- Microsoft Defender security intelligence update build 1.381.2140.0 broke the behaviour of the “Block Win32 API calls from Office macro” Attack Surface Reduction (ASR) rule, which started deleting application shortcuts on devices where it was enabled.
- Attack Surface Reduction (ASR) rules are there to protect your devices from attacks that use macros, scripts, and common injection techniques.
- The issue has since been fixed, but deleted shortcuts are not restored automatically; Microsoft published a script that recreates shortcuts for some popular applications, and anything it does not cover has to be recreated by hand.
Windows Defender (now Microsoft Defender Antivirus) is Microsoft's anti-malware tool and ships preinstalled with Windows 8.1, Windows 10, and Windows 11. Last Friday (January 13, 2023), after the most recent security intelligence update, Defender started removing shortcuts from the Windows Taskbar, Start Menu, and Desktop, and some users reported that the linked program files were also removed from disk. The cause turned out to be an ASR (Attack Surface Reduction) rule gone wrong. ASR rules are Defender policies meant to protect devices from attacks that rely on macros, scripts, and common injection techniques.
ASR rule gone wrong
The cause of Microsoft Defender going rogue appears to be an ASR rule whose behaviour was altered by a recent Defender signature update. The rule responsible is “Block Win32 API calls from Office macro”: with the latest signature update it prompted the antimalware engine to delete shortcuts and, in some reports, to remove the Office productivity suite entirely. The update also affected shortcuts and files of many other programs, including Mozilla Firefox, Google Chrome, Slack, and others. Microsoft said:
« After installing security intelligence update build 1.381.2140.0 for Microsoft Defender, application shortcuts in the Start menu, pinned to the taskbar, and on the Desktop might be missing or deleted. Additionally, errors might be observed when trying to run executable (.exe) files which have dependencies on shortcut files. Affected devices have the Attack Surface Reduction (ASR) rule “Block Win32 API calls from Office macro” enabled. »
As a workaround, Microsoft recommended switching the affected ASR rule from Block to Audit mode. In Audit mode the rule still logs what it would have blocked but no longer takes action, so the workaround also removes the protection against Win32 API calls from Office macros until the rule is set back to Block after the fixed definitions are installed. The change can be made through the following options:
- Using Intune: Enable attack surface reduction rules | Defender for Endpoint: Microsoft Endpoint Manager
- Using Group Policy: Enable attack surface reduction rules | Defender for Endpoint: Group Policy
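For a single endpoint, or for checking what the Intune or Group Policy change actually produced, the same workaround can be done with the built-in Defender PowerShell module. The following is an added example, not Microsoft's own guidance or code: it reads the installed security intelligence version, prints the current ASR rule states, moves only the affected rule to Audit mode, and lists recent ASR audit/block events. It assumes an elevated prompt and the built-in `Defender` module; the rule GUID is the identifier Microsoft publishes for “Block Win32 API calls from Office macros” in its ASR rules reference, so verify it there before relying on it.

```powershell
# Added example (not Microsoft's guidance): triage and work around the broken
# ASR rule on one device. Assumes an elevated PowerShell and the 'Defender' module.
# GUID: Microsoft's published ID for "Block Win32 API calls from Office macros".
$Win32ApiMacroRule = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
$BadBuild  = [version]'1.381.2140.0'   # build that introduced the deletions
$GoodBuild = [version]'1.381.2164.0'   # build that fixed them

# 1. Which security intelligence build is installed?
$sig = [version](Get-MpComputerStatus).AntivirusSignatureVersion
Write-Host "Security intelligence version: $sig"
if ($sig -ge $BadBuild -and $sig -lt $GoodBuild) {
    Write-Warning 'Affected build installed; run Update-MpSignature before putting the rule back in Block mode.'
}

# 2. How is each ASR rule configured? Ids and Actions are parallel arrays;
#    actions: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id  = $pref.AttackSurfaceReductionRules_Ids[$i]
    $act = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    $flag = if ($id -ieq $Win32ApiMacroRule) { '  <-- affected rule' } else { '' }
    Write-Host ("{0}  {1}{2}" -f $id, $actionName[$act], $flag)
}

# 3. Workaround: set only this rule to Audit. Add-MpPreference merges the
#    pair into the existing lists, so the other rules keep their current action.
Add-MpPreference -AttackSurfaceReductionRules_Ids $Win32ApiMacroRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 4. What has the rule been doing? Event 1121 = ASR block, 1122 = ASR audit,
#    both in the Defender operational log; filter to this rule's GUID.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Win32ApiMacroRule } |
    Select-Object TimeCreated, Id, Message |
    Format-List

# Once $sig -ge $GoodBuild, restore enforcement with:
#   Add-MpPreference -AttackSurfaceReductionRules_Ids $Win32ApiMacroRule `
#                    -AttackSurfaceReductionRules_Actions Enabled
```

Two caveats: on a device managed by Intune or Group Policy the policy setting wins over a local `Add-MpPreference` change, so the rule has to be changed in the management tool for the change to stick; and the event query only shows activity the rule logged, it does not list which shortcuts were deleted.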
The issue was resolved in security intelligence update build 1.381.2164.0. Installing the fix does not bring deleted shortcuts back, however. Microsoft published guidance titled “Recovering from Attack Surface Reduction rule shortcut deletions” together with a PowerShell script that recreates Start menu shortcuts for a list of popular applications the rule had removed; shortcuts for applications outside that list, and items pinned to the taskbar, have to be recreated manually.
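For applications that Microsoft's script does not cover, the shortcut can be rebuilt the same way: check that the executable is still on disk and write a new `.lnk` pointing at it. The following is an added example and not Microsoft's AddShortcuts.ps1; the `$Apps` table is a constructed sample of two applications named in this article, and the install paths in it are assumptions to adjust for your estate. It assumes an elevated prompt, since the all-users Start menu folder under ProgramData is not writable by standard users.

```powershell
# Added example, not Microsoft's recovery script. Recreates Start menu shortcuts
# for programs whose executable survived. $Apps is a constructed sample; the
# paths are assumed default install locations and may differ on your devices.
$Apps = @(
    @{ Name = 'Google Chrome';   Target = "$env:ProgramFiles\Google\Chrome\Application\chrome.exe" },
    @{ Name = 'Mozilla Firefox'; Target = "$env:ProgramFiles\Mozilla Firefox\firefox.exe" }
)
# All-users Start menu; use "$env:APPDATA\Microsoft\Windows\Start Menu\Programs"
# for a shortcut that should exist only for the current user.
$StartMenu = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'

function Restore-StartMenuShortcut {
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [string]$Target,
        [string]$Folder = $StartMenu
    )
    $lnk = Join-Path $Folder "$Name.lnk"
    if (-not (Test-Path -LiteralPath $Target)) {
        # A shortcut to a missing binary is useless; the program itself needs
        # a repair or reinstall (the page notes some binaries were deleted too).
        Write-Warning "${Name}: target missing ($Target); repair or reinstall the application"
        return $false
    }
    if (Test-Path -LiteralPath $lnk) {
        Write-Host "${Name}: shortcut already present, nothing to do"
        return $true
    }
    # WScript.Shell is the supported COM route for writing .lnk files.
    $shell = New-Object -ComObject WScript.Shell
    $sc = $shell.CreateShortcut($lnk)
    $sc.TargetPath       = $Target
    $sc.WorkingDirectory = Split-Path -Path $Target -Parent
    $sc.IconLocation     = "$Target,0"
    $sc.Save()
    Write-Host "Recreated $lnk"
    return $true
}

$results = foreach ($app in $Apps) { Restore-StartMenuShortcut @app }
Write-Host ("Restored or verified {0} of {1} shortcuts" -f ($results | Where-Object { $_ }).Count, $Apps.Count)
```

Taskbar pins are per-user state with no supported scripting interface, so they still have to be re-pinned by each user after the Start menu entry is back.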