defender-endpoint/attack-surface-reduction-rules-reference.md
7 additions & 7 deletions
@@ -15,7 +15,7 @@ ms.collection:
15
15
- m365-security
16
16
- tier2
17
17
- mde-asr
18
-
ms.date: 02/26/2025
18
+
ms.date: 03/05/2025
19
19
search.appverid: met150
20
20
---
21
21
@@ -93,7 +93,7 @@ The following ASR rules DO NOT honor Microsoft Defender Antivirus exclusions:
93
93
|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes)|
94
94
95
95
> [!NOTE]
96
-
> For information about configuring per-rule exclusions, see the section titled **Configure ASR rules per-rule exclusions** in the topic[Test attack surface reduction rules](attack-surface-reduction-rules-deployment-test.md).
96
+
> For information about configuring per-rule exclusions, see the section titled **Configure ASR rules per-rule exclusions** in the article[Test attack surface reduction rules](attack-surface-reduction-rules-deployment-test.md).
97
97
98
98
## ASR rules and Defender for Endpoint Indicators of Compromise (IOC)
99
99
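Review bot: the replacement line 96 still has no space between "article" and the link, so it renders as "article[Test attack surface reduction rules]" run together. Since this line is already being reworded, add the space before the opening bracket in the same change.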
@@ -179,10 +179,10 @@ Toast notifications are generated for all rules in Block mode. Rules in any othe
179
179
180
180
For rules with the "Rule State" specified:
181
181
182
-
- ASR rules with `\ASR Rule, Rule State\` combinations are used to surface alerts (toast notifications) on Microsoft Defender for Endpoint only for devices at cloud block level "High"
183
-
- Devices that not at the high cloud block level don't generate alerts for any `ASR Rule, Rule State` combinations
184
-
- EDR alerts are generated for ASR rules in the specified states, for devices at cloud block level "High+"
185
-
- Toast notifications occur in block mode only and for devices at cloud block level "High"
182
+
- ASR rules with `\ASR Rule, Rule State\` combinations are used to surface alerts (toast notifications) on Microsoft Defender for Endpoint only for devices set at the cloud block level `High`.
183
+
- Devices that are not set at the cloud block level `High`don't generate alerts for any `ASR Rule, Rule State` combinations.
184
+
- EDR alerts are generated for ASR rules in the specified states, for devices set at the cloud block level `High+`.
185
+
- Toast notifications occur in block mode only and for devices set at the cloud block level `High`.
186
186
187
187
| Rule name | Rule state | EDR alerts | Toast notifications |
188
188
|---|---|---|---|
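Review bot: new line 183 drops the space after the closing backtick (`High`don't), so the level name and the verb render run together; it should read `High` don't. New line 182 also keeps the backslashes inside the code span (`\ASR Rule, Rule State\`), which display literally within backticks and disagree with the unescaped `ASR Rule, Rule State` on line 183, so pick one form for both bullets. Line 183 uses "are not" while the same sentence keeps the contraction "don't"; make that consistent.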
@@ -256,7 +256,7 @@ This rule prevents an application from writing a vulnerable signed driver to dis
256
256
The **Block abuse of exploited vulnerable signed drivers** rule doesn't block a driver already existing on the system from being loaded.
257
257
258
258
> [!NOTE]
259
-
> You can configure this rule using Intune OMA-URI. See [Intune OMA-URI](enable-attack-surface-reduction.md#custom-profile-in-intune) for configuring custom rules.
259
+
> You can configure this rule using Intune OMA-URI. See [Intune OMA-URI](enable-attack-surface-reduction.md#custom-profile-in-intune-alternative-2) for configuring custom rules.
260
260
> You can also configure this rule using [PowerShell](enable-attack-surface-reduction.md#powershell).
261
261
> To have a driver examined, use this Web site to [Submit a driver for analysis](https://www.microsoft.com/en-us/wdsi/driversubmission).
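Review bot: the new link target on line 259, enable-attack-surface-reduction.md#custom-profile-in-intune-alternative-2, points at a heading in a file this commit does not touch, so nothing in the diff confirms the anchor resolves; verify that the heading exists with exactly that slug before merging. An anchor derived from a heading that includes its ordinal ("alternative-2") breaks again if the alternatives are renumbered or retitled, so a stable explicit anchor would be sturdier if the docs toolchain supports one.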