
ASR Rules

Attack Surface Reduction (ASR) rules help prevent actions that malware often abuses to compromise devices. Configure and monitor ASR rules to block common attack techniques while minimizing impact on legitimate business applications.

Note: ASR rules are part of Microsoft Defender for Endpoint. Full functionality requires Defender for Endpoint Plan 2 or Microsoft 365 E5. Some rules work with Windows Defender Antivirus alone.

Rule Categories

Office Application Rules

Block malicious behaviors commonly exploited through Office documents, including macro execution, child process creation, and code injection.

Script Rules

Block obfuscated scripts and prevent JavaScript/VBScript from launching downloaded executables.

Email Rules

Block executable content from email clients and webmail, preventing malware delivery via email attachments.

Credential Protection

Block credential stealing from the Windows Local Security Authority Subsystem Service (LSASS) process.

Ransomware Protection

Apply advanced protection against ransomware, using cloud intelligence to identify and block ransomware behaviors.

Persistence Rules

Block persistence mechanisms like WMI event subscriptions that allow malware to survive reboots.

Available Rules

Office Rules

  • Block Office apps from creating executable content (d4f940ab-401b-4efc-aadc-ad5f3c50688a) — Prevents Office from creating .exe, .dll, .scr files
  • Block Office apps from creating child processes (26190899-1602-49e8-8b27-eb1d0a1ce869) — Prevents Office from launching cmd.exe, PowerShell, etc.
  • Block Office apps from injecting code (3b576869-a4ec-4529-8536-b80a7769e899) — Prevents process injection into other processes
  • Block Win32 API calls from Office macros (92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b) — Prevents macros from using dangerous Win32 functions

Script Rules

  • Block execution of potentially obfuscated scripts (5beb7efe-fd9a-4556-801d-275e5ffc04cc) — Detects and blocks scripts that appear obfuscated
  • Block JavaScript/VBScript from launching executables (d3e037e1-3eb8-44c8-a917-57927947596d) — Prevents web scripts from downloading and running malware

Process Rules

  • Block credential stealing from LSASS (9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) — Prevents tools like Mimikatz from dumping credentials
  • Block untrusted/unsigned processes from USB (b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4) — Prevents execution of untrusted code from removable media
  • Block executable files unless they meet criteria (01443614-cd74-433a-b99e-2ecdc07bfc25) — Requires age, prevalence, or trusted list status

Ransomware and Persistence

  • Use advanced ransomware protection (c1db55ab-c21a-4637-bb3f-a12568109d35) — Cloud-based detection of ransomware behaviors
  • Block persistence through WMI subscription (e6db77e5-3df2-4cf1-b95a-636979351e5b) — Prevents malware from using WMI for persistence

Rule Modes

  • Not Configured — Rule is disabled. No blocking or auditing occurs. This is the state before initial deployment and testing.
  • Audit — Rule triggers are logged but not blocked. Use to assess impact before enforcing. Review events in the Defender portal.
  • Block — Rule actively blocks the behavior. Use after validating in audit mode. The user sees a notification when an action is blocked.

Deployment Workflow

  1. Enable in Audit Mode — Deploy rules in audit mode to all devices or a pilot group. Let the rules run for 2-4 weeks to gather data.
  2. Review Audit Events — Analyze which rules triggered and on what applications. Identify false positives that need exclusions.
  3. Configure Exclusions — Add file or folder exclusions for legitimate business applications that trigger rules.
  4. Enable Block Mode — Switch validated rules to block mode. Start with low-risk rules, then progressively enable higher-impact rules.
  5. Monitor and Adjust — Continuously monitor block events. Add exclusions as needed for new applications.
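The workflow above, carried through end to end in PowerShell as an added example (this is not code from the original page or from the product it documents). It assumes an elevated session on a Windows device with the Defender PowerShell module (Get-MpPreference, Set-MpPreference, Add-MpPreference) and reads rule hits from the Windows Defender operational event log, where event ID 1121 is a block-mode hit and 1122 an audit-mode hit. The rule GUIDs and names are copied from this page's Available Rules list; confirm each GUID against Microsoft's published ASR rule reference before deploying, since a rule is only matched by its exact GUID. The EventData field names `ID` and `Path` used to parse events are an assumption about the event schema; the function names are hypothetical. It also covers the Rule Status Dashboard and Event Monitoring items in the Monitoring and Reporting section.

```powershell
# Added example, not from the original page: audit-to-block rollout helpers for
# ASR rules using the Defender PowerShell module. Run in an elevated session.
# GUIDs/names below are copied from the page's rule list; verify them against
# Microsoft's ASR rule reference before use.

$AsrRules = [ordered]@{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office apps from creating executable content'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office apps from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office apps from injecting code'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript/VBScript from launching executables'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted/unsigned processes from USB'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet criteria'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced ransomware protection'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI subscription'
}

# Get-MpPreference reports each rule's action as a number.
$ActionName = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Step 1: put every listed rule into audit mode. Add-MpPreference merges with
# the existing configuration; one action entry is supplied per rule ID.
function Enable-AsrAudit {
    $ids = [string[]]$AsrRules.Keys
    $actions = @($ids | ForEach-Object { 'AuditMode' })
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                     -AttackSurfaceReductionRules_Actions $actions
}

# Rule status view: current mode per rule on this device (Off/Audit/Block/Warn).
function Get-AsrStatus {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    $mode = @{}
    for ($k = 0; $k -lt $ids.Count; $k++) { $mode[$ids[$k].ToLower()] = [int]$acts[$k] }
    foreach ($guid in $AsrRules.Keys) {
        $code = if ($mode.ContainsKey($guid)) { $mode[$guid] } else { 0 }
        [pscustomobject]@{ Rule = $AsrRules[$guid]; Mode = $ActionName[$code]; RuleId = $guid }
    }
}

# Step 2: summarize audit (1122) and block (1121) hits per rule and triggering
# path, so false positives stand out by count before any exclusion is added.
function Get-AsrAuditSummary {
    param([int]$Days = 14)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        # Named EventData fields from the event XML; 'ID' (rule GUID) and 'Path'
        # are assumed field names in the Defender ASR event schema.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $ruleId = "$($data['ID'])".ToLower()
        $ruleName = if ($AsrRules.Contains($ruleId)) { $AsrRules[$ruleId] } else { $ruleId }
        $hitMode = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
        [pscustomobject]@{ Mode = $hitMode; Rule = $ruleName; Path = $data['Path'] }
    } | Group-Object Mode, Rule, Path | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Step 3: a global ASR-only exclusion (the page's file/folder exclusions).
# This is not a per-rule exclusion; it bypasses every rule for the path.
function Add-AsrExclusion {
    param([Parameter(Mandatory)][string]$Path)
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Path
}

# Step 4: promote only validated rules to block mode, leaving the rest in audit.
function Enable-AsrBlock {
    param([Parameter(Mandatory)][string[]]$RuleId)
    $actions = @($RuleId | ForEach-Object { 'Enabled' })
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions $actions
}

# Usage (step 5 is re-running Get-AsrAuditSummary after each change):
#   Enable-AsrAudit
#   Get-AsrStatus | Format-Table -AutoSize
#   Get-AsrAuditSummary -Days 14 | Format-Table -AutoSize
#   Add-AsrExclusion 'C:\Program Files\TrustedApp\'
#   Enable-AsrBlock '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
```

Promoting the LSASS rule first in the usage block follows the page's own best-practice ordering; the status and summary functions give the per-device view that the Defender portal dashboards aggregate across the fleet.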

Exclusions

File Exclusions

Exclude specific file paths from ASR rules. Use full paths or wildcards. Example: C:\Program Files\App\*.exe

Folder Exclusions

Exclude entire folders. All files in the folder bypass ASR checks. Example: C:\Program Files\TrustedApp\

Per-Rule Exclusions

Configure exclusions that apply only to specific rules. More precise than global exclusions.

Warning: Minimize exclusions. Each exclusion reduces protection. Only exclude paths necessary for business operations.

Monitoring and Reporting

Rule Status Dashboard

  • Current mode per rule (Off/Audit/Block)
  • Devices with rule configured
  • Configuration conflicts

Event Monitoring

  • Audit events by rule
  • Block events by rule
  • Top triggered applications

Device Compliance

  • Devices with ASR configured
  • Policy application errors
  • Rule enforcement status

Advanced Hunting

  • Query DeviceEvents for ASR telemetry
  • Correlate with other threat data
  • Build custom detection rules

Best Practices

  • Start with audit mode — Always deploy new rules in audit mode first to assess business impact.
  • Enable credential protection first — The LSASS protection rule has a low false-positive rate and high security value.
  • Use gradual rollout — Deploy to pilot group, then progressively expand to broader population.
  • Document exclusions — Keep records of why each exclusion was added and review periodically.

API Reference

  • GET /api/security/asr-rules — List ASR rule configurations
  • GET /api/security/asr-rules/events — Get ASR audit and block events
  • PUT /api/security/asr-rules/:ruleId — Update rule mode (audit/block/off)
  • GET /api/security/asr-rules/exclusions — List configured exclusions
  • POST /api/security/asr-rules/exclusions — Add new exclusion