defender-endpoint/troubleshoot-asr.md
15 additions & 21 deletions
@@ -6,7 +6,7 @@ ms.localizationpriority: medium
6
6
audience: ITPro
7
7
author: denisebmsft
8
8
ms.author: deniseb
9
-
ms.date: 07/28/2023
9
+
ms.date: 11/05/2024
10
10
ms.reviewer:
11
11
manager: deniseb
12
12
ms.custom: asr
@@ -33,8 +33,8 @@ search.appverid: met150
33
33
34
34
When you use [attack surface reduction rules](attack-surface-reduction.md) you might run into issues, such as:
35
35
36
-
- A rule blocks a file, process, or performs some other action that it shouldn't (false positive)
37
-
- A rule doesn't work as described, or doesn't block a file or process that it should (false negative)
36
+
- A rule blocks a file, process, or performs some other action that it shouldn't (false positive); or
37
+
- A rule doesn't work as described, or doesn't block a file or process that it should (false negative).
38
38
39
39
There are four steps to troubleshooting these problems:
40
40
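Review bot: the first bullet on the `+` line still reads "A rule blocks a file, process, or performs some other action that it shouldn't", which is not parallel (the rule blocks a file, blocks a process, or performs some other action). Since the line is already being edited for the trailing "; or", suggest "- A rule blocks a file or process, or performs some other action that it shouldn't (false positive); or". The "; or" on the first item and the period on the second are fine for a two-item list.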
@@ -47,43 +47,37 @@ There are four steps to troubleshooting these problems:
47
47
48
48
Attack surface reduction rules only work on devices with the following conditions:
49
49
50
-
- Endpoints are running Windows 10 Enterprise or later.
51
-
52
-
- Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app causes Microsoft Defender Antivirus to disable itself](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
53
-
50
+
- Devices are running Windows 10 Enterprise or later.
51
+
- Devices are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app causes Microsoft Defender Antivirus to disable itself](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
54
52
-[Real-time protection](/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) is enabled.
55
-
56
-
- Audit mode isn't enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
53
+
- Audit mode isn't enabled. Use Group Policy to set the rule to `Disabled` (value: `0`) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
57
54
58
55
If these prerequisites are met, proceed to the next step to test the rule in audit mode.
59
56
60
-
## Best practice when setting up Attack Surface Reduction rules via Group Policy
57
+
## Best practices when setting up attack surface reduction rules using Group Policy
61
58
62
-
When setting up the Attack Surface Reduction rules via Group Policy, here are a few of the common mistakes:
59
+
When setting up the attack surface reduction rules by using Group Policy, here are a few best practices to avoid making common mistakes:
63
60
64
-
1. Make sure when adding the GUID for Attack Surface Reduction rules, there are **no double quotes** ("ASR Rules GUID") at the beginning or at the end of the GUID.
61
+
1. Make sure when adding the GUID for attack surface reduction rules, there are **no double quotes** (like this: "ASR Rules GUID") at the beginning or at the end of the GUID.
65
62
66
-
1. Make sure that there are **no spaces** at the beginning or at the end when adding the GUID for Attack Surface Reduction rules
63
+
2. Make sure that there are **no spaces** at the beginning or at the end when adding the GUID for attack surface reduction rules.
67
64
68
65
## Use audit mode to test the rule
69
66
70
67
Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](attack-surface-reduction-rules-deployment-test.md) to test the specific rule you're encountering problems with.
71
68
72
-
1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but allows it to run.
69
+
1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to `Audit mode` (value: `2`) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but allows it to run.
73
70
74
71
2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed).
75
72
76
-
3.[Review the attack surface reduction rule event logs](attack-surface-reduction.md) to see if the rule would block the file or process if the rule were set to **Enabled**.
73
+
3.[Review the attack surface reduction rule event logs](attack-surface-reduction.md) to see if the rule would block the file or process if the rule were set to `Enabled`.
77
74
78
-
If a rule isn't blocking a file or process that you're expecting it should block, first check if audit mode is enabled.
79
-
80
-
Audit mode might be enabled for testing another feature, or by an automated PowerShell script, and might not be disabled after the tests were completed.
75
+
If a rule isn't blocking a file or process that you're expecting it should block, first check to see if audit mode is enabled. Audit mode might be enabled for testing another feature, or by an automated PowerShell script, and might not be disabled after the tests were completed.
81
76
82
77
If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on preconfigured scenarios, but the rule isn't working as expected, proceed to either of the following sections based on your situation:
83
78
84
-
1. If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive).
85
-
86
-
2. If the attack surface reduction rule isn't blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions).
79
+
- If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive).
80
+
- If the attack surface reduction rule isn't blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions).
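Review bot: two list markers in this hunk lack the space that makes them render as list items, and one of them is on a line the hunk rewrites. The `+` line `3.[Review the attack surface reduction rule event logs](attack-surface-reduction.md) to see if the rule would block the file or process if the rule were set to `Enabled`.` keeps `3.` glued to the link, so Markdown renders it as a paragraph beginning "3.[Review" rather than as step 3 of the audit-mode procedure; suggest `3. [Review the attack surface reduction rule event logs](attack-surface-reduction.md) ...`. The unchanged context line `-[Real-time protection](...) is enabled.` in the prerequisites list has the same defect (no space after the hyphen) and sits between two bullets this hunk rewrites, so it would be cheap to fix here. Separately, the rewritten prerequisite "Audit mode isn't enabled. Use Group Policy to set the rule to `Disabled` (value: `0`)" tells the reader to turn the rule off, while the same hunk later asks whether the rule "would block the file or process if the rule were set to `Enabled`"; if the intent is "the rule is in block mode, not audit mode", the label and value in that bullet should point at the enabled/block state rather than at Disabled.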