Microsoft has addressed a false positive triggered by a buggy Microsoft Defender ASR rule that would delete application shortcuts from the desktop, the Start menu, and the taskbar and, in some cases, render existing shortcuts unusable as they couldn’t be used to launch the linked apps.
The issue affected app shortcuts across onboarded devices after the Microsoft Defender for Endpoint attack surface reduction (ASR) rule was triggered erroneously.
When working correctly, this ASR rule (known as “Block Win32 API calls from Office macro” in Configuration Manager and “Win32 imports from Office macro code” in Intune) should block malware from using VBA macros to call Win32 APIs.
“Malware can abuse this capability, such as calling Win32 APIs to launch malicious shellcode without writing anything directly to disk,” Microsoft explains.
“Most organizations don’t rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.”
While normally, this would help reduce the attack surface threat actors could use to compromise devices protected by Microsoft Defender Antivirus, a bad Defender signature (1.381.2140.0) caused the ASR rule (Rule ID: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b) to misbehave and trigger against users’ app shortcuts, falsely tagging them as malicious.
Windows admins are reporting that the ASR rule is deleting shortcuts belonging to both Microsoft apps and third-party apps.
“We’ve recently onboarded our estate to Defender for Endpoint and we’ve had a number of reports this morning that their program shortcuts (Chrome, Firefox, Outlook) have all vanished following a reboot of their machine, which has also occurred for me too,” one admin said.
“We’re seeing exactly the same issue. I’ve had to push a policy update to set this rule into Audit mode instead of Block – as it’s trashing almost all 3rd party apps and even first party ones as you’ve also said – Slack, Chrome, Outlook,” another one confirmed.
To address the issue, Microsoft has disabled the offending ASR rule and has asked customers to check SI MO497128 in the admin center for more updates.
We’ve identified that a specific rule was resulting in impact. We’ve reverted the rule to prevent further impact whilst we investigate further. For more information, please follow the SI MO497128 in your admin center.
— Microsoft 365 Status (@MSFT365Status) January 13, 2023
In the latest admin center update, Microsoft said the reverted ASR rule needs several hours to propagate to all affected customers and advised placing it in Audit mode or fully disable it.
“We reverted the offending ASR rule, however, this change is propagating throughout the environment and could take several hours to complete,” Microsoft said.
“We recommend that you take action to place the offending ASR rule into Audit Mode and prevent further impact until the update has completed deployment.”
You can put the ASR rule to Audit Mode using one of the following methods:
Using Powershell: Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions AuditMode
Using Group Policy
The fourth option is to set the rule to disabled mode using the following Powershell command:
Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions Disabled
Until the issue is completely fixed and all deleted shortcuts can be restored, Microsoft advised customers to directly launch Office apps using the Office app or the Microsoft 365 app launcher.
System administrators have created PowerShell scripts [1, 2] that attempt to restore Microsoft Office and other application shortcuts to the Start Menu. However, these should be tested before being used in production.
During the last two years, Windows admins have had to deal with multiple other Microsoft Defender for Endpoint false positives.
Almost a year ago, a wave of Defender for Endpoint alerts tagged Office updates as malicious in warnings pointing to ransomware behavior detected on Windows endpoints.
Defender ATP also blocked Office documents and some Office executables from opening or launching in November 2021 due to another false positive tagging the files Emotet malware payloads.
One month later, in December 2021, it mistakenly displayed “sensor tampering” alerts linked to the Microsoft 365 Defender scanner for Log4j processes.
Similar Defender for Endpoint false positive issues had shown alerts of network devices infected with Cobalt Strike and tagged Chrome updates as PHP backdoors.