[Solved] Troubleshoot attack surface reduction rules (Microsoft) - BEST Antivirus KBS : Largest Anti-Malware Knowlegde Base and Support

When you use attack surface reduction rules you may run into issues, such as:

A rule blocks a file, process, or performs some other action that it shouldn’t (false positive)
A rule doesn’t work as described, or doesn’t block a file or process that it should (false negative)

There are four steps to troubleshooting these problems:

Confirm prerequisites
Use audit mode to test the rule
Add exclusions for the specified rule (for false positives)
Submit support logs

Confirm prerequisites

Attack surface reduction rules will only work on devices with the following conditions:

Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. Using any other antivirus app will cause Microsoft Defender Antivirus to disable itself.
Real-time protection is enabled.
Audit mode isn’t enabled. Use Group Policy to set the rule to Disabled (value: 0) as described in Enable attack surface reduction rules.

If these prerequisites have all been met, proceed to the next step to test the rule in audit mode.

Use audit mode to test the rule

You can visit the Windows Defender Test ground website at demo.wd.microsoft.com to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only.

Follow these instructions in Use the demo tool to see how attack surface reduction rules work to test the specific rule you’re encountering problems with.

Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to Audit mode (value: 2) as described in Enable attack surface reduction rules. Audit mode allows the rule to report the file or process, but will still allow it to run.
Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed).
Review the attack surface reduction rule event logs to see if the rule would have blocked the file or process if the rule had been set to Enabled.

If a rule isn’t blocking a file or process that you’re expecting it should block, first check if audit mode is enabled.

Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed.

If you’ve tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule isn’t working as expected, proceed to either of the following sections based on your situation:

If the attack surface reduction rule is blocking something that it shouldn’t block (also known as a false positive), you can first add an attack surface reduction rule exclusion.
If the attack surface reduction rule isn’t blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, collecting diagnostic data and submitting the issue to us.

Add exclusions for a false positive

If the attack surface reduction rule is blocking something that it shouldn’t block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders.

To add an exclusion, see Customize Attack surface reduction.

Important

You can specify individual files and folders to be excluded, but you cannot specify individual rules. This means any files or folders that are excluded will be excluded from all ASR rules.

Report a false positive or false negative

Use the Windows Defender Security Intelligence web-based submission form to report a false negative or false positive for network protection. With a Windows E5 subscription, you can also provide a link to any associated alert.

Collect diagnostic data for file submissions

When you report a problem with attack surface reduction rules, you’re asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.

Open an elevated command prompt and change to the Windows Defender directory:
Console
```
cd "c:\program files\windows defender"
```
Run this command to generate the diagnostic logs:
Console
```
mpcmdrun -getfiles
```
By default, they’re saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

(Visited 5 times, 1 visits today)

Troubleshoot attack surface reduction rules (Microsoft)

Confirm prerequisites

Use audit mode to test the rule

Add exclusions for a false positive

Report a false positive or false negative

Collect diagnostic data for file submissions

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

About

Partners

Resources

Confirm prerequisites

Use audit mode to test the rule

Add exclusions for a false positive

Report a false positive or false negative

Collect diagnostic data for file submissions

Source : Official Microsoft Brand Editor by : BEST Antivirus KBS Team

Related Articles

All about Microsoft

Microsoft Defender for Business (preview) troubleshooting

Support and troubleshooting Microsoft Defender for Cloud Apps

Troubleshooting – What is *.cas.ms, *.mcas.ms, or *.mcas-gov.us? (Microsoft)

Troubleshooting access and session controls (Microsoft)

Troubleshooting the SIEM agent (Microsoft)

About

Partners

Resources

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

Troubleshooting – What is .cas.ms, .mcas.ms, or *.mcas-gov.us? (Microsoft)