Attack surface reduction rule triggers a mess on Friday the 13
#Fridaythethirteenthmess
If you have the Attack surface reduction rule that checks Office macros enabled, you may have woken up to missing shortcuts. The behaviour appears to have been triggered by a Defender update. Note that this will only occur IF you have that attack surface reduction rule enabled; machines that do not have ASR rules configured will see no issue with Defender. It is only those with ASR rules enabled.
The specific rule causing this is:
Block Win32 API calls from Office macros
Rule ID: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
In Intune or group policy, set the rule to Audit if Microsoft hasn’t already done it for you. Now, how to deal with the missing shortcuts?
Emin reports that “If you’ve volume shadow copy enabled, you can find these shortcuts in a VSS snapshot. I still use nowadays this code whenever I’ve to mount/dismount VSS snapshots. https://p0w3rsh3ll.wordpress.com/2014/06/21/mount-and-dismount-volume-shadow-copies/”
Alternatively, you can get the shortcuts back from OneDrive if Desktop synchronization was enabled.
Microsoft’s guidance here:
I’ll also note this on the Master Patch list – but it’s NOT exactly a patch-related side effect.
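For admins who manage Defender locally rather than through Intune or group policy, the following added example (not from the post or from Microsoft) uses the built-in Defender cmdlets to check what mode the rule named above is currently in and, only if it is actively blocking, switch it to Audit. The action-code mapping is the one Get-MpPreference returns (0 Disabled, 1 Block, 2 Audit, 6 Warn); the function name Get-AsrRuleMode is ours.

```powershell
# Run in an elevated PowerShell session on the affected machine.
$RuleId = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'   # Block Win32 API calls from Office macros

# Action codes as exposed by Get-MpPreference
$Actions = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleMode {
    param([string]$Id)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    # Rule ids are GUID strings; compare case-insensitively with -eq
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $Id) {
            $code = [int]$acts[$i]
            if ($Actions.ContainsKey($code)) { return $Actions[$code] }
            return "Unknown ($code)"
        }
    }
    return 'Not configured'
}

"Before: $(Get-AsrRuleMode -Id $RuleId)"

# Add-MpPreference updates the action of a rule id that is already present,
# so this moves an existing Block entry to Audit without touching other rules.
if ((Get-AsrRuleMode -Id $RuleId) -eq 'Block') {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

"After:  $(Get-AsrRuleMode -Id $RuleId)"
```

If the rule is delivered by Intune or group policy, that policy will overwrite this local change on the next refresh, so make the Audit change there as the post says. While in Audit mode, the rule still logs what it would have blocked, so you can watch the Microsoft-Windows-Windows Defender/Operational log for audit events before deciding when to return it to Block.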