Yesterday, Friday, January 13, 2023, Microsoft pretty much knocked out parts of its Windows user base by rolling out a buggy Defender signature via update. With ASR enabled, shortcuts were detected as malicious in Windows and deleted from the desktop, the Start menu or the Windows taskbar. Now Microsoft has confirmed the problem and revealed some details.
Review: ASR runs amok
I had picked it up promptly yesterday, practically live and as a work in progress, in the blog post Microsoft Defender update/ASR deletes desktop shortcuts, taskbar broken, Office apps don't start anymore. At first, users noticed that shortcuts were suddenly deleted from the Windows desktop, Start menu or taskbar. Other users reported that Office applications could no longer be launched.
Even as I was writing that post, it became apparent that the ASR (Attack Surface Reduction) feature of Windows Defender for Endpoint, specifically signature update 1.381.2140.0, was responsible for this behavior. It caused the ASR rule "Block Win32 API calls from Office macros" (Configuration Manager name) or "Win32 imports from Office macro code" (Intune name) to delete the shortcuts and prevent applications from starting. The post above also contained hints at workarounds.
Microsoft confirms problem
I just found out on Twitter that Microsoft has now confirmed and written up yesterday's incident in the Windows Health dashboard, in the post Application shortcuts might not work from the Start menu or other locations.
Microsoft says that after installing the Security Intelligence Update Build 1.381.2140.0 for Microsoft Defender, shortcuts to applications may be missing or deleted from the Start menu, taskbar and desktop of Windows. In addition, errors may occur when launching executable files (.exe) if they depend on shortcut files.
Microsoft also confirms yesterday's speculation that the ASR rule "Block Win32 API calls from Office macro" is enabled on the affected devices.
Attack Surface Reduction (ASR) is a Windows feature that reduces the attack surface by applying rules that monitor, and in block mode prevent, specific risky actions. This blog post explains the approach of using ASR rules quite well.
Microsoft has this support post about the ASR rules. There it says that these ASR rules apply to Microsoft Defender Antivirus, Microsoft 365 Defender and Microsoft Defender for Endpoint Plan 2.
The rolled-out Defender signature update led to the deletion of certain Windows shortcut files (.lnk) after installation of build 1.381.2140.0, because they matched a faulty detection pattern. The following Windows 10/11 clients were affected by this mishap:
- Windows 11 21H2 and 22H2
- Windows 10 20H2 through 22H2
- Windows 10 Enterprise LTSC 2019
- Windows 10 Enterprise LTSC 2016
- Windows 10 Enterprise 2015 LTSB
Microsoft says that Windows devices used by private users at home or in small offices are probably not affected by this problem. However, I have received isolated reports that private computers were also affected (possibly if ASR was enabled via PowerShell or Group Policy under Windows 10/11).
As soon as Microsoft was informed about the problem and the cause was known, the advice was to switch the ASR rules in Microsoft Defender to audit mode (I had suggested this in the article). In audit mode, Defender no longer deletes the shortcuts via the ASR rules. The switch can be made via PowerShell, Intune or Group Policy.
Later, Microsoft rolled out the Security Intelligence Update Build 1.381.2164.0 for Defender. Installing Security Intelligence Update Build 1.381.2164.0 or higher should prevent the issue, but it does not restore previously deleted shortcuts.
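The following PowerShell snippet is an added example for the two steps above (checking the installed signature build and switching the affected rule to audit mode); it is not from the original post, from Microsoft or from the Windows Health dashboard. It uses the standard Defender cmdlets Get-MpComputerStatus, Get-MpPreference and Add-MpPreference, and Microsoft's published GUID for the "Block Win32 API calls from Office macros" rule; the two-day look-back window for the event query is an arbitrary choice for this example.

```powershell
# Added example (not from the original post or Microsoft): on a single device, check
# which Defender signature build is installed, read the state of the affected ASR rule
# and, only if the device still runs a signature build below the fixed one while the
# rule is in Block mode, move that one rule to audit mode.
# Run in an elevated PowerShell session on a Windows 10/11 device with Defender.

# Microsoft's published rule id for "Block Win32 API calls from Office macros"
$ruleId     = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
$fixedBuild = [version]'1.381.2164.0'   # first signature build Microsoft says is fixed
$badBuild   = [version]'1.381.2140.0'   # the signature build that deleted the shortcuts

# 1. Installed signature build (AntivirusSignatureVersion looks like "1.381.2164.0")
$sigVer = [version](Get-MpComputerStatus).AntivirusSignatureVersion
Write-Host "Installed signature build: $sigVer (faulty build: $badBuild, fixed from: $fixedBuild)"

# 2. Current mode of the rule. Ids and Actions are parallel arrays in Get-MpPreference;
#    action values: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn
$pref  = Get-MpPreference
$ids   = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
$index = [array]::IndexOf($ids, $ruleId)

if ($index -lt 0) {
    Write-Host "Rule $ruleId is not configured on this device; nothing to change."
}
else {
    $action = $pref.AttackSurfaceReductionRules_Actions[$index]
    Write-Host "Rule $ruleId is currently in mode $action"

    # 3. Workaround only where it is needed: Block mode on a not-yet-fixed signature build
    if ($action -eq 1 -and $sigVer -lt $fixedBuild) {
        Write-Host "Switching the rule to audit mode until a fixed signature build is installed."
        Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId `
                         -AttackSurfaceReductionRules_Actions AuditMode
    }
    elseif ($sigVer -ge $fixedBuild) {
        Write-Host "Signature build is already fixed; leaving the rule as it is."
    }
}

# 4. Evidence for the incident response: ASR block events (Event ID 1121) in the Defender
#    operational log list the files the rule acted on. Two days is an arbitrary look-back.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121
        StartTime = (Get-Date).AddDays(-2)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Message'; e = { $_.Message -replace "`r`n", ' ' } } |
    Format-Table -AutoSize -Wrap
```

Two points worth keeping in mind: the script only touches the single rule named in the incident, so all other ASR rules stay in whatever mode they were, and once build 1.381.2164.0 or higher is installed the rule can be put back into Block mode with the same cmdlet and `-AttackSurfaceReductionRules_Actions Enabled`. On devices where the rule is managed by Intune or Group Policy, the local change is overridden by the policy, so the mode has to be changed there instead, as the post notes.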
Microsoft says these shortcuts have to be recreated or restored by other means. In the post Microsoft Defender update/ASR deletes desktop shortcuts, taskbar broken, Office apps don't start anymore I had outlined some approaches for restoring the shortcuts if necessary. In addition, a German user came forward and pointed out that, where the shortcuts were synchronized with OneDrive via Known Folder sync, they could be found in the OneDrive recycle bin.
Microsoft employee Scott Woodgate has also published the blog post Recovering from Attack Surface Reduction rule shortcut deletions in the Tech Community. There he links to a script that should be able to recover .lnk files, and there are instructions on how to repair applications. Whether it helps, I don't know.