Create an ASR Rules Exclusion


In this blog post I’m going to explain how you create an ASR rules exclusion. Yesterday I was trying to install DaVinci Resolve on my Intune-managed Windows 11 laptop. At first I didn’t notice the popup at the lower right and thought it had something to do with the file location, or that the file was blocked because it was downloaded from the internet. So I tried moving it around to different locations on my device and unblocking it, until I noticed the “Action blocked” popup when I tried to install it on a different device.


The Cause

First I needed to figure out why this action was blocked. There are several ways to identify the cause:

  • Windows Security
  • Windows Event Log
  • Microsoft Defender ATP
  • Microsoft Defender Report


Windows Security

Open Windows Security and select “Protection history”.

Check the active filters and clear them if needed to see the recent events.

The installation was blocked because of the ASR rule “Block executable files from running unless they meet a prevalence, age, or trusted list criterion”.

Windows Event Log

In the Windows Event Log on the device, go to Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational. There you will find the same information, except for the ASR rule name: only the GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is displayed. Using this ASR rule to GUID matrix you can look up the rule name, which is “Block executable files from running unless they meet a prevalence, age, or trusted list criterion”.

Microsoft Defender ATP

If your devices are onboarded into Microsoft Defender ATP you can use “Advanced hunting”. Browse to https://security.microsoft.com/ and select Advanced hunting (1). Select a custom time range to limit the results (2). Enter the query (3):

DeviceEvents
| where ActionType startswith 'Asr'

Press “Run Query” (4) to view the results.

The query will display all ASR related events and details.

Microsoft Defender Report

If your devices are onboarded into Microsoft Defender ATP you can use the “Attack surface reduction rules” report. Browse to https://security.microsoft.com/ and select Reports (1). In the reports view, select Attack surface reduction rules (2).

In the “Detections” blade, select Filters > Rules: All and the correct date to limit the results. I noticed it sometimes takes up to an hour for the results to appear, so you need to be patient.

Add an Exclusion

Now we will need to exclude the exe. Unfortunately it’s not possible to exclude a SHA or MD5 hash, so we will need to copy the path of the exe which needs to be excluded. There are wildcards available which you can use to exclude files: for example, the asterisk (*) replaces multiple characters and the question mark (?) replaces a single character. In this example I will not use wildcards and will use the full path: “D:\DaVinci_Resolve_19.0.3_Windows\DaVinci_Resolve_19.0.3_Windows.exe”.

If you’re using the Microsoft Defender Attack surface reduction rules report, you can browse to the “Add exclusions” (1) blade, search (2) and select (3) the file name you want to exclude, then select “Get selected exclusion paths” (4).

A CSV file with all exclusion paths will be downloaded. As you may notice, there are multiple locations for the same exe file here. That’s because I tried to run it from multiple locations.

Now you only need to press “Add exclusions”.

This will open the Intune admin center in a new window in the Attack Surface Reduction (ASR) view.

Now you will need to open the ASR policy you configured and add the exclusions for the correct rule. In this case I will add the exclusions to the “Block executable files from running unless they meet a prevalence, age, or trusted list criterion” rule. You need to enter each path as a separate entry for the rule (do not copy/paste the whole CSV into one entry!).

Save the policy

Sync and test the policy

Now you will need to sync the updated policy to the device and test whether it’s working. You can use PowerShell to check if the policy has been applied with the command “Get-MpPreference”. You will notice that the exclusions have been added to “AttackSurfaceReductionRules_RuleSpecificExclusions”.

As soon as the rules have been applied you should be able to execute the executable.
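To make the "sync and test" step repeatable, here is an added PowerShell check (not part of the original post) that reads Get-MpPreference for the rule GUID and exclusion path used above and lists recent ASR block events (event ID 1121) from the same Defender Operational log. It assumes an elevated prompt on the Intune-managed device; the way the cmdlet formats rule-specific exclusion entries is treated as unknown, so the path is matched as a plain substring.

```powershell
# Added example, not from the original post. Run elevated on the managed device.
$RuleId  = '01443614-cd74-433a-b99e-2ecdc07bfc25'   # rule GUID from the post
$Exclude = 'D:\DaVinci_Resolve_19.0.3_Windows\DaVinci_Resolve_19.0.3_Windows.exe'

$pref = Get-MpPreference

# 1. Rule state. Ids and Actions are parallel arrays; action codes: 0 Off, 1 Block, 2 Audit, 6 Warn.
$states = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$ids = @($pref.AttackSurfaceReductionRules_Ids)
$idx = -1
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $RuleId) { $idx = $i; break }   # GUID casing differs between sources
}
if ($idx -lt 0) {
    Write-Warning "Rule $RuleId is not configured on this device"
} else {
    $action = [int]$pref.AttackSurfaceReductionRules_Actions[$idx]
    "Rule state: {0} ({1})" -f $action, $states[$action]
}

# 2. Exclusion presence. Entries are matched as plain strings (format assumption), so this
#    works whether the cmdlet shows one path per entry or several joined in one string.
$entries = @($pref.AttackSurfaceReductionRules_RuleSpecificExclusions) +
           @($pref.AttackSurfaceReductionOnlyExclusions)
$hit = $entries | Where-Object { $_ -and $_.ToLower().Contains($Exclude.ToLower()) }
if ($hit) {
    "Exclusion present: $hit"
} else {
    Write-Warning "Exclusion for $Exclude not applied yet; sync the device and re-check"
}

# 3. Recent block events for this rule from the Windows Defender Operational log.
#    Event ID 1121 is the ASR 'rule fired in block mode' event.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Select-Object TimeCreated, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap
```

If step 2 warns but step 1 already shows Block, the policy has synced while the exclusion entry has not; trigger another Intune sync before re-testing the installer.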

Feel free to ask any questions or share your thoughts about this blog in the comments section!
