aztfexport.exe blocked by ASR rules

[AaronHorn]

I've just installed aztfexport using go install github.com/Azure/aztfexport@latest

When I try to run the binary, it is being blocked by Microsoft Defender's Attack Surface Reduction (ASR) rules.

In event log:

Log Name:      Microsoft-Windows-Windows Defender/Operational
Source:        Microsoft-Windows-Windows Defender
Date:          16/12/2023 12:57:59
Event ID:      1121
Task Category: None
Level:         Warning
Keywords:      
User:          SYSTEM
Computer:      <REDACTED>
Description:
Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
 For more information please contact your IT administrator.
    ID: 01443614-CD74-433A-B99E-2ECDC07BFC25
    Detection time: 2023-12-16T12:57:59.495Z
    User: <REDACTED>\<REDACTED>
    Path: C:\Users\<REDACTED>\go\bin\AZTFEX~1.EXE
    Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Target Commandline: 
    Parent Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Involved File: 
    Inheritance Flags: 0x00000000
    Security intelligence Version: 1.403.588.0
    Engine Version: 1.1.23110.2
    Product Version: 4.18.23110.3

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Defender" Guid="{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}" />
    <EventID>1121</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2023-12-16T12:57:59.4956169Z" />
    <EventRecordID>11255</EventRecordID>
    <Correlation ActivityID="{<REDACTED>}" />
    <Execution ProcessID="4380" ThreadID="6368" />
    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
    <Computer><REDACTED></Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Product Name">Microsoft Defender Antivirus</Data>
    <Data Name="Product Version">4.18.23110.3</Data>
    <Data Name="Unused">
    </Data>
    <Data Name="ID">01443614-CD74-433A-B99E-2ECDC07BFC25</Data>
    <Data Name="Detection Time">2023-12-16T12:57:59.495Z</Data>
    <Data Name="User"><REDACTED>\<REDACTED></Data>
    <Data Name="Path">C:\Users\<REDACTED>\go\bin\AZTFEX~1.EXE</Data>
    <Data Name="Process Name">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="Security intelligence Version">1.403.588.0</Data>
    <Data Name="Engine Version">1.1.23110.2</Data>
    <Data Name="RuleType">ENT\ConsR</Data>
    <Data Name="Target Commandline">
    </Data>
    <Data Name="Parent Commandline">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="Involved File">
    </Data>
    <Data Name="Inhertiance Flags">0x00000000</Data>
  </EventData>
</Event>

In Windows Security:

Defender log file: MPLog.log

The problem is because I have the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" 01443614-cd74-433a-b99e-2ecdc07bfc25 (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) set.

Fix is

Set-MpPreference -AttackSurfaceReductionOnlyExclusions " C:\Users\<REDACTED>\go\bin\aztfexport.exe"
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\<REDACTED>\go\bin\AZTFEX~1.EXE"

But is there anything that can be done from the project side to prevent this happening?

[magodo]

@AaronHorn Can you try to install the tool via winget?

[AaronHorn]

@AaronHorn Can you try to install the tool via winget?

I tried this, it seems to work.

However the version Go installed also now seems to work, even with the ASR exclusions removed.