I'm running Microsoft Defender with Attack Surface Reduction (ASR) rules on. After upgrading to Reflect Version 7.3.5550, the Defender protection history shows a blocked action several times a minute:

Risky Action Blocked
App or process blocked: MacriumSevice.exe
Blocked by: Attack surface reduction
Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Affected items: C:\Windows\System32\lsass.exe

Event log shows this:

Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
    ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
    Detection time: 2021-01-19T15:08:42.260Z
    User: NT AUTHORITY\SYSTEM
    Path: C:\Windows\System32\lsass.exe
    Process Name: C:\Program Files\Macrium\Common\MacriumService.exe
    Security intelligence Version: 1.329.2479.0
    Engine Version: 1.1.17700.4
    Product Version: 4.18.2011.6

The Microsoft docs mention that the rule is known to be a bit "noisy" and if the code merely enumerates all processes the rule might fire, but is there some reason that Reflect must fire that ASR rule?

The only options I see to make the history not fill up are to turn that particular rule off for everything or turn all the rules off for MacriumService.exe.

Running Windows 10 Pro for Workstations 20H2 19042.746

Thanks

+x

 

mjohnsonn - 20 January 2021 6:00 AM

I'm running Microsoft Defender with Attack Surface Reduction (ASR) rules on. After upgrading to Reflect Version 7.3.5550, the Defender protection history shows a blocked action several times a minute:

Risky Action Blocked
App or process blocked: MacriumSevice.exe
Blocked by: Attack surface reduction
Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Affected items: C:\Windows\System32\lsass.exe

Event log shows this:

Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
    ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
    Detection time: 2021-01-19T15:08:42.260Z
    User: NT AUTHORITY\SYSTEM
    Path: C:\Windows\System32\lsass.exe
    Process Name: C:\Program Files\Macrium\Common\MacriumService.exe
    Security intelligence Version: 1.329.2479.0
    Engine Version: 1.1.17700.4
    Product Version: 4.18.2011.6

The Microsoft docs mention that the rule is known to be a bit "noisy" and if the code merely enumerates all processes the rule might fire, but is there some reason that Reflect must fire that ASR rule?

The only options I see to make the history not fill up are to turn that particular rule off for everything or turn all the rules off for MacriumService.exe.

Running Windows 10 Pro for Workstations 20H2 19042.746

Thanks

Thanks for the heads up. MacriumService uses legitimate calls involving lsass when launching scheduled backups from the service. We'll have a dig to see if it's at all possible to avoid the trigger.

Kind Regards

Nick

Macrium Support

See our reviews on

+x

 

Nick - 20 January 2021 1:56 PM

+x

 

mjohnsonn - 20 January 2021 6:00 AM

I'm running Microsoft Defender with Attack Surface Reduction (ASR) rules on. After upgrading to Reflect Version 7.3.5550, the Defender protection history shows a blocked action several times a minute:

Risky Action Blocked
App or process blocked: MacriumSevice.exe
Blocked by: Attack surface reduction
Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Affected items: C:\Windows\System32\lsass.exe

Event log shows this:

Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
    ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
    Detection time: 2021-01-19T15:08:42.260Z
    User: NT AUTHORITY\SYSTEM
    Path: C:\Windows\System32\lsass.exe
    Process Name: C:\Program Files\Macrium\Common\MacriumService.exe
    Security intelligence Version: 1.329.2479.0
    Engine Version: 1.1.17700.4
    Product Version: 4.18.2011.6

The Microsoft docs mention that the rule is known to be a bit "noisy" and if the code merely enumerates all processes the rule might fire, but is there some reason that Reflect must fire that ASR rule?

The only options I see to make the history not fill up are to turn that particular rule off for everything or turn all the rules off for MacriumService.exe.

Running Windows 10 Pro for Workstations 20H2 19042.746

Thanks

Thanks for the heads up. MacriumService uses legitimate calls involving lsass when launching scheduled backups from the service. We'll have a dig to see if it's at all possible to avoid the trigger.

Thanks Nick.  I should have included that the seemingly obvious user solution of clicking "Allow" in the Defender protection history does not work. The "Allow" option disappears after the first use and the history list grows by several entries per minute--making it difficult to see other important entries that might occur.

+x

 

Nick - 20 January 2021 1:56 PM

+x

 

mjohnsonn - 20 January 2021 6:00 AM

I'm running Microsoft Defender with Attack Surface Reduction (ASR) rules on. After upgrading to Reflect Version 7.3.5550, the Defender protection history shows a blocked action several times a minute:

Risky Action Blocked
App or process blocked: MacriumSevice.exe
Blocked by: Attack surface reduction
Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Affected items: C:\Windows\System32\lsass.exe

Event log shows this:

Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
    ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
    Detection time: 2021-01-19T15:08:42.260Z
    User: NT AUTHORITY\SYSTEM
    Path: C:\Windows\System32\lsass.exe
    Process Name: C:\Program Files\Macrium\Common\MacriumService.exe
    Security intelligence Version: 1.329.2479.0
    Engine Version: 1.1.17700.4
    Product Version: 4.18.2011.6

The Microsoft docs mention that the rule is known to be a bit "noisy" and if the code merely enumerates all processes the rule might fire, but is there some reason that Reflect must fire that ASR rule?

