This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 24%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
I have an interesting situation where an unsigned .EXE is being allowed to run even though everything I know about my setup seems to indicate it should be blocked.
The .EXE is an in-house developed, unsigned .EXE. That is why I'm using it to test this new secure environment.
When I log into the environment, the .EXE launches whether or not I'm a local admin.
My attack surface reduction rules are all set to BLOCK, particularly the one related to 'Prevalence, Age, or Trusted List Criterion'.
Does anyone know how I would go about figuring out what setting is missing to ensure this, and other unsigned .EXEs are blocked?
Hello @Phil M !
i did commented but something got lost !
Anyway what i was saying is that the EXE by itself , as a non threatening , evasive file or procedure , it does not even bother Cloud Protection and ASR of Defender
I think you can find a case to make Tests on the Defender Testground
https://demo.wd.microsoft.com/
Otherwise you have to make the EXE actually do something that may be considered as a threat , therefore as not signed it will get blocked !
I hope this helps !
Kindly mark the answer that helped as Accepted and Upvote !
Regards
You are awesome, thanks so much.
Hello @Phil M !
I will ask you a maybe obvious thing but bare with me !
Did you read this :
Block executable files from running unless they meet a prevalence, age, or trusted list criterion
This rule blocks executable files, such as .exe, .dll, or .scr, from launching. Thus, launching untrusted or unknown executable files can be risky, as it might not be initially clear if the files are malicious.
Important
You must enable cloud-delivered protection to use this rule.
The rule Block executable files from running unless they meet a prevalence, age, or trusted list criterion with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. This rule uses cloud-delivered protection to update its trusted list regularly.
You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
Intune name: Executables that don't meet a prevalence, age, or trusted list criteria
Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
Advanced hunting action type:
Dependencies: Microsoft Defender Antivirus, Cloud Protection
Could you verify the config and if possible send some screenshots or info ?
Thank you !
I hope this helps!
Kindly mark the answer as Accepted and Upvote in case it helped!
Regards
Hi Konstantinos, I have confirmed the following:
I am not sure what other settings factor into this. OR, perhaps that .EXE is somehow considered 'safe'.
I am certain that I am just missing some important factor here. How do I investigate why Defender is ignoring this .EXE?
P
Hi Konstantinos, I have been digging into this more, so this is an elaboration on my message from 12:22.
As mentioned above, ASR is in BLOCK mode and Cloud Delivered Protection is on.
I also validated that 'Join MAPS' is 'Yes', Block at first Sign is 'On', and Network Protection is in block mode. PUA protection is 'On'.
I also tried changing the 'Cloud Block Level' from 0 to 6. I discovered this setting via the Get-MPPreference PowerShell command.
So, perhaps I am just not understanding how ASR and Defender works, but my assumption is that any home-developed and unsigned executables should be blocked. I was using this executable as a good test of how strict my environment is.
Is my assumption correct that this .EXE should not be allowed to run? I found the .exe mentioned in the Defender 'Timeline' but I cannot find anywhere where it tells me what 'verdict' it has on the .exe.
I'm lost.
Hi Konstantinos
I investigated the Defender page for this application.
It shows no alerts, and no malware. I guess it deemed it safe so it allowed it to open.
It looks like ASR is working and its analysis of the file was OK.
If you know if a way of blocking all files that are unsigned, please let me know.
There is a GPO that prevents unsigned files from being ELEVATED, but I can't see anything that simply prevents all unsigned files from launching. Maybe that's an unusual request.
Hello @Phil M !
The assumption is quite generic , i dont think this is the case
Since the EXE does not perform any type of Attack , or it just sits there . it might not fit the profile to be blocked
if the unsigned EXE file is not performing any of the behaviors targeted by your ASR rules, and if it hasn't been marked as malicious by Microsoft Defender's real-time protection or cloud-delivered protection, it may not be blocked.
It all comes down to the Engine and how it classifies the FIle !
Try to generate more pointers to it , share it , upload it , send it inside the Org via Email and se what happens!
I will try to replicate the same issue , but i think you get my point
I hope this helps!
Kindly mark the answer as Accepted and Upvote in case it helped!
Regards
Thanks Konstantinos, thanks for helping me think through this.
I was originally thinking that any unsigned files were blocked without question (in my configuration), but perhaps I was too generic as you stated.
Is there a good way to know how the engine classified the file? I'm not sure how to use Advanced Hunting but I could check that out.
I'll look for another example of an unsigned file and try it with that, too.
Thanks
Hi Konstantinos, I was sending Comments as opposed to 'Answers'. I'm not sure which I am supposed to use for correspondence.
Anyways, my assumption is that Defender is not concerned with that file. It shows no Malware and no Alerts related to that file.
Still, I wish there was a way to block all unsigned executables in a secure environment.
The closes I can find is a GPO that prevents unsigned executables from being ELEVATED. But, I cannot determine if there is anything to prevent their launch at all.
Does anyone have any advice? I believe, as far as Intune\ASR\Defender goes, I have the related settings maxed out.