This rule is very unclear. What is the required prevalence? And even more important: What is considered as "trusted list"?
These criteria would be determined by administrators as the result of an analysis of the software being used legitimately within the organization. As such, each organization's criteria would be different according to need.
Hope that helps.
It's great if administrators can determine these parameters, but the documentation should state how.
All I found is how to configure the rule in terms of enable/audit/disable and exclusions.
One company may need to use some sort of recording software to document what is done within a system. In another company, using recording software may violate compliance or privacy rules. There is no way that Microsoft can determine what needs your organization has. Nor can it determine what needs to be analyzed or what form that analysis should take. It can be a difficult task for officials within an organization to go through this process, in part because of the differences between industries and even businesses within an industry.
@vrdse Take a look over at the ISACA (Information Systems Audit and Control Association) for an overview of the process of a Security Assessment: Performing a Security Risk Assessment.
@OftKilted Good recommendation!
Thank you for your efforts, but that's not what I meant. The documentation states
This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list:
According to @egallagh the configuration for prevalence, the trusted list and the exclusion list is configured by the administrator.
From Customize attack surface reduction I know that the exclusion list - which can contain files and folders - is configured by Group Policy, PowerShell, or MDM CSPs.
If I can configure the prevalence (threshold?) and a trust list too, where can I do so? GPO? PowerShell? MDM CSP?
I believe that prevalence and trust list can actually not be configured by the administrator. But then again, I'm asking for transparency. Who is trusted? How is prevalence measured?
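For readers who land here looking for the part that administrators do control: the following PowerShell is an added example, not code from the issue thread or from the Microsoft documentation it discusses. It puts the rule into audit mode, adds an ASR-only exclusion, reads back the effective state, and pulls the audit/block events the rule writes. The rule GUID is the one quoted in this thread; the exclusion path is a placeholder, and the cmdlets (`Set-MpPreference`, `Add-MpPreference`, `Get-MpPreference`, `Get-WinEvent`) are the standard Defender and event-log cmdlets.

```powershell
# Added example (not from the issue thread or the Microsoft docs it discusses).
# ASR rule GUID quoted in the thread: "Block executable files from running
# unless they meet a prevalence, age, or trusted list criteria".
$RuleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'

# 1. Turn the rule on in audit mode first. Audit mode logs what *would* be
#    blocked without blocking it, which is how you find the legitimate
#    line-of-business executables the cloud criteria do not already trust.
Set-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 2. Exclusions are the only admin-controlled allow list for ASR rules.
#    The path below is a placeholder; replace it with the folder or file
#    that the audit events show is being flagged.
$ExclusionPath = 'C:\Program Files\ExampleVendor\ExampleTool'   # placeholder
Add-MpPreference -AttackSurfaceReductionOnlyExclusions $ExclusionPath

# 3. Verify the effective state. Ids and Actions are parallel arrays, so the
#    action for this rule sits at the same index as its GUID.
$pref  = Get-MpPreference
$index = -1
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $RuleId) { $index = $i }
}
$state = if ($index -lt 0) { 'Not configured' } else {
    switch ($pref.AttackSurfaceReductionRules_Actions[$index]) {
        0 { 'Disabled' } 1 { 'Block' } 2 { 'AuditMode' } 6 { 'Warn' }
        default { 'Unknown' }
    }
}
"Rule $RuleId is $state"
"ASR-only exclusions: $($pref.AttackSurfaceReductionOnlyExclusions -join ', ')"

# 4. Review what the rule observed. In the Microsoft-Windows-Windows
#    Defender/Operational log, event 1122 = audited (would have blocked)
#    and event 1121 = blocked. Filtering on the GUID isolates this rule.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Select-Object TimeCreated, Id, Message
```

Run it from an elevated PowerShell session on a machine with Microsoft Defender Antivirus active. The same settings can be delivered through the Group Policy and MDM CSP paths the thread mentions; this script only shows the PowerShell form. Note that nothing here sets a prevalence threshold or a trust list, which is consistent with the answer later in the thread that those criteria are Microsoft-controlled.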
There is no documentation online about this ASR rule, after lots of searching. What is the actual trusted criteria list? What are the age or prevalence criteria?
I have gotten confirmation from MS that they do, in fact, control the criteria for the "Block executable files from running unless they meet a prevalence, age, or trusted list criteria - 01443614-cd74-433a-b99e-2ecdc07bfc25". The criteria is NOT specified by admins. It uses Microsoft's cloud protection to update its trusted list regularly. This documentation needs to be updated in order to reflect this.
@officedocsbot assign @mypil
Added important note on PR #3148
@vrdse : Hope you feel that your question has been answered.
Thank you for your question and follow-ups.
Perhaps the article can be updated to reflect this information?
It's updated with this information, the thing is that you have to give it some time to see it published in public.
Got it, thanks! #pleaseclose
The change is here: https://github.com/MicrosoftDocs/windows-itpro-docs/pull/3138/files/6c520d261f39ef3fd6ece81a4138bea1a4cff851
I added the Important note :)
@vrdse - From our understanding, the issue has been resolved but it may take a few days for the merged content to appear in the article. If you feel it hasn't been resolved, please re-open this issue.
Thank you for your contribution to make the docs better! Much appreciated!
@officedocsbot close