Microsoft Defender ASR rule deletes Windows app shortcuts

Microsoft has addressed a false positive triggered by a buggy Microsoft Defender ASR rule that would delete application shortcuts from the desktop, the Start menu, and the taskbar.

The issue affected app shortcuts across onboarded devices after the Microsoft Defender for Endpoint attack surface reduction (ASR) rule was triggered erroneously.

When working correctly, this ASR rule (known as “Block Win32 API calls from Office macro” in Configuration Manager and “Win32 imports from Office macro code” in Intune) should block malware from using VBA macros to call Win32 APIs.

Malware can abuse this capability by calling Win32 APIs to launch malicious shellcode in memory without writing anything directly to disk.

Most organizations don’t rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.

While this rule would usually help reduce the attack surface available to threat actors for compromising devices protected by Microsoft Defender Antivirus, a bad Defender signature (1.381.2140.0) caused the ASR rule (Rule ID: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b) to misbehave and trigger against users’ app shortcuts, falsely tagging them as malicious.

Windows admins report that the ASR rule is deleting shortcuts belonging to both Microsoft and third-party apps.

“We’ve recently onboarded our estate to Defender for Endpoint, and we’ve had several reports this morning that their program shortcuts (Chrome, Firefox, Outlook) have all vanished following a reboot of their machine, which has also occurred for me, too,” one admin said.

“We’re seeing exactly the same issue. I’ve had to push a policy update to set this rule into Audit mode instead of Block – as it’s trashing almost all 3rd party apps and even first-party ones, as you’ve also said – Slack, Chrome, Outlook,” another one confirmed.

To address the issue, Microsoft has disabled the offending ASR rule and has asked customers to check SI MO497128 in the admin center for more updates.

In the latest admin center update, Microsoft said the reverted ASR rule needs several hours to propagate to all affected customers and advised placing it in Audit mode or entirely disabling it.

“We reverted the offending ASR rule, however, this change is propagating throughout the environment and could take several hours to complete,” Microsoft said.

“We recommend that you take action to place the offending ASR rule into Audit Mode and prevent further impact until the update has completed deployment.”

You can put the ASR rule into Audit Mode using one of the following methods:

  • Using PowerShell: Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions AuditMode
  • Using Intune
  • Using Group Policy

The fourth option is to set the rule to Disabled mode using the following PowerShell command:

Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions Disabled
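As an added example (not from the article and not Microsoft's own guidance), the script below wraps the two one-liners above into a check-then-change sequence for an elevated PowerShell session on a Defender-managed host: it reports the active signature version, reads the current state of the affected rule from Get-MpPreference, and only switches the rule to Audit Mode when it is actually enforcing. The rule ID and the signature version 1.381.2140.0 come from the article; the helper name Get-AsrRuleState and the numeric action-code table are this example's own assumptions about how Get-MpPreference reports rule actions.

```powershell
# Added example: inspect the "Block Win32 API calls from Office macro" ASR rule
# and move it from Block to Audit Mode. Run elevated on a Defender-managed host.
# Rule ID and bad signature version are taken from the article; the helper and
# the action-code map below are this example's own assumptions.

$RuleId        = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
$BadSigVersion = '1.381.2140.0'

# Get-MpPreference returns rule actions as numeric codes in an array that is
# aligned index-for-index with AttackSurfaceReductionRules_Ids.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$Id)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) {
            $code = [int]$acts[$i]
            $name = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown($code)" }
            return [pscustomobject]@{ RuleId = $Id; Code = $code; Action = $name }
        }
    }
    # A rule that is not configured at all behaves as Disabled.
    return [pscustomobject]@{ RuleId = $Id; Code = 0; Action = 'NotConfigured' }
}

# Show the active signature version so an admin can tell whether this host still
# carries the build the article associates with the false positive.
$sig = (Get-MpComputerStatus).AntivirusSignatureVersion
if ($sig -eq $BadSigVersion) {
    Write-Warning "Host has signature $sig, the version associated with the false positive."
} else {
    Write-Host "Signature version: $sig"
}

$before = Get-AsrRuleState -Id $RuleId
Write-Host "Rule $RuleId is currently: $($before.Action)"

# Only intervene when the rule is enforcing; Audit Mode and Disabled already
# stop the shortcut deletions.
if ($before.Code -notin 0, 2) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
    $after = Get-AsrRuleState -Id $RuleId
    Write-Host "Rule $RuleId is now: $($after.Action)"
} else {
    Write-Host "No change made."
}
```

If the rule is managed centrally through Intune or Group Policy, the managed setting takes precedence over a local Add-MpPreference change, which is why the article lists those channels as separate options; in that case the same Audit Mode setting has to be pushed from the management console instead.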

Until the issue is completely fixed and all deleted shortcuts can be restored, Microsoft advised customers to directly launch Office apps using the Office app or the Microsoft 365 app launcher.

System administrators have created PowerShell scripts [1, 2] that attempt to restore Microsoft Office and other application shortcuts to the Start Menu. However, these should be tested before being used in production.
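The following script is an added example, not one of the community scripts the article links to, showing the simplest form such a restoration can take: for each application in a list, it checks whether the Start Menu shortcut is missing, finds the installed executable, and recreates the .lnk file through the WScript.Shell COM object. The application list and its executable paths are a constructed sample, and the helper name Restore-StartMenuShortcut is this example's own; the script defaults to a dry run so it can be reviewed before it writes anything.

```powershell
# Added example (not the article's referenced scripts): recreate missing Start
# Menu shortcuts for a list of applications. Writing to the all-users Start Menu
# folder requires an elevated session.

$StartMenuPrograms = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'

# Constructed sample: shortcut display name -> candidate executable paths.
$Apps = @(
    @{ Name = 'Google Chrome'; Targets = @("$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
                                          "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe") }
    @{ Name = 'Firefox';       Targets = @("$env:ProgramFiles\Mozilla Firefox\firefox.exe") }
    @{ Name = 'Outlook';       Targets = @("$env:ProgramFiles\Microsoft Office\root\Office16\OUTLOOK.EXE") }
)

function Restore-StartMenuShortcut {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$Targets,
        [string]$Folder = $StartMenuPrograms,
        [switch]$DryRun
    )
    $lnk = Join-Path $Folder "$Name.lnk"
    if (Test-Path $lnk) { return "exists: $lnk" }

    # Use the first executable that is actually installed; skip the app otherwise.
    $target = $Targets | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $target) { return "not installed: $Name" }

    if ($DryRun) { return "would create: $lnk -> $target" }

    # WScript.Shell is the standard COM interface for writing .lnk files.
    $shell = New-Object -ComObject WScript.Shell
    $sc = $shell.CreateShortcut($lnk)
    $sc.TargetPath       = $target
    $sc.WorkingDirectory = Split-Path $target -Parent
    $sc.IconLocation     = "$target,0"
    $sc.Save()
    return "created: $lnk -> $target"
}

# Dry run first; remove -DryRun once the output matches what you expect.
foreach ($app in $Apps) {
    Restore-StartMenuShortcut -Name $app.Name -Targets $app.Targets -DryRun
}
```

Shortcuts pinned to the taskbar and per-user Start Menu entries live under each user's profile rather than under ProgramData, so a production version would need to iterate those locations as well, which is one reason the article advises testing any restoration script before rolling it out.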

Source: BleepingComputer