Attack Surface Reduction\Defender - Not Blocking .EXE

Phil M 60 Reputation points
2023-07-15T19:36:12.5966667+00:00

I have an interesting situation where an unsigned .EXE is being allowed to run even though everything I know about my setup seems to indicate it should be blocked.

The .EXE is an in-house developed, unsigned .EXE. That is why I'm using it to test this new secure environment.

When I log into the environment, the .EXE launches whether or not I'm a local admin.

My attack surface reduction rules are all set to BLOCK, particularly the one related to 'Prevalence, Age, or Trusted List Criterion'.

Does anyone know how I would go about figuring out what setting is missing to ensure this, and other unsigned .EXEs are blocked?


Accepted answer
  1. Konstantinos Passadis 17,456 Reputation points MVP
    2023-07-22T18:33:37.0766667+00:00

    Hello @Phil M !

    I did comment, but something got lost!

    Anyway, what I was saying is that the EXE by itself, as a non-threatening, evasive file or procedure, does not even bother Cloud Protection and ASR of Defender.

    I think you can find a case to make Tests on the Defender Testground

    https://demo.wd.microsoft.com/

    Otherwise you have to make the EXE actually do something that may be considered a threat; then, as it is not signed, it will get blocked!

    I hope this helps !

    Kindly mark the answer that helped as Accepted and Upvote !

    Regards

    1 person found this answer helpful.

3 additional answers

  1. Konstantinos Passadis 17,456 Reputation points MVP
    2023-07-15T19:53:50.21+00:00

    Hello @Phil M !

    I will ask you a maybe obvious thing, but bear with me!

    Did you read this:

    https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion

    Block executable files from running unless they meet a prevalence, age, or trusted list criterion

    This rule blocks executable files, such as .exe, .dll, or .scr, from launching. Thus, launching untrusted or unknown executable files can be risky, as it might not be initially clear if the files are malicious.

    Important

    You must enable cloud-delivered protection to use this rule.

    The rule Block executable files from running unless they meet a prevalence, age, or trusted list criterion with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. This rule uses cloud-delivered protection to update its trusted list regularly.

    You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.

    Intune name: Executables that don't meet a prevalence, age, or trusted list criteria

    Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria

    GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25

    Advanced hunting action type:

    • AsrUntrustedExecutableAudited
    • AsrUntrustedExecutableBlocked

    Dependencies: Microsoft Defender Antivirus, Cloud Protection

    Could you verify the config and if possible send some screenshots or info ?

    Thank you !

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards
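
One way to run the configuration check requested in the answer above, as an added example that is not part of the original thread. It reads the rule state and the two listed dependencies with `Get-MpPreference` and `Get-MpComputerStatus`; the action-code mapping and event IDs 1121/1122 are not on this page and come from the Defender documentation.

```powershell
# Added example: verify the rule and its dependencies on the endpoint under test.
# Run in an elevated PowerShell session.
$ruleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'   # GUID quoted in the answer above

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Rule state: the Ids and Actions arrays are parallel (same index = same rule).
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$ids       = @($pref.AttackSurfaceReductionRules_Ids)
$actions   = @($pref.AttackSurfaceReductionRules_Actions)
$ruleState = 'Not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $ruleId) {
        $code      = [int]$actions[$i]
        $ruleState = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Unknown ($code)" }
        break
    }
}

# Dependency: cloud-delivered protection. MAPSReporting 0 means it is off,
# and the rule cannot evaluate prevalence/age without it.
$cloudOn = ([int]$pref.MAPSReporting -ne 0)

# Evidence: ASR block (1121) and audit (1122) events that mention this rule.
$events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $ruleId })

[pscustomobject]@{
    RuleState            = $ruleState
    CloudProtectionOn    = $cloudOn
    MAPSReporting        = $pref.MAPSReporting
    CloudBlockLevel      = $pref.CloudBlockLevel
    AntivirusEnabled     = $status.AntivirusEnabled
    RealTimeProtectionOn = $status.RealTimeProtectionEnabled
    AMRunningMode        = $status.AMRunningMode   # ASR needs Defender AV active, not passive
    RecentRuleEvents     = $events.Count
    LastRuleEvent        = if ($events.Count) { $events[0].TimeCreated } else { $null }
} | Format-List
```

A `RuleState` of `Block` with `CloudProtectionOn` true and zero rule events means the rule is active but has not judged any file untrusted on this device.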


  2. Konstantinos Passadis 17,456 Reputation points MVP
    2023-07-17T14:29:29.04+00:00

    Hello @Phil M !

    The assumption is quite generic; I don't think this is the case.

    Since the EXE does not perform any type of attack, or it just sits there, it might not fit the profile to be blocked.

    If the unsigned EXE file is not performing any of the behaviors targeted by your ASR rules, and if it hasn't been marked as malicious by Microsoft Defender's real-time protection or cloud-delivered protection, it may not be blocked.

    It all comes down to the engine and how it classifies the file!

    Try to generate more pointers to it: share it, upload it, send it inside the org via email and see what happens!

    I will try to replicate the same issue, but I think you get my point.

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards


  3. Phil M 60 Reputation points
    2023-07-22T15:59:26.88+00:00

    Hi Konstantinos, I was sending Comments as opposed to 'Answers'. I'm not sure which I am supposed to use for correspondence.

    Anyways, my assumption is that Defender is not concerned with that file. It shows no Malware and no Alerts related to that file.

    Still, I wish there was a way to block all unsigned executables in a secure environment.

    The closest I can find is a GPO that prevents unsigned executables from being ELEVATED. But I cannot determine if there is anything to prevent their launch at all.

    Does anyone have any advice? I believe, as far as Intune\ASR\Defender goes, I have the related settings maxed out.
