Eddie Morra

I've been re-testing Attack Surface Reduction today but it seems the internals have changed since last time I tested it.

The rule for "Block Win32 API calls from Office macro" (92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B) is working differently for me now than it did in the past.

The past behaviour I spectated was the Win32 API call being blocked dynamically, but this is no longer the case on my testing environment.

The new behaviour I am spectating is the Microsoft Office document having its access blocked by Windows Defender with a toast notification informing me of this block. It would appear that this rule now works by scanning any macro scripts under the document to determine if they are trying to introduce access to any Win32 API routines and are just rejecting the access to the document to winword.exe/other Microsoft Office processes if a Win32 API routine import is detected.


It's only been a few months since I last tested; I do not know why the behaviour is different compared to last time. I actually enabled the rule before making the PoC document, and then ran the PoC document on the testing environment, but the Win32 API calls were successful - to be precise, I was testing an OpenProcess (KernelBase.dll) call to open a handle to notepad.exe. However, when trying to close the document, Windows Defender then kicked in and blocked access to save the document, indicating that the ASR rule was kicking in and working, and that they simply block access to the document with a macro script scanner instead of bothering to intercept and block the Win32 API calls for this ASR rule.

My testing environment is Windows 10 Professional (1803) with no other security software in the way apart from Windows Defender.
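
One way to check on a test machine whether the rule discussed above is enabled and which process and file it acted on (added example, not part of the original post; the event field names 'Process Name' and 'Path' are assumptions about the Defender event data):

```powershell
# Added example. The rule GUID is the one quoted in the post above.
# Run from an elevated PowerShell session so the Defender log is readable.
$RuleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'

function Get-AsrRuleState {
    param([string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $Id) {            # -eq on strings ignores case
            $label = switch ([int]$actions[$i]) {
                0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' }
                default { "Other ($($actions[$i]))" }
            }
            return [pscustomobject]@{ RuleId = $Id; Action = $label }
        }
    }
    [pscustomobject]@{ RuleId = $Id; Action = 'NotConfigured' }
}

function Get-AsrRuleEvents {
    param([string]$Id, [int]$MaxEvents = 200)
    # 1121 = ASR rule fired in block mode, 1122 = fired in audit mode
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Id) } |
        ForEach-Object {
            # Flatten the named EventData fields into a lookup table
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                if ($d.Name) { $data[$d.Name] = $d.'#text' }
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
                Process = $data['Process Name']   # assumed field name
                Path    = $data['Path']           # assumed field name
            }
        }
}

Get-AsrRuleState  -Id $RuleId
Get-AsrRuleEvents -Id $RuleId | Sort-Object Time | Format-Table -AutoSize
```

Comparing the event timestamps and paths with the moment the document was opened, run and saved shows at which step the rule acted.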

Andy Ful

I retested all my script downloaders-droppers-runners, and I have the same impression as @Vendula Kubová. In the Windows version 1809 after the first update, the ASR rules are much stronger. They blocked all my samples, including execution via WMI. And surprise, the trick with executing PowerShell from VBscript (JScript) is now blocked, too.

Eddie Morra

> I retested all my script downloaders-droppers-runners, and I have the same impression as @Vendula Kubová. In the Windows version 1809 after the first update, the ASR rules are much stronger. They blocked all my samples, including execution via WMI. And surprise, the trick with executing PowerShell from VBscript (JScript) is now blocked, too.

I agree, I am finding it much stronger than before.

One thing I really like is how they are just straight up blocking access to documents containing a macro script with Win32 API usage (for when that rule is enabled). It was a really good idea on their part to do this instead of just relying on dynamic blocking, because now attackers have less of a chance (if you don't let it run, the attacker has less chance to do anything).

I think that was a good move on their part. In fact, I prefer it this way for the specific rule I am talking about because it works well.


It's awesome that Microsoft is making moves. I don't agree with its moves. For fact of point, it is too little, too late. Especially for those who have suffered real losses precisely because of Windows. But I guess late is better than never. Because many, many more are sure to come.

To me, it makes more sense from a security perspective to make VBA a completely separate module that is not shipped with Office by default. Just me. Black is black and white is white. When I see the face of stupidity, I am just compelled to point it out. Shipping weapons fully loaded with ammunition just makes no sense. Why common sense safety isn't applied by Microsoft to Windows is just beyond me. But hey, what do I know ? I'm just an old, salty war dog.

You argue VBA cannot be made a drop-in ? Oh no ? You sure about that ? Check out Kingsoft WPS. At least it got it right.

But I understand that Microsoft built Office over the years and has just slapped more and more stuff on top of what was already there. And, being no one's friend, they aren't going to change it. And why would they ? When they hold the entire business world hostage with Office ? Anyhow... you're probably thinking "he said that same stuff somewhere else...".

No one acknowledges the fact that if all of Microsoft's default attack surface causes significant damage and loss, you are all on your own. No one ever mentions that. People don't get real and bitter about it until it happens to them personally. A person who loses $1,000, $10,000 or more speaks of Windows differently than someone who is a security soft geek playing with softs. Real money (not just chump change) is at-risk and lost daily. The industry has been on Microsoft about this for decades. Consumer level Windows is a security failure. Period. And if anyone tells you otherwise, it just ain't true. Some will argue "Well, that depends wholly upon your definition of 'successful' security." Really ? If someone has to argue with the answer to that question as the premise, then they obviously lack common sense.

Mind you, I get that what I just said is really a rarity for a home user. It would be very rare to have a typical user get smashed for any significant amount of money. But, then again, it's all relative. Someone who loses $300 in country A, that could be their entire life's savings accumulated over decades whereas the person who loses $5,000 in country B is no big deal. So when I speak of this stuff, my frame of reference is completely different than what the typical reader is thinking. To be quite frank, I don't care about adware and PUP "infections." That is flea-bite stuff that matters much more to the IT immature than the IT seasoned. What I am concerned most about is the stuff that damages lives. Yes, it is rare, but it does happen. We're talking home user-land.

When it comes to commercial, the damage can be like a car bomb going off. Utter chaos with literally thousands, if not millions, of dollars on the line. Don't believe me ? Ask @Slyguy what a bad breach is like. Complete panic and utter chaos. And worse, the business is at a complete standstill, turned off just like turning off a light switch.

Some argue that "Hey, we all really don't need to worry about it because the probability of infection is low." Sure. It's true. OK... let's all close up shop and go home now. Windows Defender is sufficient. What Microsoft feeds us is sufficient. There is a war outside, but we don't need the kevlar. The probability that a bullet will come through the walls and harm any of us is quite low. I just don't advise anyone to go near a window without that kevlar - ever. And if you do ever go outside... well, it's too little, too late... it's all over for you.

For those interested, because I don't want to be accused of marketing & promotion. What is given below is for technical information purposes only.

AppGuard has been blocking all access to defined Protected folders for over a decade. In the screenshot below, Dropbox is a defined "Access Denied" folder for Microsoft Office.

PowerShell, wscript, cscript, WMI, etc any kind of threat - meaning VBA and all that macro nonsense ? Nope. Blocked by policy.

Do I have to wonder or worry about the effectiveness of Microsoft's ASR rules ? Nope. AppGuard protections make those rules essentially pointless.

And before anyone starts spouting off nonsense, AppGuard is based upon Microsoft best practices at the Enterprise level. AppGuard makes the most effective of those best practices easy to use in a very light package.

I keep pounding on engineering to make it even better. Stronger. Faster. (A reference to the six million dollar man for you old geeks out there.)

Oh well, I lied. It's really a rare purple tie moment.
