
Windows Defender: Attack Surface Reduction – No Events in EventLog for some blocked actions

Windows Defender Device Guard: Attack Surface Reduction

Dear community,

I am experiencing a relatively strange behavior using Attack Surface Reduction from the Defender Device Guard.

As recommended in the baseline security 1809, I did activate the recommended ASR rules; one of them being “Block untrusted and unsigned processes that run from USB” – elaborated here.

I did create an unsigned application using Visual studio and C#. Runs fine on the build machine.

Starting it from a USB drive, Defender Application Guard blocks the application (Code 1121, ID b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4). Intended and expected behavior.

Copying the previously started (and blocked) application to the local disk and trying to start it from there, it gets blocked again. Not so expected behavior.

Renaming this executable on the local disk to “xyz_.exe” it is not blocked. Renaming it to its once blocked at USB name, it gets blocked again.

Does anybody have an idea, if the names of the blocked application are cached in some way or why this behavior occurs?

Kind regards
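An added PowerShell check, not from the original post, that confirms which mode the rule from the post is configured in and lists the ASR events (1121 = block, 1122 = audit) carrying that rule GUID, so a missing EventLog entry can be told apart from the rule not having fired at all. It assumes an elevated PowerShell session on Windows 10 1809 or later with Defender antimalware active; the rule GUID is the one quoted above.

```powershell
# Added troubleshooting example (not from the original post).
# Assumes: elevated PowerShell, Windows 10 1809+, Defender antimalware running.
$RuleId = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'   # "Block untrusted and unsigned processes that run from USB"

# 1. Is the rule configured, and in which mode?
#    AttackSurfaceReductionRules_Actions: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$modeNames = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$mode = 'Not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $RuleId) {
        $mode = $modeNames[[int]$actions[$i]]
        if (-not $mode) { $mode = "Unknown action value $($actions[$i])" }
    }
}
Write-Host "ASR rule $RuleId : $mode"

# 2. Pull the ASR events from the Defender operational log and keep only those
#    whose message mentions this rule. 1121 is written when the rule blocks,
#    1122 when it only audits; 5007 records a configuration change.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122, 5007
} -ErrorAction SilentlyContinue

$hits = $events | Where-Object { $_.Message -match $RuleId }
if (-not $hits) {
    Write-Host "No 1121/1122/5007 events reference this rule in the operational log."
} else {
    $hits | Select-Object TimeCreated, Id, @{
        Name = 'Summary'
        # First line of the message is enough to see rule, path and verdict
        Expression = { ($_.Message -split "`r?`n")[0] }
    } | Format-Table -AutoSize
}
```

Compare the timestamps of the 1121 events with the moments the executable was blocked from the USB drive and from the local disk: a block without a matching event is the EventLog gap the title describes, while a block with a 1121 entry at least shows the rule engine attributing the decision to this rule.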