Phase 2 Security Update – Defender ASR

What exactly is changing?

Rule (plain-English name): Block use of copied or impersonated system tools

What it stops: Prevents any executable that looks like a core Windows tool (e.g., cmd.exe, powershell.exe, rundll32.exe) but is running from an unexpected folder from starting. Only the genuine copies in C:\Windows\System32 and other protected directories are allowed. (Source: Microsoft Learn)

Typical attacker goal it breaks: Attackers copy or rename trusted “living-off-the-land” binaries (LOLBins) into temp folders or network shares so they can run malicious commands while dodging antivirus and allow-listing. This rule cuts off that stealth tactic. (Source: Microsoft)


How this helps you

  • Cuts off a common ransomware technique. Fake system tools can no longer run—even if the malware is brand-new.

  • Reduces zero-day risk. The rule looks at behavior (location + metadata), not just known virus signatures.

  • No action needed. The policy applies automatically through Intune.


When will I see this?

Date:
What you may notice: The rules run silently. ITS reviews logs but nothing is blocked yet.

Date:
What you may notice: If a macro or add-in tries something disallowed, Windows Security shows a pop-up.
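The silent phase is only useful if someone actually reads the audit events. The script below is an added illustration, not part of the original ITS notice or of any Microsoft tooling: it is the kind of triage an administrator runs on a managed device during the audit period. It reads the rule's current mode from Get-MpPreference and then summarises the Defender operational-log events the rule has produced (Event ID 1121 = blocked, 1122 = audited) by the path of the impersonating binary, which is the same detail the notice asks users to report. The rule GUID in $RuleId is assumed to be the one Microsoft publishes for this rule on Microsoft Learn and should be confirmed there; the EventData field names ("ID", "Path", "Process Name", "User") are those seen in ASR events and are likewise an assumption to check against a real event on your build.

```powershell
# Added example (not from the original notice): ASR rule triage for
# "Block use of copied or impersonated system tools".
# Run in an elevated PowerShell on a Windows 10/11 device running
# Microsoft Defender Antivirus.

# Assumption: GUID as published on Microsoft Learn for this rule; verify.
$RuleId = 'c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb'

# --- 1. What mode is the rule in on this device? ---
# Get-MpPreference exposes two parallel arrays: rule GUIDs and their actions.
$ActionNames = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref  = Get-MpPreference
$ids   = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
$index = [array]::IndexOf($ids, $RuleId.ToLower())
if ($index -ge 0) {
    $action = [int]$pref.AttackSurfaceReductionRules_Actions[$index]
    "Rule $RuleId is configured: $($ActionNames[$action])"
} else {
    "Rule $RuleId is not configured on this device (effectively Off)"
}

# --- 2. Pull the rule's events from the last 7 days ---
# 1121 = rule fired in Block mode, 1122 = rule fired in Audit mode.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$records = foreach ($e in $events) {
    # Assumption: EventData field names below match the ASR event schema.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # Keep only events raised by this rule (other ASR rules share the IDs).
    if ($data['ID'] -and $data['ID'].ToLower() -ne $RuleId.ToLower()) { continue }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Mode    = if ($e.Id -eq 1121) { 'Blocked' } else { 'Audited' }
        User    = $data['User']
        Path    = $data['Path']           # where the look-alike binary lives
        Process = $data['Process Name']   # what tried to launch it
    }
}

# --- 3. Summarise by path ---
# Repeated paths under a vendor's install folder usually mean a portable
# app or installer that needs a per-rule exception before enforcement;
# one-off paths in a user's temp folder deserve a closer look.
$records |
    Group-Object Path |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { ($_.Group | Measure-Object Time -Maximum).Maximum } },
        @{ n = 'Users';    e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Run it on a handful of representative devices while the rule is still in audit mode; the resulting path list is exactly the input needed to decide which business-critical programs get a per-rule exception before the block phase starts.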


Could this affect my work?

Most people will not notice any change. Legitimate Windows utilities in their normal folders keep working.
Potential edge cases include:

  • Portable apps that bundle their own copy of powershell.exe

  • Installers that temporarily unpack regsvr32.exe in a temp folder

  • Scripting frameworks shipping a renamed cmd.exe

If you receive a block toast and a business-critical app stops working, follow the steps below.


What to do if you’re blocked

  1. Take a screenshot of the Windows Security notification (or note the rule name and time).

  2. Try again — sometimes the first launch of an add-in triggers a one-time block.

  3. Contact ITS with the details:

How to reach us: Ticket: https://kb.uconn.edu/portal/1?createRequest=true&portalId=1&requestTypeId=83
What to include:
  • Rule name shown in the pop-up
  • File path of the blocked program (click Details in the toast)
  • Your NetID & computer name

How to reach us: Phone: 860-486-4357
What to include: Same info as above

How to reach us: Email: techsupport@uconn.edu
What to include: Attach the screenshot if possible


If the software is business-critical and passes a security check, we can create a per-rule exception so it works without lowering protection for everyone else.


Frequently Asked Questions
