u/failx96

ASR Rule “Block Win32 API calls from Office macros” – False positives in Content.MSO / Temp Files


Hi all,
running into issues with the ASR rule “Block Win32 API calls from Office macros” and would love to hear your experiences.
In audit mode, I keep seeing hits on randomly named .tmp files (sometimes without any extension) in:
%LocalAppData%\Microsoft\Windows\INetCache\Content.MSO\

Since the filenames change every time, targeted exclusions aren’t really possible, and I’d rather not exclude the whole Content.MSO folder.

There’s a similar post here (https://www.asap-utilities.com/faq-questions-answers-detail.php?m=340&srsltid=AfmBOop9lqsHC16B9xMZNjuckbhuUet9QCaBmnzdn8DUPC934jMNLqdX) describing the same behavior – (we don’t use the utility mentioned there, the audit hits are most likely because of legitimate Office macro files). But even when we exclude the original locations of the macro files, there are still many hits on the temp files. I’m not sure if this will have an effect on the end-users if we switch to block mode instead of audit.

How do you handle this or have you observed the same behavior in your environment?

Thanks in advance!

u/failx96 — 3 days ago
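One way to size up the impact before flipping the rule to block mode is to pull the audit events themselves and split them into Content.MSO temp-file hits versus everything else. This is an added example, not code from the post or from Microsoft; it assumes the published rule GUID 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B for "Block Win32 API calls from Office macros" and the EventData field names "ID", "Path" and "Process Name" as they appear in Defender ASR events (adjust $PathField / $ProcField if yours differ).

```powershell
# Added example: summarize ASR audit hits (Event ID 1122) for the
# "Block Win32 API calls from Office macros" rule, separating hits on
# INetCache\Content.MSO temp files from hits on real macro locations.
# Assumptions: rule GUID and EventData field names below; change them
# if the events in your environment use different names.
$RuleId    = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
$PathField = 'Path'
$ProcField = 'Process Name'
$Days      = 7

$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1122                      # 1122 = ASR audited, 1121 = ASR blocked
    StartTime = (Get-Date).AddDays(-$Days)
}

$hits = @(foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    # Flatten the <Data Name="..."> nodes of EventData into a hashtable.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if (([string]$data['ID']).Trim('{}') -ne $RuleId) { continue }   # this rule only
    $path = [string]$data[$PathField]
    $proc = [string]$data[$ProcField]
    [pscustomobject]@{
        Time      = $evt.TimeCreated
        Process   = if ($proc) { Split-Path -Leaf $proc } else { '(unknown)' }
        Folder    = if ($path) { Split-Path -Parent $path } else { '(unknown)' }
        Extension = [IO.Path]::GetExtension($path)
        IsTempMSO = $path -match '\\INetCache\\Content\.MSO\\'
    }
})

"Audit hits for rule $RuleId in the last $Days days: $($hits.Count)"
"Of which on Content.MSO temp files: $(@($hits | Where-Object IsTempMSO).Count)"

# Which Office processes produce the temp-file hits, and with which extensions.
$hits | Where-Object IsTempMSO |
    Group-Object Process, Extension | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Hits outside Content.MSO, grouped by folder: the locations a targeted
# exclusion (or signing the macros) would actually have to cover.
$hits | Where-Object { -not $_.IsTempMSO } |
    Group-Object Folder | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it on a representative endpoint (or via a remoting session) while the rule is still in audit mode; the second table is the list of folders that matter, and the first shows whether the temp-file noise comes from one process or spans all Office apps.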