{"id":7222,"date":"2023-08-16T03:00:47","date_gmt":"2023-08-16T03:00:47","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=7222"},"modified":"2024-06-25T06:19:34","modified_gmt":"2024-06-25T06:19:34","slug":"deploying-asr-rules-via-mde-attach-to-server-2016-is-not-a-supported-scenario","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/deploying-asr-rules-via-mde-attach-to-server-2016-is-not-a-supported-scenario","title":{"rendered":"Deploying ASR rules via MDE attach to server 2016 is not a supported scenario."},"content":{"rendered":"\n
\n

Thank you for your patience. After cross-team discussion within product engineers, they confirmed that deploying ASR rules via MDE attach to server 2016 is not a supported scenario.<\/p>\n\n\n\n

They will update the document to clarify this supportability. Apologize for the inconvenience caused.<\/p>\n\n\n\n

Please feel free to let me know if you have any further questions or concerns.<\/p>\n\n\n\n

<\/p>\n<\/blockquote>\n\n\n\n

Manually Fix<\/h2>\n\n\n\n
Add-MpPreference -AttackSurfaceReductionRules_Ids b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -AttackSurfaceReductionRules_Actions Enabled<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
Block abuse of exploited vulnerable signed drivers<\/td>56a863a9-875e-4185-98a7-b882c64b5ce5<\/td><\/tr>
Block Adobe Reader from creating child processes<\/td>7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c<\/td><\/tr>
Block all Office applications from creating child processes<\/td>d4f940ab-401b-4efc-aadc-ad5f3c50688a<\/td><\/tr>
Block credential stealing from the Windows local security authority subsystem (lsass.exe)<\/td>9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2<\/td><\/tr>
Block executable content from email client and webmail<\/td>be9ba2d9-53ea-4cdc-84e5-9b1eeee46550<\/td><\/tr>
Block executable files from running unless they meet a prevalence, age, or trusted list criterion<\/td>01443614-cd74-433a-b99e-2ecdc07bfc25<\/td><\/tr>
Block execution of potentially obfuscated scripts<\/td>5beb7efe-fd9a-4556-801d-275e5ffc04cc<\/td><\/tr>
Block JavaScript or VBScript from launching downloaded executable content<\/td>d3e037e1-3eb8-44c8-a917-57927947596d<\/td><\/tr>
Block Office applications from creating executable content<\/td>3b576869-a4ec-4529-8536-b80a7769e899<\/td><\/tr>
Block Office applications from injecting code into other processes<\/td>75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84<\/td><\/tr>
Block Office communication application from creating child processes<\/td>26190899-1602-49e8-8b27-eb1d0a1ce869<\/td><\/tr>
Block persistence through WMI event subscription
* File and folder exclusions not supported.<\/td>		e6db77e5-3df2-4cf1-b95a-636979351e5b<\/td><\/tr>
Block process creations originating from PSExec and WMI commands<\/td>d1e49aac-8f56-4280-b9ba-993a6d77406c<\/td><\/tr>
Block rebooting machine in Safe Mode (preview)<\/td>33ddedf1-c6e0-47cb-833e-de6133960387<\/td><\/tr>
Block untrusted and unsigned processes that run from USB<\/td>b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4<\/td><\/tr>
Block use of copied or impersonated system tools (preview)<\/td>c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb<\/td><\/tr>
Block Webshell creation for Servers<\/td>a8f5898e-1dc8-49a9-9878-85004b8a61e6<\/td><\/tr>
Block Win32 API calls from Office macros<\/td>92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b<\/td><\/tr>
Use advanced protection against ransomware<\/td>c1db55ab-c21a-4637-bb3f-a12568109d35<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
GPO<\/strong><\/h2>\n\n\n\n
\"\"<\/a><\/figure>\n","protected":false},"excerpt":{"rendered":"
Thank you for your patience. After cross-team discussion within product engineers, they confirmed that deploying ASR rules via MDE attach to server 2016 is not a supported […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1457,2243,4265],"class_list":["post-7222","post","type-post","status-publish","format-standard","hentry","category-research","tag-1457","tag-failed","tag-mde"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/7222","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=7222"}],"version-history":[{"count":2,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/7222\/revisions"}],"predecessor-version":[{"id":8046,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/7222\/revisions\/8046"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=7222"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=7222"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=7222"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}