Replies: 1 comment 8 replies
-
|
Hi, 
I really like to look at them. I haven't had any issues with the new ASR rules. I use VS code, GitHub desktop that uses Git executables under the hood, i use Nanazip that uses 7zip executables under the hood, and I have Nvidia driver installed (latest game ready version). |
Beta Was this translation helpful? Give feedback.
-
|
On the sidebar in Event Viewer, after selecting the Attack Surface Reduction events you can select this 🙂 You can email them to me too if you don't wanna publicly put it here 
P.S now Nvidia driver upgraded
|
Beta Was this translation helpful? Give feedback.
-
|
I used the new NVIDIA app to install the latest driver. The app does not show these windows, and everything happens in the custom window it draws (tbh these windows that the driver draws are quite old, and the app is now drawing its own windows while updating).
Now that I have changed the ID for that rule, it no longer errors out. I didnt test it with the old experience. |
Beta Was this translation helpful? Give feedback.
-
|
Ah I have to try out the new app! But you're right that new ASR rule is causing problem for your programs, it's obvious in the logs, i think the best thing to do is setting it as an optional sub-category for the ASR category so it doesn't get applied with the rest of the rules, at least until it exits the preview phase. Sorry about that, i'll change it asap |
Beta Was this translation helpful? Give feedback.
-
|
Oh thank you! Thats great to hear! I'll mark this as complete 😃 |
Beta Was this translation helpful? Give feedback.
-
|
🙏🙏 |
Beta Was this translation helpful? Give feedback.
-
The new ASR rules added recently to the ASR table and recently enforced by the script/module in the PR #212, should be set to Audit (status ID 2) or Warn (status ID 6) until they graduate to stable.
The table shows the new rules that are in preview. And for sure, they are a little too restrictive, specifically Block use of copied or impersonated system tools (preview) (ID: c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb).
So far, this particular rule has been the most problematic for me. It has blocked several background git operations when working with several repositories, java specific executables from jetbrains IDEs, vscode and zulu (klist.exe, 7z.exe, and more), NVIDIA driver updates as it tried to extract to temp folder and tried running rundll32.exe as part of the upgrade, standalone 7z operations and many more.
As far as I can tell, many of these executables like 7z and klist are definitely not part of the system tools and it still blocked them.
I was able to mitigate this by changing the value for the rule ID in GPO to 6.
IMO, they are too unstable and way too restrictive for now and should be set to audit or warn state until they are stable enough.
I would like to hear your thoughts on this. Have you had any issues on your side?
Beta Was this translation helpful? Give feedback.
All reactions