Microsoft Defender Risky Action Blocked: MacriumService.exe accessing LSASS triggers ASR rule


mjohnsonn
New Member
Group: Forum Members
Posts: 3, Visits: 4
I'm running Microsoft Defender with Attack Surface Reduction (ASR) rules on. After upgrading to Reflect Version 7.3.5550, the Defender protection history shows a blocked action several times a minute:

Risky Action Blocked
App or process blocked: MacriumService.exe
Blocked by: Attack surface reduction
Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Affected items: C:\Windows\System32\lsass.exe

Event log shows this:

Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
    ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
    Detection time: 2021-01-19T15:08:42.260Z
    User: NT AUTHORITY\SYSTEM
    Path: C:\Windows\System32\lsass.exe
    Process Name: C:\Program Files\Macrium\Common\MacriumService.exe
    Security intelligence Version: 1.329.2479.0
    Engine Version: 1.1.17700.4
    Product Version: 4.18.2011.6

The Microsoft docs mention that the rule is known to be a bit "noisy" and if the code merely enumerates all processes the rule might fire, but is there some reason that Reflect must fire that ASR rule?

The only options I see to make the history not fill up are to turn that particular rule off for everything or turn all the rules off for MacriumService.exe.

Running Windows 10 Pro for Workstations 20H2 19042.746

Thanks

Nick
Macrium Representative
Group: Administrators
Posts: 3.2K, Visits: 22K
mjohnsonn - 20 January 2021 6:00 AM
Thanks for the heads up. MacriumService uses legitimate calls involving lsass when launching scheduled backups from the service. We'll have a dig to see if it's at all possible to avoid the trigger.

Kind Regards

Nick

Macrium Support


mjohnsonn
New Member
Group: Forum Members
Posts: 3, Visits: 4
Nick - 20 January 2021 1:56 PM
mjohnsonn - 20 January 2021 6:00 AM
Thanks Nick. I should have included that the seemingly obvious user solution of clicking "Allow" in the Defender protection history does not work. The "Allow" option disappears after the first use and the history list grows by several entries per minute, making it difficult to see other important entries that might occur.
PhilInWA
New Member
Group: Forum Members
Posts: 2, Visits: 10
Nick - 20 January 2021 1:56 PM
mjohnsonn - 20 January 2021 6:00 AM
This is again occurring in Win 11 build 22000.739, Macrium 8.0.6635. Fixed in Win 10 (I am running machines in both environments with licenses).
Joe Allen
Macrium Representative
Group: Macrium Moderators
Posts: 204, Visits: 2.6K
Hello @mjohnsonn

We are looking into this issue now. Are there any steps you could provide to help us replicate this issue?

Kind Regards

Joe A


cyanide
Talented Member
Group: Forum Members
Posts: 68, Visits: 14K
Joe Allen - 24 June 2022 7:55 AM
Just to add, I have also seen these logged events when the ASR rule to block credential stealing is enabled, but I don't really care as Reflect still works.

Step 1: enable the blocking of credential stealing in Microsoft Defender ASR rules using PowerShell/reg or a 3rd-party util.

Step 2: check logs.
e.g. Event 46 ID: 1121 - 6/12/2022 8:42:14 PM
Message: Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
    ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
    Detection time: 2022-06-12T19:42:14.905Z
    User: NT AUTHORITY\SYSTEM
    Path: C:\Windows\System32\lsass.exe
    Process Name: C:\Program Files\Macrium\Common\MacriumService.exe
    Target Commandline:
    Parent Commandline:
    Involved File:
    Inheritance Flags: 0x00000000
    Security intelligence Version: 1.367.1460.0
    Engine Version: 1.1.19200.6
    Product Version: 4.18.2203.5
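An added example, not code from the thread or from Macrium, that does the log check in step 2 above and then shows the two remediation paths mjohnsonn lists in the opening post (excluding the binary from ASR, or changing the rule for everything). It assumes Windows 10/11 with Microsoft Defender and an elevated PowerShell; the rule GUID and the MacriumService.exe path are the ones quoted in the event text.

```powershell
# Added example, not code from the thread or from Macrium: triage ASR block
# events for the LSASS rule and show the remediation paths the thread mentions.
# Assumes Windows 10/11 with Microsoft Defender and an elevated shell.
$LsassRuleId = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'   # rule GUID from the event text

# Step 2 of the recipe above: pull ASR block events (ID 1121) and keep only
# those for the LSASS rule. -match is case-insensitive, so GUID casing is fine.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "ID:\s*$LsassRuleId" }

# Parse "Process Name:" out of the message body and count blocks per process,
# so a noisy but known process is separated from anything unexpected.
$byProcess = $events | ForEach-Object {
    $m = [regex]::Match($_.Message, '(?m)^\s*Process Name:\s*(.+?)\s*$')
    if ($m.Success) { $m.Groups[1].Value }
} | Group-Object | Sort-Object Count -Descending
$byProcess | Format-Table Count, Name -AutoSize

# An ASR exclusion is by path, so before excluding anything confirm the blocked
# binary is the vendor-signed file and not something that replaced it.
foreach ($proc in $byProcess.Name) {
    if (Test-Path -LiteralPath $proc) {
        $sig = Get-AuthenticodeSignature -FilePath $proc
        '{0}: {1} ({2})' -f $proc, $sig.Status, $sig.SignerCertificate.Subject
    }
}

# Current action configured for the LSASS rule (0 = Off, 1 = Block, 2 = Audit).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $LsassRuleId) {
        'LSASS rule action: {0}' -f $pref.AttackSurfaceReductionRules_Actions[$i]
    }
}

# Remediation paths from the thread, narrowest first (uncomment one to apply):
# A. Exclude only this binary from ASR; every other process keeps LSASS protection.
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\Macrium\Common\MacriumService.exe'
# B. Switch this one rule to audit mode system-wide: blocks stop, events continue as ID 1122.
# Set-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId -AttackSurfaceReductionRules_Actions AuditMode
```

Option A keeps the rule enforced for everything except the one signed service binary, which is the smaller loss of coverage; option B keeps the audit trail but removes the block for every process on the machine.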

Joe Allen
Macrium Representative
Group: Macrium Moderators
Posts: 204, Visits: 2.6K
cyanide - 24 June 2022 9:41 AM
@cyanide, thank you for the extra information.

We are looking into this and are talking to the developers about this matter.

I will post an update shortly regarding this matter.

Kind Regards

Joe A


PhilInWA
New Member
Group: Forum Members
Posts: 2, Visits: 10
Joe Allen - 24 June 2022 9:51 AM
This is still occurring in Win 11 Version 22000.795 with Macrium 8.0.6867:


Balaji
Macrium Representative
Group: Macrium Moderators
Posts: 145, Visits: 3.4K
Hi @mjohnsonn @cyanide @PhilInWA

Thank you for the post. We are working on a fix and it will be included in the next update.

Kind regards
Bala

