503 questions
Try removing the * after factset\ . Check if the exclusions are actually applying on the machine. Get-mpprefence run with admin privileges should get you the list.
office application creating child process exclusion ASR
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 11%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGA%3C/text%3E%3C/svg%3E)
Guillaume AMGAR
6
Reputation points
hi
we activated in block mode after audit the ASR rule "Block all office application from creating child process"
But exclusions does not seems to work (for testing)
In deed we work with Factset software that add a plugin in Excel that inject data in Excel but they are all blocked
Even excel does not open when launching the Factset plugin
Factset is well know legitimate software its so strange that MS does not have a whitelist but anyway, exclusion are not working at all
thanks for, your help
Microsoft Security | Intune | Security
Microsoft Security | Intune | Configuration
2,095 questions
2 answers
Sort by: Most helpful
-
Rahul Jindal [MVP] 10,911 Reputation points MVP2023-02-18T06:08:34.8166667+00:00 -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
Crystal-MSFT 53,991 Reputation points Microsoft External Staff2023-02-20T01:43:46.0666667+00:00 @Guillaume AMGAR, Thanks for posting in Q&A.
Based on my research, it seems the asterisk replaces a single folder. For our situation, I think we can change the value to C:\Program Files (x86)\Factset*.exe. Here is a link with more details for your reference:
Meanwhile, I notice per-rule exclusions cannot be added to the existing policy. As it is currently implemented, in order to configure per-rule exclusions, you must create a new policy in MEM to replace the existing policy. Please create a new policy with the new setting value to see if it works:
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
-
Guillaume AMGAR 6 Reputation points
2023-02-20T09:32:12.8233333+00:00 hi
thanks
sorry i do not understand what MS mean for the per rule exclusions .. i need to create a dedicated policy for the "Block all office application from creating child process" only with the exclusion?
-
Crystal-MSFT 53,991 Reputation points Microsoft External Staff
2023-02-21T01:52:16.87+00:00 @Guillaume AMGAR, Thanks for the reply.
Based on my understanding, if the previoud policy does not include the exclustion, we need to create a same policy as the previous one and add the exlcusion. If the previous policy already include the exclusion, maybe we can change it directly.
-
Guillaume AMGAR 6 Reputation points
2023-02-21T16:30:37.6533333+00:00 thanks, i ll check also with the support, ill keep you updated
for now i m using global ASR exclusion which are working
-
Crystal-MSFT 53,991 Reputation points Microsoft External Staff
2023-02-22T01:52:50.28+00:00 @Guillaume AMGAR, Thanks for letting us know the status. If there's any more update, feel free to let us know.
Have a nice day!
Sign in to comment -