Microsoft Defender ASR Deletes Shortcuts To Windows Applications Due To a Bug

(CTN News) – As a result of a bug in Microsoft Defender ASR rules, a false positive was triggered. This false positive deleted application shortcuts from the desktop, Start menu, and taskbar, making existing shortcuts unusable as they could not launch the linked apps.

Several managed devices were affected after an attack surface reduction (ASR) rule was triggered erroneously by Microsoft Defender for Endpoint.

This ASR rule (called “Block Win32 API calls from Office macros” in Configuration Manager and “Win32 imports from Office macro code” in Intune) should stop malware from calling Win32 APIs from VBA macros.

Microsoft Defender says malware can exploit this capability to launch malicious shellcode without writing anything directly to disk.

“While most organizations use macros in other ways, they don’t call Win32 APIs in their day-to-day operations.”

Normally, this would lower the attack surface that threat actors could use to compromise devices protected by Microsoft Defender Antivirus, but a faulty Defender signature (1.381.2140.0) caused the ASR rule (Rule ID: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b) to misbehave and trigger against users’ app shortcuts, tagging them as malicious.

ASR is deleting shortcuts belonging to both Microsoft and third-party apps, Windows admins report.

“After we onboarded our estate to Defender for Endpoint, we’ve heard a few reports this morning that their program shortcuts (Chrome, Firefox, Outlook) have been missing after rebooting, which also happened to me,” one admin says.

“I’ve had to push a policy update to set this rule into Audit mode instead of Block – as it’s trashing almost all 3rd party apps and even first party ones like Slack, Chrome, Outlook,” another confirmed.

Microsoft disabled the offending ASR rule and asked customers to check SI MO497128 in the admin center.

According to Microsoft’s latest admin center update, the reverted ASR rule needs several hours to propagate to all affected customers. Therefore, it’s wise to put it in Audit mode or fully disable it.

Despite reverting the offending ASR rule, Microsoft Defender says it could take several hours for the change to propagate throughout the environment.

“You should put the offending ASR rule in Audit Mode and prevent further impact until the update is deployed.”

Putting the ASR rule in Audit Mode is easy:

  • PowerShell: Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions AuditMode

  • Intune

  • Group Policy

The fourth option is to disable the rule with PowerShell:
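As an added illustration, not a script from the article or from Microsoft, the following PowerShell checks how the affected rule is configured on the local device before changing it, moves it from Block to Audit mode, and verifies the result. The numeric action codes, the event IDs and the assumption that the session is elevated are the author's own; the rule ID is the one given above.

```powershell
# Added example (not from the article or Microsoft): inspect the state of the affected
# ASR rule on this device, move it from Block to Audit mode, and verify the change.
# Assumes an elevated PowerShell session on a device running Microsoft Defender Antivirus.

# Rule ID quoted in the article: "Block Win32 API calls from Office macros"
$RuleId = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'

# Action codes as reported by Get-MpPreference in AttackSurfaceReductionRules_Actions
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([string]$Id)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    # The two arrays are parallel: index i of Ids pairs with index i of Actions
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) {
            $code = [int]$acts[$i]
            if ($ActionNames.ContainsKey($code)) { return $ActionNames[$code] }
            return "Unknown($code)"
        }
    }
    return 'NotConfigured'
}

$before = Get-AsrRuleState -Id $RuleId
Write-Host "Rule $RuleId is currently: $before"

if ($before -eq 'Block') {
    # Add-MpPreference changes the action for an already-listed rule without touching
    # the other ASR rules; Set-MpPreference would replace the whole list.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode

    $after = Get-AsrRuleState -Id $RuleId
    Write-Host "Rule $RuleId is now: $after"
    if ($after -ne 'AuditMode') {
        # Local preferences lose to policy: on Intune- or GPO-managed devices the change
        # has to be made in the management tool, as the article's other options describe.
        Write-Warning 'State did not change; a Group Policy or Intune setting may be overriding local preferences.'
    }
}

# Audit mode keeps logging what the rule would have blocked. Event 1121 = blocked,
# event 1122 = audited; reviewing these shows which shortcuts the rule matched.
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
                 -MaxEvents 20 -ErrorAction Stop |
        Select-Object TimeCreated, Id, Message |
        Format-List
} catch {
    Write-Host 'No ASR block/audit events found in the Defender operational log.'
}
```

Disabling the rule instead of auditing it is the same call with -AttackSurfaceReductionRules_Actions Disabled, at the cost of losing the audit events that show what the rule is matching.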

Microsoft is advising customers to launch Office apps directly from the Office app or the Microsoft 365 app launcher until the issue is resolved.

Microsoft Office and other application shortcuts have been restored to the Start Menu with PowerShell scripts [1, 2]. It’s still a smart idea to test them before you use them.
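The article does not reproduce those scripts. As an added example of the approach, written for this piece and not one of the scripts referred to above, the following PowerShell recreates a Start Menu shortcut only when the target executable is still installed and the .lnk file is actually missing, so it can be run first in dry-run mode. The application list is a constructed sample and the paths are assumptions to be adjusted per environment.

```powershell
# Added example (not one of the restoration scripts the article refers to): recreate
# missing Start Menu shortcuts for a known list of applications. Constructed sample list;
# adjust names and target paths for your environment.

$Apps = @(
    @{ Name = 'Google Chrome';   Target = 'C:\Program Files\Google\Chrome\Application\chrome.exe' }
    @{ Name = 'Mozilla Firefox'; Target = 'C:\Program Files\Mozilla Firefox\firefox.exe' }
)

# Set to $false once the dry-run output looks right
$DryRun = $true

# All Users Start Menu\Programs folder (writing here requires elevation)
$ProgramsDir = [Environment]::GetFolderPath('CommonPrograms')
$Shell = New-Object -ComObject WScript.Shell

function Restore-AppShortcut {
    param([string]$Name, [string]$Target)
    $lnk = Join-Path $ProgramsDir "$Name.lnk"

    # Never create a shortcut to something that is not installed
    if (-not (Test-Path -LiteralPath $Target)) { return "Skipped: target not installed ($Target)" }
    # Never overwrite a shortcut that survived or was already restored
    if (Test-Path -LiteralPath $lnk) { return "Skipped: shortcut already present ($lnk)" }
    if ($DryRun) { return "Would restore: $lnk -> $Target" }

    $sc = $Shell.CreateShortcut($lnk)
    $sc.TargetPath = $Target
    $sc.WorkingDirectory = Split-Path -Parent $Target
    $sc.Save()
    return "Restored: $lnk"
}

foreach ($app in $Apps) {
    Restore-AppShortcut @app
}
```

Per-user shortcuts (the user's own Start Menu, desktop or taskbar pins) live under the profile rather than under CommonPrograms and would need the same check run in that user's context.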

When BleepingComputer contacted Microsoft earlier today, a spokesperson wasn’t available for comment.

Endpoint Microsoft Defender false positives pile up

In the last two years, Windows admins have dealt with multiple false positives from Microsoft Defender for Endpoint.

Defender for Endpoint warned about ransomware behavior on Windows endpoints almost a year ago and tagged Office updates as malicious.

A false positive in November 2021 tagged some Office documents as Emotet malware payloads, so Defender ATP blocked them from opening.

In December 2021, it mistakenly displayed “sensor tampering” alerts linked to Microsoft 365 Defender’s Log4j scanner.

Defender for Endpoint had shown false positives of Cobalt Strike and tagged Chrome updates as PHP backdoors.
