Handle buggy ASR rule

metablaster · Nov 28, 2023 · 1662eba · 1662eba
1 parent afd3790
commit 1662eba
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 5 deletions.
diff --git a/Scripts/Security/Deploy-ASR.ps1 b/Scripts/Security/Deploy-ASR.ps1
@@ -172,14 +172,14 @@ if ($PSCmdlet.ShouldProcess("Microsoft Defender Antivirus", "Deploy attack surfa
 	)
 
 	# Enabled, Disabled or AuditMode
-	$Actions = @(
+	[array] $Actions = @(
 		"Enabled"
 		"Enabled"
 		"Enabled"
 		"Enabled"
 		"Enabled"
 		# Disable for programs such as b2 from boost
-		# This will also block programs that you develop
+		# If enabled, this will also block programs that you develop
 		"Disabled"
 		"Enabled"
 		"Enabled"
@@ -188,13 +188,24 @@ if ($PSCmdlet.ShouldProcess("Microsoft Defender Antivirus", "Deploy attack surfa
 		"Enabled"
 		"Enabled"
 		"Enabled"
-		# BUG: https://www.bleepingcomputer.com/news/microsoft/buggy-microsoft-defender-asr-rule-deletes-windows-app-shortcuts
-		"Disabled"
+		"Enabled"
 		"Enabled"
 		# Disable for PS remoting
 		"Disabled"
 	)
 
+	# On January 13th, Windows Security and Microsoft Defender for Endpoint customers may have experienced a series
+	# of false positive detections after updating to security intelligence builds between 1.381.2134.0 and 1.381.2163.0.
+	# BUG: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/recovering-from-attack-surface-reduction-rule-shortcut-deletions/ba-p/3716011
+	[Version] $AntivirusSignatureVersion = Get-MpComputerStatus | Select-Object -ExpandProperty AntivirusSignatureVersion
+	if (($AntivirusSignatureVersion -ge "1.381.2134.0") -and ($AntivirusSignatureVersion -le "1.381.2163.0"))
+	{
+		$Actions.SetValue("Disabled", 13)
+
+		Write-Warning -Message "[$ThisScript] ASR rule 'Block Win32 API calls from Office macros' has been explicitly disabled due to a known bug"
+		Write-Information -MessageData "INFO: To enable this rule update your Windows Defender to intelligence build above 1.381.2163.0"
+	}
+
 	try
 	{
 		Set-MpPreference -AttackSurfaceReductionRules_Ids $Rules -CimSession $CimServer `

diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
@@ -44,7 +44,8 @@ Here is a list of changes for each of the releases.
 - Scripts
 
   - Updated README with GPO settings of interest not handled by security scripts
-  - `Set-ATP.ps1` script improved to handle more options and AV scans
+  - `Set-ATP.ps1` Script improved to handle more options and AV scans
+  - `Deploy-ASR.ps1` Now handles a known bug when "Block Win32 API calls from Office macros" is enabled
 
 ## v0.16.0 (current release)