The only options I see to make the history not fill up are to turn that particular rule off for everything or turn all the rules off for MacriumService.exe.

Running Windows 10 Pro for Workstations 20H2 19042.746

Thanks

Thanks for the heads up. MacriumService uses legitimate calls involving lsass when launching scheduled backups from the service. We'll have a dig to see if it's at all possible to avoid the trigger.

This is again occurring in Win 11 build 22000.739, Macrium 8.0.6635. Fixed in Win 10 (I am running machines in both environments with licenses).

Hello @mjohnsonn, 

We are looking into this issue now, Are there any steps you could provide to help us replicate this issue?

Kind Regards

Joe A

See our reviews on

+x

 

Joe Allen - 24 June 2022 7:55 AM

Hello @mjohnsonn, 

We are looking into this issue now, Are there any steps you could provide to help us replicate this issue?

just to add have also seen these logged events when ASR rule to block credential stealing is enabled. but I dont really care as reflect still works.

step1 - enable the blocking of credential stealing in micorosft defender ASR rules using powershell/reg or 3rd party util

step 2 check logs
e.g Event 46 ID: 1121 - 6/12/2022 8:42:14 PM
Message: Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
    ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
    Detection time: 2022-06-12T19:42:14.905Z
    User: NT AUTHORITY\SYSTEM
    Path: C:\Windows\System32\lsass.exe
    Process Name: C:\Program Files\Macrium\Common\MacriumService.exe
    Target Commandline:
    Parent Commandline:
    Involved File:
    Inheritance Flags: 0x00000000
    Security intelligence Version: 1.367.1460.0
    Engine Version: 1.1.19200.6
    Product Version: 4.18.2203.5

+x

 

cyanide - 24 June 2022 9:41 AM

+x

 

Joe Allen - 24 June 2022 7:55 AM

Hello @mjohnsonn, 

We are looking into this issue now, Are there any steps you could provide to help us replicate this issue?

just to add have also seen these logged events when ASR rule to block credential stealing is enabled. but I dont really care as reflect still works.

step1 - enable the blocking of credential stealing in micorosft defender ASR rules using powershell/reg or 3rd party util

step 2 check logs
e.g Event 46 ID: 1121 - 6/12/2022 8:42:14 PM
Message: Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
    ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
    Detection time: 2022-06-12T19:42:14.905Z
    User: NT AUTHORITY\SYSTEM
    Path: C:\Windows\System32\lsass.exe
    Process Name: C:\Program Files\Macrium\Common\MacriumService.exe
    Target Commandline:
    Parent Commandline:
    Involved File:
    Inheritance Flags: 0x00000000
    Security intelligence Version: 1.367.1460.0
    Engine Version: 1.1.19200.6
    Product Version: 4.18.2203.5

@cyanide, Thank you for the extra information,

We are looking into this and are talking to the developers about this matter.

I will post an update shortly regarding this matter.

Kind Regards

Joe A

See our reviews on

+x

 

Joe Allen - 24 June 2022 9:51 AM

+x

 

cyanide - 24 June 2022 9:41 AM

+x

 

Joe Allen - 24 June 2022 7:55 AM

Hello @mjohnsonn, 

We are looking into this issue now, Are there any steps you could provide to help us replicate this issue?

just to add have also seen these logged events when ASR rule to block credential stealing is enabled. but I dont really care as reflect still works.

step1 - enable the blocking of credential stealing in micorosft defender ASR rules using powershell/reg or 3rd party util

step 2 check logs
e.g Event 46 ID: 1121 - 6/12/2022 8:42:14 PM
Message: Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
    ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
    Detection time: 2022-06-12T19:42:14.905Z
    User: NT AUTHORITY\SYSTEM
    Path: C:\Windows\System32\lsass.exe
    Process Name: C:\Program Files\Macrium\Common\MacriumService.exe
    Target Commandline:
    Parent Commandline:
    Involved File:
    Inheritance Flags: 0x00000000
    Security intelligence Version: 1.367.1460.0
    Engine Version: 1.1.19200.6
    Product Version: 4.18.2203.5

@cyanide, Thank you for the extra information,

We are looking into this and are talking to the developers about this matter.

I will post an update shortly regarding this matter.

This is still occurring in Win 11 Verson 22000.795 with Macrium 8.0.6867:

Hi @mjohnsonn @cyanide @PhilInWA

Thank you for the post. We are working on a fix and it will be included in the next update.

Kind regards
Bala

Kind Regards

Balaji

Macrium Development

See our reviews on