Recovery of Links Deleted by Defender ASR Update
On January 13th, Microsoft released an update for Microsoft Defender that changed the Attack Surface Reduction (ASR) rule known as “Block Win32 API calls from Office macro” in Configuration Manager and “Win32 imports from Office macro code” in Intune. The rule detects and blocks malware that uses VBA macros to call Win32 APIs. However, an unplanned inclusion in the Defender ASR update caused Microsoft Defender to produce a series of false positive detections. These detections resulted in the deletion of files matching the incorrect detection logic, primarily Windows shortcut (.lnk) files, including shortcuts on the desktop, in the Start menu, and on the Windows taskbar.
Impacted users
Microsoft has stated that all users who updated to security intelligence builds between 1.381.2134.0 and 1.381.2163.0 face potential impact.
However, Microsoft adds that there is no danger of impact for users who do not have the “Block Win32 API calls from Office macro” rule turned on in block mode or did not update to security intelligence update builds 1.381.2134.0, 1.381.2140.0, 1.381.2152 or 1.381.2163.0.
Steps for those affected
Impacted users need both to install the updated security intelligence build and to run a secondary script to recover the Start menu shortcuts.
First, all users should update to build 1.381.2164.0 or later. Users with automatic updates enabled for Microsoft Defender do not need to take any additional steps, as the updated security intelligence build will be pushed to them. However, enterprise customers who manage updates themselves must download and deploy the latest update across their environments. Note, importantly, that the updated security intelligence build does not restore files that have already been deleted.
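Before deploying the recovery script fleet-wide, an administrator will want to know which endpoints actually met the conditions above: the rule in block mode and an affected build installed. The PowerShell triage below is an added example, not code from OneNeck's post or from Microsoft's recovery script. It assumes the Defender PowerShell module is available in an elevated session, and it relies on values that are not on this page but are documented by Microsoft: the ASR rule GUID `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` for "Block Win32 API calls from Office macros", Defender event ID 2000 (security intelligence updated, whose message names the old and new versions) and event ID 1121 (an ASR rule fired in block mode).

```powershell
# Added example (not OneNeck's or Microsoft's code): triage one endpoint against
# the impact conditions in the post. Assumes an elevated session with the
# Defender module; rule GUID and event IDs are Microsoft-documented values.

$Win32ApiRuleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'   # "Block Win32 API calls from Office macros"
$FirstAffected  = [version]'1.381.2134.0'                  # affected range named in the post
$LastAffected   = [version]'1.381.2163.0'
$FirstFixed     = [version]'1.381.2164.0'                  # first fixed build named in the post
$DefenderLog    = 'Microsoft-Windows-Windows Defender/Operational'

function Get-AsrRuleMode {
    # Map the configured action for one ASR rule to a readable mode name.
    param([Parameter(Mandatory)][string]$RuleId)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            switch ([int]$actions[$i]) {   # Defender's documented action codes
                0 { return 'Disabled' }
                1 { return 'Block' }
                2 { return 'Audit' }
                6 { return 'Warn' }
                default { return "Unknown($($actions[$i]))" }
            }
        }
    }
    return 'NotConfigured'
}

function Test-AffectedBuild {
    # True when a security intelligence version falls inside the affected range.
    param([Parameter(Mandatory)][version]$Build)
    return ($Build -ge $FirstAffected) -and ($Build -le $LastAffected)
}

# Current engine state and rule mode.
$status  = Get-MpComputerStatus
$current = [version]$status.AntivirusSignatureVersion
$mode    = Get-AsrRuleMode -RuleId $Win32ApiRuleId

# History: a host that has since moved to a fixed build can still have been hit.
# Event 2000 messages carry the previous/current versions; pull every 1.381.x.y
# value out of them and test it against the affected range.
$sawAffectedBuild = $false
$updateEvents = @(Get-WinEvent -FilterHashtable @{ LogName = $DefenderLog; Id = 2000 } -ErrorAction SilentlyContinue)
foreach ($e in $updateEvents) {
    foreach ($m in [regex]::Matches($e.Message, '1\.381\.\d+\.\d+')) {
        if (Test-AffectedBuild -Build ([version]$m.Value)) { $sawAffectedBuild = $true }
    }
}

# Event 1121 = an ASR rule fired in block mode; the rule GUID appears in the message.
$blockEvents = @(Get-WinEvent -FilterHashtable @{ LogName = $DefenderLog; Id = 1121 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Win32ApiRuleId })

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    SignatureVersion    = $current.ToString()
    Win32ApiRuleMode    = $mode
    OnAffectedBuildNow  = Test-AffectedBuild -Build $current
    OnFixedBuild        = ($current -ge $FirstFixed)
    RanAffectedBuild    = $sawAffectedBuild
    AsrBlocksByRule     = $blockEvents.Count
    # The post's condition: rule in block mode AND an affected build was installed.
    PotentiallyImpacted = ($mode -eq 'Block') -and ($sawAffectedBuild -or (Test-AffectedBuild -Build $current))
}
```

Run it per host (or wrap it in `Invoke-Command` for a fleet) and act on `PotentiallyImpacted`: those hosts need the recovery script, while a host reporting `OnFixedBuild = False` still needs the security intelligence update, which a manually managed machine can pull with `Update-MpSignature`. A non-zero `AsrBlocksByRule` count is the strongest signal, since it records the rule actually firing in block mode on that machine; the event log retention on the host bounds how far back any of this history reaches.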
How to recover deleted shortcuts
Microsoft swiftly published the steps needed for users to recreate Start menu shortcuts for a substantial subset of the affected applications. Detailed instructions can be found here.
Microsoft also has provided additional guidelines for deploying the script using Microsoft Intune.
The latest version of the script (Version 3.0) restores from Volume Shadow Copy Service (VSS) snapshots by default, recovers .url files in the Favorites and Desktop directories of user profiles, improves handling of non-English language machines, and adds enhanced error handling. The script does not currently restore taskbar shortcuts, though Microsoft is continuing to work on a solution.
Manual recovery
Customers who prefer to resolve the issue manually may run the application repair functionality for programs such as Microsoft 365, Microsoft Edge, and Microsoft Visual Studio.
Instructions for Windows 10 and Windows 11 machines are as follows:
Windows 10:
- Start > Settings > Apps > Apps & features
- Select the app you want to fix
- Select Modify link under the name of the app if it is available
- A new page will launch and allow you to select the repair
Windows 11:
- Type “Installed Apps” in the search bar
- Click “Installed Apps”
- Select the app you want to fix
- Click on “…”
- Select Modify or Advanced Options if it is available
- A new page will launch and allow you to select the repair
OneNeck, We’ve Got Your Back
If you have any questions on how to update, recover deleted links or are unsure if your organization has been affected, we’re here to help. Talk to one of our skilled team members today.
Frequently asked questions
What does Microsoft Defender do?
Microsoft Defender is a unified endpoint security platform that provides advanced threat protection for devices running Windows, macOS, iOS, and Android. It includes a range of security technologies, such as antivirus, firewall, and intrusion prevention, and uses machine learning and behavioral analysis to detect and respond to threats in real time.
What is ASR in Microsoft?
Attack Surface Reduction (ASR) is a set of features in Microsoft Defender for Endpoint that helps organizations reduce their attack surface by blocking common malware delivery techniques, such as email and web-based attacks. It uses advanced heuristics and machine learning to detect and block suspicious activity, reducing the risk of successful attacks and improving overall security posture.
What is ASR advanced protection against ransomware?
This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they’re trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they’re in a trusted list or exclusion list. You must enable cloud protection to use this rule.