7.0 KiB
title, description, keywords, search.product, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, ms.localizationpriority, author, ms.author, ms.date
| title | description | keywords | search.product | ms.pagetype | ms.prod | ms.mktglfcycl | ms.sitesec | ms.pagetype | ms.localizationpriority | author | ms.author | ms.date |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Troubleshoot problems with Attack surface reduction rules | Check pre-requisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues | troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking | eADQiWindows 10XVcnh | security | w10 | manage | library | security | medium | andreabichsel | v-anbic | 04/30/2018 |
Troubleshoot Attack surface reduction rules
Applies to:
- Windows 10, version 1709 or higher
Audience
- IT administrators
When you use Attack surface reduction rules you may encounter issues, such as:
- A rule blocks a file, process, or performs some other action that it should not (false positive)
- A rule does not work as described, or does not block a file or process that it should (false negative)
There are four steps to troubleshooting these problems:
- Confirm that you have met all pre-requisites
- Use audit mode to test the rule
- Add exclusions for the specified rule (for false positives)
- Submit support logs
Confirm pre-requisites
Attack surface reduction (ASR) will only work on devices with the following conditions:
[!div class="checklist"]
- Endpoints are running Windows 10 Enterprise edition, version 1709 (also known as the Fall Creators Update).
- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. Using any other antivirus app will cause Windows Defender AV to disable itself.
- Real-time protection is enabled.
- Audit mode is not enabled. Use Group Policy to set the rule to Disabled (value: 0) as described in the Enable ASR topic.
If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode.
Use audit mode to test the rule
There are two ways that you can test if the rule is working.
You can use a pre-configured demo tool to confirm ASR is generally working on the device, or you can use audit mode, which enables the rule for reporting only.
The demo tool uses pre-configured scenarios and processes, which can be useful to first see if the ASR feature as a whole is operating correctly.
If you encounter problems when running the demo tool, check that the device you are testing the tool on meets the pre-requisites listed above.
You should follow the instructions in the section Use the demo tool to see how ASR works to test the specific rule you are encountering problems with.
Tip
While the instructions for using the demo tool are intended for evaluating or seeing how ASR works, you can use it to test that the rule works on known scenarios that we have already extensively tested before we released the feature.
Audit mode allows the rule to report as if it actually blocked the file or process, but will still allow the file to run.
- Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to Audit mode (value: 2) as described in the Enable ASR topic.
- Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed).
- Review the ASR event logs to see if the rule would have blocked the file or process if the rule had been set to Enabled.
Tip
Audit mode will stop the rule from blocking the file or process.
If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled.
Audit mode may have been enabled for testing another feature in Windows Defender Exploit Guard, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
If you've tested the rule with the demo tool and with audit mode, and ASR is working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation:
- If the ASR rule is blocking something that it should not block (also known as a false positive), you can first add an ASR exclusion.
- If the ASR rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, collecting diagnostic data and submitting the issue to us.
Add exclusions for a false positive
You can add exclusions to ASR to prevent ASR rules from evaluating the excluded files or folders.
This is useful if you have enabled a rule, and it is blocking a file, process, or action that you believe it should not block. You can then collect data from an endpoint where the rule is not working correctly and send that information to us.
To add an exclusion, see the Customize Attack surface reduction topic.
Important
You can specify individual files and folders to be excluded, but you cannot specify individual rules.
This means any files or folders that are excluded will be excluded from all ASR rules.
If you have followed all previous troubleshooting steps, and you still have a problem (in particular, if you have a false positive), you should proceed to the next step to collect diagnostic information and send it to us.
Collect diagnostic data
You can use the Windows Defender Security Intelligence web-based submission form to report a problem with ASR.
When you fill out the submission form, you will be asked to specify whether it is a false negative or false positive. If you have an E5 subscription for Windows Defender Advanced Threat Protection, you can also provide a link to the associated alert (if there is one).
You must also attach associated files in a .zip file (such as the file or executable that is not being blocked, or being incorrectly blocked) along with a diagnostic .cab file to your submission.
Follow the link below for instructions on how to collect the .cab file:
[!div class="nextstepaction"] Collect and submit diagnostic data Windows Defender Exploit Guard issues