Azure/aztfexport

aztfexport.exe blocked by ASR rules

AaronHorn opened this issue · 3 comments

I've just installed aztfexport using go install github.com/Azure/aztfexport@latest

When I try to run the binary, it is being blocked by Microsoft Defender's Attack Surface Reduction (ASR) rules.

In event log:

Log Name:      Microsoft-Windows-Windows Defender/Operational
Source:        Microsoft-Windows-Windows Defender
Date:          16/12/2023 12:57:59
Event ID:      1121
Task Category: None
Level:         Warning
Keywords:      
User:          SYSTEM
Computer:      <REDACTED>
Description:
Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
 For more information please contact your IT administrator.
 	ID: 01443614-CD74-433A-B99E-2ECDC07BFC25
 	Detection time: 2023-12-16T12:57:59.495Z
 	User: <REDACTED>\<REDACTED>
 	Path: C:\Users\<REDACTED>\go\bin\AZTFEX~1.EXE
 	Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 	Target Commandline: 
 	Parent Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 	Involved File: 
 	Inheritance Flags: 0x00000000
 	Security intelligence Version: 1.403.588.0
 	Engine Version: 1.1.23110.2
 	Product Version: 4.18.23110.3

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Defender" Guid="{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}" />
    <EventID>1121</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2023-12-16T12:57:59.4956169Z" />
    <EventRecordID>11255</EventRecordID>
    <Correlation ActivityID="{<REDACTED>}" />
    <Execution ProcessID="4380" ThreadID="6368" />
    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
    <Computer><REDACTED></Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Product Name">Microsoft Defender Antivirus</Data>
    <Data Name="Product Version">4.18.23110.3</Data>
    <Data Name="Unused">
    </Data>
    <Data Name="ID">01443614-CD74-433A-B99E-2ECDC07BFC25</Data>
    <Data Name="Detection Time">2023-12-16T12:57:59.495Z</Data>
    <Data Name="User"><REDACTED>\<REDACTED></Data>
    <Data Name="Path">C:\Users\<REDACTED>\go\bin\AZTFEX~1.EXE</Data>
    <Data Name="Process Name">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="Security intelligence Version">1.403.588.0</Data>
    <Data Name="Engine Version">1.1.23110.2</Data>
    <Data Name="RuleType">ENT\ConsR</Data>
    <Data Name="Target Commandline">
    </Data>
    <Data Name="Parent Commandline">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="Involved File">
    </Data>
    <Data Name="Inhertiance Flags">0x00000000</Data>
  </EventData>
</Event>

In Windows Security: [screenshot: Defender]

Defender log file: MPLog.log

The problem is that I have the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" 01443614-cd74-433a-b99e-2ecdc07bfc25 (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) set.

The fix is:

Set-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\<REDACTED>\go\bin\aztfexport.exe"
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\<REDACTED>\go\bin\AZTFEX~1.EXE"

But is there anything that can be done from the project side to prevent this happening?
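For anyone triaging the same block, the following is an added example (not from the issue or the aztfexport project): it pulls recent Event ID 1121 records from the Defender operational log, maps the ID field to the ASR rule named in this issue, and adds an ASR-only exclusion without overwriting the existing list. The rule GUID and log name are taken from the event above; the function names are my own and an elevated PowerShell session with Defender is assumed.

```powershell
# Added example, not part of the issue or the aztfexport project.
# Run in an elevated PowerShell session on a machine running Microsoft Defender.

# GUID of the rule that fired in the issue, as reported in the event's ID field;
# the name is from the linked Microsoft docs page.
$asrRuleNames = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' =
        'Block executable files from running unless they meet a prevalence, age, or trusted list criterion'
}

function Get-AsrBlockEvent {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121   # ASR rule blocked an operation (audit mode uses 1122)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The EventData block carries named fields (ID, Path, Process Name, ...)
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $ruleId   = "$($data['ID'])".Trim().ToLower()
        $ruleName = $asrRuleNames[$ruleId]
        if (-not $ruleName) { $ruleName = '(rule GUID not in local map)' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            RuleId   = $ruleId
            RuleName = $ruleName
            Path     = $data['Path']          # may be the 8.3 short name, as in the issue
            Parent   = $data['Process Name']
        }
    }
}

function Add-AsrOnlyExclusion {
    param([Parameter(Mandatory)][string]$Path)
    # Set-MpPreference -AttackSurfaceReductionOnlyExclusions REPLACES the whole list;
    # Add-MpPreference appends, so existing exclusions survive.
    $current = (Get-MpPreference).AttackSurfaceReductionOnlyExclusions
    if ($current -contains $Path) { return "Already excluded: $Path" }
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Path
    return "Added ASR-only exclusion: $Path"
}

# Show what ASR blocked in the last three days and which rule was responsible.
Get-AsrBlockEvent -Hours 72 | Format-Table Time, RuleName, Path, Parent -AutoSize
```

Because the Path field can carry the 8.3 short name (AZTFEX~1.EXE above) rather than the long name, check the reported path before deciding which form to exclude, as the reporter did by adding both.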

magodo commented

@AaronHorn Can you try to install the tool via winget?

> @AaronHorn Can you try to install the tool via winget?

I tried this, it seems to work.

However, the version Go installed now also seems to work, even with the ASR exclusions removed.