Microsoft Defender ASR rules remove icons and apps shortcuts from Taskbar

ForgottenSeer 97327

@Andrezj
I am using the same, only the boot menu option instead of a recovery CD. At normal boot it is offered as an option. When Windows is totally down, the recovery offers this as an alternative OS. That is why I never used a recovery CD.

piquiteco

Level 14
Oct 16, 2022
626
Microsoft reminds all it's Friday the 13th as Defender deletes shortcuts on Windows 10

I was also affected by this, how sad, I won't even go into details. One of my laptops died and wouldn't turn on anymore, and when I went to the other laptop, while I was moving my stuff to it, my shortcuts started to disappear from the desktop. Whether it is because it was Friday the 13th I don't know, but everything happened on that blessed day, Friday the 13th. Coincidence? Maybe; very likely it was the Hard_Configurator settings that I exaggerated. @BryanB, know that I will stop here, otherwise the witches may appear again. Now I remember that only in October will the 13th fall on a Friday again :(

Imagine forgetting System Restore even though you are an IT guy. Actually, why didn't I think of this before? When I saw all the icons were gone I was like, damn! FFS, I thought I'd have to reinstall all the software again later because I was too lazy. I saw your post and it worked! Thank you! Giving you 🍪🍪, don't tell any staff, go to your DM in private and eat it there, dude!
I have Macrium, Acronis, AOMEI Backupper, RollBack Rx, Restore Point, etc., but I had just formatted this laptop and was installing some apps that I use and updating; I was almost done when suddenly the icons began to disappear. There was only one Restore Point in Windows, so it was just a restore. After I saw the news that it was the Microsoft Defender ASR rule, in the BleepingComputer article "Buggy Microsoft Defender ASR rule deletes Windows app shortcuts", it was already too late, I had already kicked the bucket. I will have to recreate the shortcuts one by one, playing Microsoft 😵‍💫

ForgottenSeer 97327

Funfacts when restoring images

For fun I wanted to see whether my quadruple whitelist security layers impacted the startup of a few programs, and decided to test the startup delay with AppTimer with no security enabled. I noticed that Edge could not be tested anymore with AppTimer, because AppTimer was denied launching Edge (on both my Windows 10 desktop without security and my wife's Windows 11 laptop with Avira Free). So it seems that security mechanisms are being added by Microsoft silently.

Another thing I noticed. When I decided to go back to my previous image, I promoted my standard user to admin again. Until @AndyFull mentioned the scoop about AppLockerHome, I was playing with the setup I mentioned in @Gandalf_The_Grey's security setup (using Windows WDAC Intelligent Security Graph instead of Smart App Control). So I buckled up that image (WDAC with ISG) and installed Avira Free (because that is what I installed on my wife's laptop after Defender ate up the icons). I always used the unsigned AppTimer to check whether ISG was working.

As I advised @Gandalf_The_Grey, I ran WDAC in Audit mode, next round with "Audit on boot failure", then fully enabled. As expected, WDAC ISG allowed AppTimer in Audit and blocked it with the safety net "Audit on boot failure" enabled. To my surprise, when I ran WDAC fully enabled, it allowed AppTimer to run. I thought something was messed up, so I made a specific deny rule for AppTimer and this blocked AppTimer from running.

Conclusion: during the 30 minutes playing with WDAC ISG, the Intelligent Security Graph had decided that the unsigned AppTimer was harmless and changed its policy from block to allow. (y) So ISG really seems to learn now that Microsoft is sharing this backbone for SAC (and SmartScreen) as well. This is a change (I have used AppTimer since 2019 to test whether my WDAC is working, so this is definitely a change for the better).

wat0114

Level 11
Verified
Top Poster
Well-known
Apr 5, 2021
547
@Andrezj
I am using the same, only boot menu option instead of recovery CD. At normal boot it is offered as an option. When windows is totally down, the recovery offers this as an alternative OS. That is why I never used a recovery CD.

I've added the boot menu option and tested, all works great. Thanks for pointing this out. I would still keep a rescue boot disk on hand just in case of a physical hdd failure.

ForgottenSeer 97327

I've added the boot menu option and tested, all works great. Thanks for pointing this out. I would still keep a rescue boot disk on hand just in case of a physical hdd failure.
Remember, when Windows crashes to the point that it does not show the boot menu options anymore, invoke Windows startup recovery (by forcing a reboot a few times with the PC start button) and search for "start/launch another/different OS" (I don't remember exactly). When you choose that option, the Macrium Reflect PE-environment option will show up. (y)

I also have a recovery CD, but have never used it. I will burn a new one because I am on Free Macrium V8 now (and the downloads will also disappear at EOL, I guess).

wat0114

Level 11
Verified
Top Poster
Well-known
Apr 5, 2021
547
Remember, when Windows crashes to the point that it does not show the boot menu options anymore, invoke Windows startup recovery (by forcing a reboot a few times with the PC start button) and search for "start/launch another/different OS" (I don't remember exactly). When you choose that option, the Macrium Reflect PE-environment option will show up. (y)

Even if the hdd physically crashes? I might be misunderstanding the boot menu functionality 🤔

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
I also had to restore a system image (I moved from Macrium Free to Hasleo Backup Suite Free). The damage that was done by this issue was too much to fix. I wasn't even home for a few days, and my brother, who came to visit from abroad, had to suffer from this issue on my PC. He knows how to use a PC, but has no idea about or interest in security-related things. So he had no clue what happened and was a bit worried. Some other Office-related ASR rules are not user-friendly either. I saw quite a few blocks in the protection history, when I got back home, from the time when my brother worked in MS Word. For example, simply converting docx to pdf gives you a block because by default MS Word is set to immediately open the PDF after conversion. This opens as a child process of Word and hence gets blocked by the child-process-related ASR rule. The PDF is created alright, but the block would confuse an average user.
Anyway, this shortcut issue was a heavy mess! I have now installed a very good third-party AV so that my bro can do his work without any issue. It's a more user-friendly approach.

piquiteco

Level 14
Oct 16, 2022
626
Anyway, this shortcut issue was a heavy mess! Now installed a very good third-party AV so that my bro can do his work without any issue. It's a more user-friendly approach.
I, too, think I will install a third-party AV. I don't trust MD anymore; this is not the first time that Microsoft sends a signature with a bug or pushes an update and starts deleting user files. Can this happen with third-party AVs? Yes, of course, it can happen with any AV; to err is human, after all AVs are developed by humans. But as MD comes already installed and integrated in Win10 and Win11, it is almost impossible to deactivate it. The thing is that if I use a third-party AV, I will be prepared in case something happens: I will have a backup image, snapshot, etc., and I just need to restore and go back to the previous state. On the other laptop that died I was using CIS; I should have followed my instinct and installed CIS, maybe this wouldn't have happened. Ha, there I had RBX installed even though I had MD, and it would just have been a matter of going back a snapshot, 30 seconds and everything back to normal. Before blaming Microsoft and Hard_Configurator: if I had MD with the default ASR rules, would this have happened? I will leave some screenshots of the default ASR rules in MD. And then, just below in the second spoiler, the adjustments made by Hard_Configurator on top. 😉

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Anyway, this shortcut issue was a heavy mess! Now installed a very good third-party AV ...
This can be a pretty common reaction to such a blooper, which could have been easily avoided by Microsoft with a simple test. Imagine how big the problems were that this issue caused in the small and medium businesses where people use Defender for Endpoint.
 

piquiteco

Level 14
Oct 16, 2022
626
This can be a pretty common reaction to such a blooper, which could be easily avoided by Microsoft with a simple test. Imagine how big problems this issue caused in the small and medium businesses where people use Defender for Endpoint.
And why didn't they test it on a VM or on a production machine before sending out this buggy update? That's what I don't understand. :confused:
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
For an unknown reason, only one of my 3 home computers was affected, although all had the faulty ASR rule enabled. The issue happened on my wife's computer (Windows 11), but she uses only a few shortcuts, so I repaired it in 5 minutes after looking into the ConfigureDefender log (the faulty ASR rule was exposed in the log).
The same problem happened to one of my friends, but she uses the computer for simple tasks and can still run applications from the Start menu (we will meet in a few days, so I will be able to repair the issue).
A real problem can arise for users who cannot get occasional help from more experienced ones. I think that such users should use the AV with default settings (Defender or any other). Usability issues can come sooner or later with advanced settings.
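Andy Ful traced the culprit by looking at which ASR rule the log exposed. As an added example (not code from the thread, from ConfigureDefender or from Hard_Configurator), the PowerShell below does the same from the built-in tooling: it lists how every ASR rule is configured via Get-MpPreference and tallies recent ASR block/audit events (IDs 1121 and 1122 in the Defender operational log) by rule GUID; the event-data field names "ID", "Path" and "Process Name" are assumptions about the 1121 event schema, not values from the thread.

```powershell
# Added example: inventory ASR rule state and recent ASR events so the rule
# behind a burst of deleted shortcuts can be identified. Run elevated on
# Windows 10/11 with Microsoft Defender active.

# Action codes used by Get-MpPreference/Set-MpPreference for ASR rules.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$acts[$i]
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Unknown($code)" }
        }
    }
}

function Get-AsrEvents {
    param([int]$Hours = 72)
    # 1121 = ASR rule blocked an action, 1122 = ASR rule audited an action.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        # Collect every EventData field by name so the object is usable even
        # if the field names assumed below differ on a given build.
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            RuleId  = $data['ID']            # assumed field name
            Path    = $data['Path']          # assumed field name
            Process = $data['Process Name']  # assumed field name
        }
    }
}

Get-AsrRuleState | Sort-Object Action | Format-Table -AutoSize
# The rule with a sudden pile of blocks on .lnk paths is the one to set to
# Audit (action 2) or Disabled (action 0) via Set-MpPreference until fixed.
Get-AsrEvents | Group-Object RuleId | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```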

wat0114

Level 11
Verified
Top Poster
Well-known
Apr 5, 2021
547
Anyway, this shortcut issue was a heavy mess! Now installed a very good third-party AV so that my bro can do his work without any issue. It's a more user-friendly approach.

I spent more time than I probably should have trying to restore the few missing icons from this debacle, in particular the transparent Edge icon, by trying suggestions from forum responses and Google searches, before resorting to the mere formality of restoring a recent image, but that's just me being stubborn. Still, I can't justify replacing free Defender with a yearly paid product because of this isolated incident, although I realize this would definitely have created far more grief for some, especially for small and medium businesses, as @Andy Ful alluded to above.

For me this once again just reinforces how important it is to keep a recent system image on hand that can be reliably restored if needed.

EDIT

Believe it or not, there was also a bit of strategy in my delaying the image restore, as I wanted to be sure MS fixed the issue first.
 

piquiteco

Level 14
Oct 16, 2022
626
For me this once again just reinforces how important it is to keep a recent system image on hand that can be reliably restored if needed.
Exactly. I didn't have a recent image backup; mine was worse, because I had just formatted it and was finishing installing some apps and updating the browsers. After that I was going to make a backup, because everything I use was on another laptop that had developed a problem. After almost finishing the tasks on this new laptop, the shortcuts started to disappear and I thought it was malware. The funniest thing, everyone will laugh at my comment, but what I'm saying is true, I'll be honest: I should have recorded a video showing what happened on my desktop as the shortcuts disappeared. I noticed that the shortcuts were disappearing, so I would access other shortcuts on the desktop that hadn't been deleted yet, and when I clicked on an app's shortcut, it disappeared. It was like that several times in a row, as if something was playing with me lol :LOL:
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I thought it was malware, the funniest thing, everyone will laugh at my comment, ...
That is normal. I also had it in mind when my wife told me about this issue. But the ConfigureDefender log showed a different story.
Anyway, the lost shortcuts are not a good promotion of Microsoft Defender for Endpoint. I think that Microsoft can lose a lot of money due to this event.
 

Captain Holly

Level 5
Verified
Well-known
Jan 23, 2021
227
I use the MD Home version. I don't think my laptop was affected by the bug, but mysteriously, for some reason, my MS Photos app would not work today. I had not used it for a week or so prior. I had to do a repair on the Photos app and it worked again, but I don't know what caused the problem.

My question is, since MD is always running in the background and can still do a periodic scan even when you have a third-party AV installed, would another bad MD update still cause a problem? Or is the third-party AV going to block the update? Is a third-party AV a good solution to the update problems?

To err is human and I understand people make mistakes, but if this problem happened in the Enterprise Business edition of MD, who knows what kind of problems might occur for us lowly Home edition users? I am trying to keep my faith in MD but am not so sure what to do right now.

C.H.