This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi,
I am having issues creating an exception of a .xlam file. So far I have created exceptions in ASR Rules in Endpoint and when this did not help I was sure that Indicators were going to solve the issue - but here I am writing this now.
So the "PROVI 3_4.xlam" file produces this .bin temporarily:
C:\Users*\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A48FD58.tmp->xl/vbaProject.bin
(Please note that yes there is a space beetween empty space in the file name, this has been deployed to machines years ago).
And this is what the user sees when the block happens. Have in mind that "A48FD58.tmp" is the string that changes (and username but got that covered)
I do not understand this ->xl - what is this and how it should be blocked?
Cheers!
I found that this works, but it is to broad: C:\Users*\AppData\Local\Microsoft\Windows\INetCache\Content.MSO*
Edit: tried to narrow it down but it does not work, the file is being blocked:
C:\Users*\AppData\Local\Microsoft\Windows\INetCache\Content.MSO*.tmp->xl/vbaProject.bin
C:\Users*\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\?.tmp->xl/vbaProject.bin
C:\Users*\AppData\Local\Microsoft\Windows\INetCache\Content.MSO*\vbaProject.bin
I managed to solve it, there are two exceptions that need to be set in this case in order for the rule not to be triggered:
C:\Program Files*\Addins\PROVI 3_4.xlam
C:\Users*\AppData\Local\Microsoft\Windows\INetCache\Content.MSO*
Cheers!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Hello there,
You can configure attack surface reduction rules on a per-rule basis by using any rule's GUID and then use the audit mode to test the rule.
For example , this rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access.
GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a
If you are still facing issue you can submit the logs.
Attack surface reduction (ASR) rules reference https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#asr-rules-supported-configuration-management-systems
Troubleshoot attack surface reduction rules https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-asr?view=o365-worldwide
-------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept it as an answer--
Hi,
i still think the exception rule is to broad, should i contact the "free" MS support that I have in the O365 Portal? We use E3 with E5 Mobility + Security.
Cheers!