RDM Free Edition 2022.3.30.0 64-bit triggers Microsoft Defender for Endpoint attack surface reduction (ASR)
Hi there,
I'm not sure whether this should be a bug report or a support post; please feel free to move it if needs be.
I'm running RDM Free Edition 2022.3.30.0 64-bit on Windows 11 Enterprise 22H2 build 22621.1105, with Windows Defender for Endpoint enabled.
Recently, the attack surface reduction (ASR) feature of Defender is being triggered and blocking a 'risky action' when RDM is opened, or the RDM window is put into the background or foreground.
The details reported by Defender are:
App or process blocked: RemoteDesktopManager.exe
Blocked by: Attack surface reduction
Rule: Block Win32 API calls from Office macro
Affected items: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\<randomstringoftext>.temp
This can be mitigated by adding the C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ directory to the ASR exclusion list, but this isn't ideal.
Hello,
Thank you for your report.
We will investigate this issue.
Regards
Mathieu Morrissette
Hi,
I found that the rule is triggered by the Remote Desktop Manager shortcut file. I think this is caused by an issue currently affecting Windows Defender.
There currently seems to be an issue with the latest Windows Defender definitions update (1.381.2140.0) that causes this rule to trigger with false positives.
https://www.itpro.co.uk/operating-systems/microsoft-windows/369867/windows-defender-update-deletes-start-menu-taskbar-desktop-shortcuts
Regards,
Mathieu Morrissette
Hi Mathieu,
Thank you for looking into this - we've forced an update of the Defender definitions and the ASR notifications have stopped. I must have just caught this as the definition update was pushed out!