Microsoft releases a script to restore a 'subset' of shortcuts deleted by rogue Defender ASR rule

Microsoft Defender on a laptop

Towards the end of last week, Microsoft confirmed an issue that stemmed from a flawed Microsoft Defender for Endpoint ASR rule that results in the deletion of app shortcuts from the Start menu, desktop and taskbar.

The company issued an update to prevent the problem from arising again, but said that there was no alternative but to manually recreate any shortcuts that had been lost. Now though Microsoft has released a PowerShell script that will automatically recreate some -- but not all -- deleted shortcuts. The company has also released a trio of advanced hunting queries (AHQs) to help with the issue.

See also:

Advertisement

Explaining the issue in a blog post, Microsoft's Scott Woodgate says: "On January 13th, Windows Security and Microsoft Defender for Endpoint customers may have experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule 'Block Win32 API calls from Office macro' after updating to security intelligence builds between 1.381.2134.0 and 1.381.2163.0. These detections resulted in the deletion of files that matched the incorrect detection logic primarily impacting Windows shortcut (.lnk) files".

He goes on to reveal that Microsoft has now been able to create a script that will "recreate start menu links for a significant sub-set of the affected applications that were deleted". The PowerShell script is available to download here.

The blog post also includes manual instructions for Windows 10 and Windows 11 users:

Windows 10:

  1. Select Start  > Settings  > Apps > Apps & features
  2. Select the app you want to fix.
  3. Select Modify link under the name of the app if it is available.
  4. A new page will launch and allow you to select repair.

Windows 11:

  1. Type "Installed Apps" in the search bar.
  2. Click "Installed Apps".
  3. Select the app you want to fix.
  4. Click on "..."
  5. Select Modify or Advanced Options if it is available.
  6. A new page will launch and allow you to select repair.

Microsoft has also revealed details of advanced hunting queries (AHQs) which it says can be used to verify the impact of the problem.

The first AHQ can be used to retrieve all block events from devices with ASR rule "Block Win32 API calls from Office macro" enabled on "Block" mode.

A second AHQ can be used to retrieve all events from devices with ASR rule "Block Win32 API calls from Office macro" enabled on "block" and "audit" mode.

A third and final AHQ can retrieve the device count with this ASR rule "Block Win32 API calls from Office macro" enabled and if the number is exceeding 10K.

Image credit: monticello / depositphotos

© 1998-2023 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.