Cannot create exception for .xlam file?

Tonito Dux 956 Reputation points
2022-09-29T10:50:15.61+00:00

Hi,

I am having issues creating an exception of a .xlam file. So far I have created exceptions in ASR Rules in Endpoint and when this did not help I was sure that Indicators were going to solve the issue - but here I am writing this now.

So the "PROVI 3_4.xlam" file produces this .bin temporarily:
C:\Users*\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A48FD58.tmp->xl/vbaProject.bin
(Please note that yes there is a space between empty space in the file name, this has been deployed to machines years ago).

And this is what the user sees when the block happens. Have in mind that "A48FD58.tmp" is the string that changes (and username but got that covered)
I do not understand this ->xl - what is this and how it should be blocked?

[Screenshots: asr02.jpg, asr.jpg, asr03.jpg, asr04.jpg]

Cheers!


2 answers

  1. Tonito Dux 956 Reputation points
    2022-09-29T15:33:07.097+00:00

    I managed to solve it, there are two exceptions that need to be set in this case in order for the rule not to be triggered:

    C:\Program Files*\Addins\PROVI 3_4.xlam
    C:\Users*\AppData\Local\Microsoft\Windows\INetCache\Content.MSO*

    Cheers!


  2. Limitless Technology 43,981 Reputation points
    2022-09-30T08:58:17.253+00:00

    Hello there,

    You can configure attack surface reduction rules on a per-rule basis by using any rule's GUID and then use the audit mode to test the rule.

    For example, this rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access.

    GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a

    If you are still facing the issue, you can submit the logs.

    Attack surface reduction (ASR) rules reference https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#asr-rules-supported-configuration-management-systems

    Troubleshoot attack surface reduction rules https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-asr?view=o365-worldwide

    -------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer--
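
The audit-mode test from the second answer combined with the two exclusions from the first, as an added PowerShell example that is not part of the original thread. It assumes ASR settings on the machine are not enforced by Intune or Group Policy (which would override local changes); the helper name `Get-AsrEvent` is hypothetical.

```powershell
# Added example (not from the thread). Run elevated on a test machine.
# Rule GUID is the one quoted in the second answer; use the rule ID from your own block event.
$RuleId = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'

# Exclusion paths exactly as posted in the first answer.
$Exclusions = @(
    'C:\Program Files*\Addins\PROVI 3_4.xlam',
    'C:\Users*\AppData\Local\Microsoft\Windows\INetCache\Content.MSO*'
)

# 1. Switch only this rule to audit mode; Add-MpPreference leaves other rules untouched.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 2. Add the exclusions. Set this way, they apply to every ASR rule.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Exclusions

# 3. Helper: list ASR events for the rule. 1121 = blocked, 1122 = audited.
#    Field names (ID, Path, Process Name) are assumed from the event XML; check ToXml() output.
function Get-AsrEvent {
    param([datetime]$Since = (Get-Date).AddHours(-1), [string]$Rule = $RuleId)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ID'] -eq $Rule) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
                Path    = $data['Path']
                Process = $data['Process Name']
            }
        }
    }
}

# 4. Reproduce, then check: no new rows means the exclusions cover the add-in.
Read-Host 'Open the add-in in Excel, then press Enter'
Get-AsrEvent | Format-Table -AutoSize

# 5. Return the rule to block mode once the exclusions are confirmed.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions Enabled
```

Any rows that still appear show, in the Path column, which file location is not yet covered by an exclusion.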