Recovering from Attack Surface Reduction rule shortcut deletions
Quote: On January 13th, Windows Security and Microsoft Defender for Endpoint customers may have experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to security intelligence builds between 1.381.2134.0 and 1.381.2163.0. These detections resulted in the deletion of files that matched the incorrect detection logic, primarily impacting Windows shortcut (.lnk) files.

There is no impact for customers who do not have the “Block Win32 API calls from Office macro” rule turned on in block mode or did not update to security intelligence update builds 1.381.2134.0, 1.381.2140.0, 1.381.2152 and 1.381.2163.0.

For currently impacted customers: what do I need to do?

Impacted customers will need both the updated security intelligence build, and to recover deleted files in two steps: the first for the start menu and the second for the taskbar.

The updated security intelligence build

Customers should update to build 1.381.2164.0 or later. Customers utilizing automatic updates for Microsoft Defender antivirus do not need to take additional action to receive the updated security intelligence build. Enterprise customers managing updates should download the latest update and deploy it across their environments. The security intelligence build does not restore deleted files. If you turned “Block Win32 calls from Office macros” into audit mode per prior guidance, you can now safely turn on block mode.

To recover deleted start menu shortcut lnks

Microsoft has confirmed steps that customers can take to recreate start menu links for a significant sub-set of the affected applications that were deleted. These have been consolidated into the PowerShell script below to help enterprise administrators take recovery actions in their environment.

Version 2.0 of the script is available here: MDE-PowerBI-Templates/AddShortcuts.ps1 at master · microsoft/MDE-PowerBI-Templates · GitHub

Version 2.0 recovers URLs to favorites and desktop from Volume Shadow Copy Service, restores from Volume Shadow Copy Service by default, and includes improvements for non-English machines and improved error handling.

This script should be run in elevated mode, either admin or system.

Instructions on how to deploy the script using Microsoft Intune are here.

To add programs to the script: edit the $program variable and add a new line with the name of the application lnk and the executable. The script does not currently restore taskbar shortcuts and Microsoft is continuing to work on a solution.
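The recovery approach the post describes, as an added illustration (this is not Microsoft's AddShortcuts.ps1): a table of shortcut names and executables, and a function that recreates any Start Menu .lnk that is missing while the target executable still exists. The function name, the $Programs table and the executable paths are assumptions for the example; adjust them to the environment, and run elevated.

```powershell
# Added example, not the script from the post. Names and paths below are assumptions.
function Restore-StartMenuShortcut {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Each entry: Name = shortcut file name without .lnk, Exe = full path to the executable
        [Parameter(Mandatory)][hashtable[]]$Programs,
        # All-users Start Menu folder; adjust if your shortcuts lived elsewhere
        [string]$StartMenu = (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs')
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($p in $Programs) {
        $lnk = Join-Path $StartMenu ("{0}.lnk" -f $p.Name)
        if (Test-Path -LiteralPath $lnk) {
            # Shortcut survived (or was already restored); leave it untouched
            [pscustomobject]@{ Name = $p.Name; Action = 'Present'; Path = $lnk }
            continue
        }
        if (-not (Test-Path -LiteralPath $p.Exe)) {
            # Application is not installed on this machine; do not create a dangling shortcut
            [pscustomobject]@{ Name = $p.Name; Action = 'NotInstalled'; Path = $p.Exe }
            continue
        }
        # -WhatIf on the call prints the planned changes without writing any files
        if ($PSCmdlet.ShouldProcess($lnk, "Create shortcut to $($p.Exe)")) {
            $sc = $shell.CreateShortcut($lnk)
            $sc.TargetPath       = $p.Exe
            $sc.WorkingDirectory = Split-Path -Parent $p.Exe
            $sc.Save()
            [pscustomobject]@{ Name = $p.Name; Action = 'Restored'; Path = $lnk }
        }
    }
}

# Constructed sample table; extend it one line per application, as the post
# describes for the script's own $program variable.
$Programs = @(
    @{ Name = 'Microsoft Edge'; Exe = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe" },
    @{ Name = 'Notepad';        Exe = "$env:SystemRoot\System32\notepad.exe" }
)

# Review the plan first, then run without -WhatIf to create the missing shortcuts
Restore-StartMenuShortcut -Programs $Programs -WhatIf
Restore-StartMenuShortcut -Programs $Programs | Format-Table -AutoSize
```

The returned objects give administrators a per-machine record of which shortcuts were present, restored, or skipped, which is useful when rolling the fix out through Intune.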

For customers that prefer manual steps rather than the script, running an application repair on affected applications will recreate deleted links. Users can run the Application Repair functionality for programs including Microsoft 365, Microsoft Edge, and Microsoft Visual Studio.

To repair an application, follow these instructions:

Windows 10:
1. Select Start > Settings > Apps > Apps & features.
2. Select the app you want to fix.
3. Select the Modify link under the name of the app if it is available.
4. A new page will launch and allow you to select repair.

Windows 11:
1. Type “Installed Apps” in the search bar.
2. Click “Installed Apps”.
3. Select the app you want to fix.
4. Click on “…”.
5. Select Modify or Advanced Options if it is available.
6. A new page will launch and allow you to select repair.

More info HERE