
Windows Defender: Attack Surface Reduction - No Events in EventLog for some blocked actions

Anonymous
2022-11-24T11:51:00+00:00

I have some ASR rules activated (set to Block) for my clients, like "Block process creations originating from PSExec and WMI commands" or "Block JavaScript or VBScript from launching downloaded executable content".

While testing the rules it seems like they work as intended, but in the Event Viewer (as explained here) I only get an event (ID 1021) for some blocked ASR rules. For example, the "Block JavaScript or VBScript from launching downloaded executable content" rule. I used a simple JS script to test it:

var xmlHttp = WScript.CreateObject("MSXML2.XMLHTTP");
xmlHttp.open("GET", "https://www.bing.com", false);
xmlHttp.send();

// SCPT:JSRunsFile
var shell = WScript.CreateObject("WScript.Shell");
shell.Run("notepad.exe");

I see an event in the Event Viewer with the ID 1021 and a reference to my script.

But while testing the rule "Block process creations originating from PSExec and WMI commands" by running a simple VBS script, the creation of the process is blocked (Return Value: 2), but no event shows up in the event log? The VBS:

// SCPT:xmlHttpRequest
var xmlHttp = WScript.CreateObject("MSXML2.XMLHTTP");
xmlHttp.open("GET", "https://www.bing.com", false);
xmlHttp.send();

// SCPT:JSRunsFile
var shell = WScript.CreateObject("WScript.Shell");
shell.Run("notepad.exe");

Tested on a Win 10 and Win 11 Client with the same result. Is there something I am missing?


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.
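When an ASR rule visibly blocks something but nothing appears in the log, the two things to check first are the action each rule is actually configured with (Block vs. Audit vs. Disabled) and whether the Defender operational log contains the ASR-specific events at all. The documented ASR event IDs in the Microsoft-Windows-Windows Defender/Operational log are 1121 (rule fired in block mode) and 1122 (rule fired in audit mode). The script below is an added example written for this page, not code from the original post; it assumes a host where Microsoft Defender Antivirus is the active engine (so Get-MpPreference is available) and is run from an elevated PowerShell session. The parameter name $Hours, the hypothetical action-code table and the GUID regex are choices made here.

```powershell
# Added example (not from the original post). Assumes Microsoft Defender Antivirus is active
# and the Defender PowerShell cmdlets (Get-MpPreference) are available; run elevated.
# 1) Lists the locally configured ASR rules with their action.
# 2) Pulls ASR rule-hit events (1121 = block, 1122 = audit) from the last $Hours hours.
param(
    [int]$Hours = 24   # look-back window; assumption made for this example
)

$pref = Get-MpPreference

# Action codes as used by Set-MpPreference -AttackSurfaceReductionRules_Actions
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

Write-Host "Configured ASR rules (rule GUID -> action):"
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) {
    $name = $actionNames[[int]$actions[$i]]
    if (-not $name) { $name = "Unknown($($actions[$i]))" }
    "{0}  {1}" -f $ids[$i], $name
}

# ASR rule hits are written to the Defender operational log as 1121 (block) / 1122 (audit).
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddHours(-$Hours)
}
# Get-WinEvent raises a non-terminating error when nothing matches; treat that as "no events".
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No ASR block/audit events (1121/1122) in the last $Hours hours."
    return
}

$guidPattern = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
foreach ($e in $events) {
    # Read the EventData fields generically from the event XML so the script does not
    # depend on exact field names; the rule GUID is picked out by its shape.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $ruleId = ($data.Values | Where-Object { $_ -match "^$guidPattern$" }) | Select-Object -First 1
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        RuleId = $ruleId
        Detail = ($data.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
    }
}
```

If a rule shows up as Audit or Disabled in the first listing, a missing block event is expected rather than a logging gap; if it is Block and a test is blocked but no 1121 appears in the window, compare the timestamps of the test against the StartTime and check whether the action was actually blocked by that rule or by another control.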


Answer accepted by question author

David-M 115.3K Reputation points Independent Advisor
2022-11-24T12:27:06+00:00

Hi, I'm David.

The Microsoft Community is a forum for home users.

Due to the scope of your question, I suggest you access the link below, which will direct you to the Microsoft Q&A page.

https://learn.microsoft.com/en-us/answers/index...

Microsoft Q&A has IT professionals and system admins who can best help with this type of question.

Best regards.


2 people found this answer helpful.
