The new ASR rules added recently to the ASR table, and recently enforced by the script/module in PR #212, should be set to Audit (status ID 2) or Warn (status ID 6) until they graduate to stable.
The table shows the new rules that are in preview. And for sure, they are a little too restrictive, specifically "Block use of copied or impersonated system tools (preview)" (ID: c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb).
So far, this particular rule has been the most problematic for me. It has blocked several background git operations when working with several repositories, Java-specific executables from JetBrains IDEs, VS Code and Zulu (klist.exe, 7z.exe, and more), NVIDIA driver updates as the installer tried to extract to the temp folder and run rundll32.exe as part of the upgrade, standalone 7z operations and many more.
As far as I can tell, many of these executables like 7z and klist are definitely not part of the system tools, and it still blocked them.
I was able to mitigate this by changing the value for the rule ID in GPO to 6.
IMO, they are too unstable and way too restrictive for now and should be set to audit or warn state until they are stable enough.
I would like to hear your thoughts on this. Have you had any issues on your side?
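The change the post describes (moving the preview rule from Block to Warn and confirming it took effect), as an added example that is not code from the discussion or from the project it refers to. It assumes an elevated PowerShell session on a host running Microsoft Defender Antivirus; the `Get-AsrRuleAction` helper and the `$ActionNames` map are mine, the rule GUID and action numbers are the ones quoted above.

```powershell
# Added example, not from the discussion or the project's own module.
# Sets one preview ASR rule to Warn locally and verifies the result.
# Assumes an elevated session with Microsoft Defender Antivirus present.
#Requires -RunAsAdministrator

# Rule quoted in the post: "Block use of copied or impersonated system tools (preview)".
$RuleId = 'c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb'

# Numeric action values as Defender reports them (same numbers the post uses).
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleAction {
    # Returns the numeric action for one rule ID, or $null if the rule is not configured.
    param([Parameter(Mandatory)][string]$Id)
    $pref = Get-MpPreference
    # _Ids and _Actions are parallel arrays; the index of the ID selects its action.
    $ids = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    $idx = [array]::IndexOf($ids, $Id.ToLower())
    if ($idx -lt 0) { return $null }
    return [int]$pref.AttackSurfaceReductionRules_Actions[$idx]
}

function Format-AsrAction {
    param($Action)
    if ($null -eq $Action) { return 'not configured' }
    return "$Action ($($ActionNames[[int]$Action]))"
}

$before = Get-AsrRuleAction -Id $RuleId
"Before: $RuleId -> $(Format-AsrAction $before)"

# Add-MpPreference replaces the action for an ID that is already listed,
# so this does not create a duplicate entry.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions Warn

$after = Get-AsrRuleAction -Id $RuleId
"After:  $RuleId -> $(Format-AsrAction $after)"

if ($after -ne 6) {
    # Policy-managed settings (GPO or Intune) take precedence over local MpPreference,
    # which is why the post changed the value in the GPO instead.
    Write-Warning 'Rule is not in Warn (6). If it is delivered by GPO or Intune, change it there.'
}
```

Running the same check before and after a policy refresh (`gpupdate /force`) is a quick way to confirm that the GPO value, not a stale local setting, is what the host enforces.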