Reduction

    Dear community,

    I am experiencing a relatively strange behavior using Attack Surface Reduction from the Defender Device Guard.

    As recommended in the baseline security 1809, I did activate the recommended ASR rules; one of them being "Block untrusted and unsigned processes that run from USB" - elaborated

    here
    .

    I did create an unsigned application using Visual studio and C#. Runs fine on the build machine.

    Starting it from a USB drive, Defender Application Guard blocks the application (Code 1121, ID b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4). Intended and expected behavior.

    Copying the previously started (and blocked) application to the local disk and trying to start it from there, it gets blocked again. Not so expected behavior.

    Renaming this executable on the local disk to "xyz_.exe" it is not blocked. Renaming it to its once blocked at USB name, it gets blocked again.

    Does anybody have an idea, if the names of the blocked application are cached in some way or why this behavior occurs?

    Kind regards
     
    SE_GB, Nov 24, 2022
    #2
  3. CCleaner Update Triggers Attack Surface Reduction Rule

    The update to v5.75.8238, CCleaner64.exe triggers an Attack Surface Reduction rule:
    Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    Rule GUID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2

    You won't notice it unless you happen to have ASR in place with Microsoft Defender for Endpoint.
    Here is the event log entry:

    Log Name: Microsoft-Windows-Windows Defender/Operational
    Source: Windows Defender
    Event ID 1121

    Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
    For more information please contact your IT administrator.
    ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
    Detection time: 2020-12-11T01:57:18.185Z
    User: XXXXXX-XXXXXX\xxxxxxxxxxx

    Path: C:\Windows\System32\lsass.exe
    Process Name: C:\Program Files\CCleaner\CCleaner64.exe
    Security intelligence Version: 1.329.181.0
    Engine Version: 1.1.17700.4
    Product Version: 4.18.2011.6

    A similar message shows up in the GUI also containing:
    "Block credential stealing from the Windows local security authority subsystem (lsass.exe)"
     
    mjohnsonn2, Nov 24, 2022
    #3
  4. NMI
    NMI Win User

    Windows Defender: Attack Surface Reduction - No Events in EventLog for some blocked actions

    Microsoft Defender will soon block Windows password theft

    This bit from that link is simple and benign:

     
Thema:

Windows Defender: Attack Surface Reduction - No Events in EventLog for some blocked actions

Loading...
  1. Windows Defender: Attack Surface Reduction - No Events in EventLog for some blocked actions - Similar Threads - Defender Attack Surface

  2. Windows defender blocks the actions of windows processes

    in Windows 10 Gaming
    Windows defender blocks the actions of windows processes: Hi everyone,I have activated controlled folder access and it often sends me a notification that "The administrator has blocked the action". But what is strange to me is that some windows processes such as wuauclt.exe and svchost.exe are blocked. So I was wondering if it was a...
  3. Windows defender blocks the actions of windows processes

    in Windows 10 Software and Apps
    Windows defender blocks the actions of windows processes: Hi everyone,I have activated controlled folder access and it often sends me a notification that "The administrator has blocked the action". But what is strange to me is that some windows processes such as wuauclt.exe and svchost.exe are blocked. So I was wondering if it was a...
  4. Does Microsoft Defender Exploit Guard Attack Surface Reduction Rules ASR still function...

    in AntiVirus, Firewalls and System Security
    Does Microsoft Defender Exploit Guard Attack Surface Reduction Rules ASR still function...: Or is it redundant? If not, it would be nice if this was an option to ensure enhanced security. https://answers.microsoft.com/en-us/protect/forum/all/does-microsoft-defender-exploit-guard-attack/816b13d2-5f7b-4c9a-9065-d95f4acbb1aa
  5. Actions being blocked

    in AntiVirus, Firewalls and System Security
    Actions being blocked: I been getting notifications of Blocked access. I thought this was protecting my computer but now it's not letting me complete a Restart. It says administrator has blocked access through the Controlled folder access of the Windows Security Ransomeware Protection. Should I...
  6. CCleaner Update Triggers Attack Surface Reduction Rule

    in Windows 10 Software and Apps
    CCleaner Update Triggers Attack Surface Reduction Rule: The update to v5.75.8238, CCleaner64.exe triggers an Attack Surface Reduction rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe) Rule GUID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 You won't notice it unless you happen to have ASR in...
  7. EventLog

    in Windows 10 Ask Insider
    EventLog: Hello, I recently saw that EventLog service is always working and taking 1-2% cpu load, I know that 1-2 percent is nothing, but I never saw this proccess taking more than 0%, seems like bug. submitted by /u/_MeetYourMaker_ [link] [comments]...
  8. Windows Defender Device Guard: Attack Surface Reduction

    in AntiVirus, Firewalls and System Security
    Windows Defender Device Guard: Attack Surface Reduction: Dear community, I am experiencing a relatively strange behavior using Attack Surface Reduction from the Defender Device Guard. As recommended in the baseline security 1809, I did activate the recommended ASR rules; one of them being "Block untrusted and unsigned processes...
  9. Windows Defender Firewall default block action not intuitive

    in Windows 10 Gaming
    Windows Defender Firewall default block action not intuitive: Can someone please help me understand why the default action for Windows Defender Firewall is to allow "Public networks, such as those in airports and coffee shops (not recommended) because these networks often have little or no security". Everytime this message comes up I...
  10. Norton keeps blocking an attack

    in AntiVirus, Firewalls and System Security
    Norton keeps blocking an attack: My Norton product keeps blocking an attack. Due to the blocked attack, I cannot search in Microsoft Edge. Below are the screenshots: [img] 114050