ConfigureDefender utility for Windows 10/11
<blockquote data-quote="Andy Ful" data-source="post: 901639" data-attributes="member: 32260"><p><span style="font-size: 18px"><strong>ASR exclusions.</strong></span></p><p></p><p>ASR rules are part of WD behavior blocking and work after the suspicious action is taken by running processes. Such protection could also be called advanced HIPS or behavior blocker (on-execution and post-execution blocking). Most ASR rules work locally (no cloud backend), but they have to be updated from time to time.</p><p></p><p>There is one ASR rule (e.g. "<span style="color: rgb(184, 49, 47)"><strong>Block executable files from running unless they meet a prevalence, age, or trusted list criteria</strong></span>" with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25) which highly depends on the cloud backend.</p><p>This rule is a valuable additional protection against malicious executables (EXE, SCR, DLL, etc.), but can produce false positives for not-popular applications. In such a case, WD blocks access to the executable so it cannot be executed, copied, or uploaded. This can be annoying because (rarely) some applications can be blocked for several days. Furthermore, after disabling this ASR rule and installing the application, it will usually be blocked after enabling the rule.</p><p></p><p>So, what to do?</p><p>1. One can disable this rule (like in ConfigureDefender HIGH Protection Level).</p><p>2. <span style="color: rgb(0, 168, 133)"><strong>One can temporarily disable the rule, install (or update) an application, and add the ASR exclusion for the application folder.</strong></span></p><p></p><p>When adding the ASR exclusions, it is worth remembering that these exclusions will be active for all ASR rules that allow exclusions (3 rules do not allow exclusions).
Also, these ASR exclusions will have no impact on WD antimalware exclusions.</p><p>It seems that adding the exclusion for "Program Files" (or "Program Files (x86)") folder does not decrease the ASR protection much, but one should not exclude the Windows system folder.</p><p>Excluding the application folders in the UserProfile could be in theory exploited by the attacker, but I did not see it in the wild. So, probably it is better to keep this ASR rule activated with some folder exclusions than not using it at all.</p><p></p><p>Please post here about your own experience related to ASR rules and ASR exclusions. (y)</p></blockquote><p></p>
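The procedure in option 2, written out with the Defender PowerShell cmdlets as an added example (not part of the original post or of ConfigureDefender). The application folder, the installer path and the risk labels are assumptions for illustration; the rule GUID is the one quoted in the post.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
$RuleId    = '01443614-cd74-433a-b99e-2ecdc07bfc25'   # GUID quoted in the post
$AppFolder = 'C:\Program Files\ExampleApp'            # hypothetical application folder

function Get-AsrExclusionRisk {
    # Classify an exclusion path using the post's guidance on folder scope.
    param([Parameter(Mandatory)][string]$Path)
    $p     = [Environment]::ExpandEnvironmentVariables($Path).TrimEnd('\')
    $win   = $env:SystemRoot.TrimEnd('\')
    $users = (Split-Path $env:USERPROFILE -Parent).TrimEnd('\')
    $ic    = [StringComparison]::OrdinalIgnoreCase
    if ($p -match '^[A-Za-z]:$') { return 'High: whole drive' }
    if ($p.Equals($win, $ic) -or $p.StartsWith("$win\", $ic)) { return 'High: Windows system folder' }
    if ($p.Equals($users, $ic) -or $p.StartsWith("$users\", $ic)) { return 'Review: user-writable profile path' }
    return 'OK'
}

function Install-WithAsrExclusion {
    # Option 2 from the post: disable the rule, install, exclude the folder, re-enable.
    param([string]$Folder, [scriptblock]$Installer)
    $risk = Get-AsrExclusionRisk $Folder
    if ($risk -like 'High*') { throw "Refusing to exclude '$Folder' ($risk)" }
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions Disabled
    try {
        & $Installer
        # ASR-only exclusion: applies to every ASR rule that allows exclusions,
        # and does not create a Defender antimalware exclusion.
        Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Folder
    }
    finally {
        # Re-enable even if the installer fails, so the rule is never left off.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions Enabled
    }
}

# Constructed sample paths, classified without touching Defender settings:
'C:\Program Files\ExampleApp', '%SystemRoot%\System32', '%USERPROFILE%\AppData\Local\ExampleApp', 'D:\' |
    ForEach-Object { '{0,-45} {1}' -f $_, (Get-AsrExclusionRisk $_) }

# Audit the exclusions currently configured on this machine:
@((Get-MpPreference).AttackSurfaceReductionOnlyExclusions) | Where-Object { $_ } |
    ForEach-Object { [pscustomobject]@{ Path = $_; Risk = Get-AsrExclusionRisk $_ } }

# Usage (installer path is a placeholder):
# Install-WithAsrExclusion -Folder $AppFolder -Installer { Start-Process 'C:\Temp\setup.exe' -Wait }
```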