Microsoft has fixed a false positive triggered by a buggy Microsoft Defender ASR rule that would remove application shortcuts from the desktop, start menu, and taskbar.
The issue affected app shortcuts on embedded devices after Microsoft Defender for Endpoint’s Attack Surface Reduction (ASR) rule was erroneously triggered.
When working correctly, this ASR rule (called “Block Win32 API calls from Office macro” in Configuration Manager and “Win32 imports from Office macro code” in Intune) should prevent malware from ‘use VBA macros to call Win32 APIs.
“Malware can abuse this ability, for example by calling Win32 APIs to launch malicious shellcode without writing anything directly to disk,” Microsoft said. Explain.
“Most organizations don’t rely on the ability to call Win32 APIs in their day-to-day operation, even if they use macros in other ways.”
While normally this would help reduce the attack surface that threat actors could use to compromise devices protected by Microsoft Defender Antivirus, a bad Defender signature (1.381.2140.0) caused the ASR rule (Rule ID: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b) misbehave and trigger against users’ application shortcuts, falsely labeling them as malicious.
Windows administrators report that the ASR rule removes shortcuts belonging to both Microsoft apps and third-party apps.
“We recently integrated our domain with Defender for Endpoint and had a number of reports this morning that their program shortcuts (Chrome, Firefox, Outlook) all disappeared after a reboot of their machine, which happened also produced for me too”, an administrator said.
“We’re having the exact same issue. I had to push a policy update to set this rule to Audit mode instead of Block – as it removes almost all 3rd party apps and even 1st party ones like you also said – Slack, Chrome, Outlook”, another confirmed.
To fix the issue, Microsoft disabled the offending ASR rule and asked customers to check SI MO497128 in the admin center for more updates.
We identified that a specific rule had an impact. We’ve reverted the rule to avoid further impact while we investigate further. For more information, please follow SI MO497128 in your admin center.
— Microsoft 365 Status (@MSFT365Status) January 13, 2023
In the latest admin center update, Microsoft said the canceled ASR rule needed several hours to propagate to all affected customers and advised placing it in Audit mode or disabling it altogether.
“We have reverted the offending ASR rule, however, this change is propagating throughout the environment and could take several hours,” Microsoft said.
“We recommend that you take steps to place the offending ASR rule in Audit mode and avoid further impact until the update has completed the rollout.”
You can put the ASR rule in audit mode using one of the following methods:
- Using Powershell: Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions AuditMode
- Use Intune
- Using Group Policy
The fourth option is to set the rule to disabled mode using the following Powershell command:
Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions Disabled
Until the issue is fully resolved and all deleted shortcuts can be restored, Microsoft has advised customers to launch Office applications directly using the Office application or the Microsoft 365 App Launcher.
System administrators created PowerShell scripts [1, 2] that attempt to restore Microsoft Office and other application shortcuts to the Start menu. However, these must be tested before being used in production.