Getting Windows defender intelligence version to skip buggy ASR rule


zebal

zebal

Well-known member
Member
VIP
Local time
4:04 PM
Posts
574
Location
EU
OS
Windows 11 Pro 23H2
You surely recall the buggy ASR rule that deleted user's shortcuts?
techcommunity.microsoft.com

Recovering from Attack Surface Reduction rule shortcut deletions | Microsoft Community Hub

Guidance on how to recover from short-cut deletions including PowerShell script.
techcommunity.microsoft.com techcommunity.microsoft.com

The link above outlines this bug and also says this bug will trigger for intelligence builds between 1.381.2134.0 and 1.381.2163.0.
On January 13th, Windows Security and Microsoft Defender for Endpoint customers may have experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to security intelligence builds between 1.381.2134.0 and 1.381.2163.0.
Click to expand...

I need to programmatically determine if current computer is using the specified "intelligence builds" in PowerShell and if so then I skip enabling this ASR rule.
My problem is that it's unclear what is "intelligence build"?

To get current Windows Defender versions I can run:
Powershell: 
Get-MpComputerStatus | select AMProductVersion, AMEngineVersion, AntivirusSignatureVersion, AntispywareSignatureVersion | fl

learn.microsoft.com

Get-MpComputerStatus (Defender)

Use this topic to help manage Windows and Windows Server technologies with Windows PowerShell.
learn.microsoft.com

Example output:
Powershell: 
AMProductVersion            : 4.18.23100.2009
AMEngineVersion             : 1.1.23100.2009
AntivirusSignatureVersion   : 1.401.1324.0
AntispywareSignatureVersion : 1.401.1324.0

Which of those 4 numbers listed in the output above correspond to "intelligence build" that was affecting the ASR rule?
Perhaps it is some other property which I didn't include in the sample output.

Same data can be obtained in Windows Defender app in:
Open Windows Defender app -> click "settings" on the bottom left -> click "About" link
 

My Computer

System One

  • OS
    Windows 11 Pro 23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    MSI / MS-7B29
    CPU
    Intel i3 8100 @3.6Ghz
    Motherboard
    H310M PRO-VDH (MS-7B29)
    Memory
    1 x 16GB DDR4 @2400 MHz
    Graphics Card(s)
    Nvidia GeForce GT 1030 2GB SDDR4
    Sound Card
    Realtek VEN_10EC&DEV_0887 / NVIDIA VEN_10DE&DEV_0081
    Monitor(s) Displays
    Acer V226HQL
    Screen Resolution
    1920 x 1080
    Hard Drives
    SSD 500 GB Crucial MX500 / HDD 1 TB TOSHIBA DT01ACA100
    PSU
    ATX, details unknown
    Case
    Everest 551B
    Cooling
    details unknown
    Keyboard
    Mechanical Gaming Hydra R7 - Rampage
    Mouse
    Logitech G703
    Internet Speed
    Down: 28Mbps / Up: 19Mbps
    Browser
    Microsoft Edge
    Antivirus
    Microsoft Defender Antivirus
    Other Info
    Bluetooth: TP Link 5.0 Nano USB adapter UB500
    WLAN: D-Link 150 Pico USB adapter, N standard
    Web camera: Logitech C270 HD 720p @30fps
    Microphone: Trust MICO, model 23790
The latter 2 are the definition versions. You can see the the numbering sequence is the same.
 

My Computer

System One

  • OS
    Windows 11 Pro 23H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo IdeaPad L340
    CPU
    Intel Core i3-8145U
    Memory
    16GB
    Hard Drives
    500 GB M2 1 TB HDD
    Internet Speed
    400 MB
    Browser
    Chrome | Edge
    Antivirus
    Microsoft Defender | Block unknown executables | Various ASR rules enabled
oldschool said:
The latter 2 are the definition versions. You can see the the numbering sequence is the same.
Click to expand...
And I only assume it is those versions which are referred to as "intelligence builds"

Problem however is that I'm not 100% sure and there is no guarantee both versions will always be the same unless there is some official statement they will be always the same.

Yeah, the pattern seems to favor these.
 

My Computer

System One

  • OS
    Windows 11 Pro 23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    MSI / MS-7B29
    CPU
    Intel i3 8100 @3.6Ghz
    Motherboard
    H310M PRO-VDH (MS-7B29)
    Memory
    1 x 16GB DDR4 @2400 MHz
    Graphics Card(s)
    Nvidia GeForce GT 1030 2GB SDDR4
    Sound Card
    Realtek VEN_10EC&DEV_0887 / NVIDIA VEN_10DE&DEV_0081
    Monitor(s) Displays
    Acer V226HQL
    Screen Resolution
    1920 x 1080
    Hard Drives
    SSD 500 GB Crucial MX500 / HDD 1 TB TOSHIBA DT01ACA100
    PSU
    ATX, details unknown
    Case
    Everest 551B
    Cooling
    details unknown
    Keyboard
    Mechanical Gaming Hydra R7 - Rampage
    Mouse
    Logitech G703
    Internet Speed
    Down: 28Mbps / Up: 19Mbps
    Browser
    Microsoft Edge
    Antivirus
    Microsoft Defender Antivirus
    Other Info
    Bluetooth: TP Link 5.0 Nano USB adapter UB500
    WLAN: D-Link 150 Pico USB adapter, N standard
    Web camera: Logitech C270 HD 720p @30fps
    Microphone: Trust MICO, model 23790
zebal said:
I only assume it is those versions which are referred to as "intelligence builds"
Click to expand...
Yes, but not exactly because this also includes Engine Version and Platform Version. For instance:
1701210889348.png
So Client Version is = Platform Version in Windows Security > About
https://www.microsoft.com/en-us/wdsi/defenderupdates

Did you experience the bug and lose shortcuts you linked in your OP?
 

My Computer

System One

  • OS
    Windows 11 Pro 23H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo IdeaPad L340
    CPU
    Intel Core i3-8145U
    Memory
    16GB
    Hard Drives
    500 GB M2 1 TB HDD
    Internet Speed
    400 MB
    Browser
    Chrome | Edge
    Antivirus
    Microsoft Defender | Block unknown executables | Various ASR rules enabled
oldschool said:
Did you experience the bug and lose shortcuts you linked in your OP?
Click to expand...
Yes I did, had to reinstall Windows because was not fond of fixing it.

I'm maintaining a script that deploys this rule and I just want to handle the case if system is out of date and disable it.

I think it's safe to assume that AntispywareSignatureVersion and AntivirusSignatureVersion correspond to "intelligence builds" because number patterns match, this corresponds to Version from your screenshot.

Thanks for help!
 

My Computer

System One

  • OS
    Windows 11 Pro 23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    MSI / MS-7B29
    CPU
    Intel i3 8100 @3.6Ghz
    Motherboard
    H310M PRO-VDH (MS-7B29)
    Memory
    1 x 16GB DDR4 @2400 MHz
    Graphics Card(s)
    Nvidia GeForce GT 1030 2GB SDDR4
    Sound Card
    Realtek VEN_10EC&DEV_0887 / NVIDIA VEN_10DE&DEV_0081
    Monitor(s) Displays
    Acer V226HQL
    Screen Resolution
    1920 x 1080
    Hard Drives
    SSD 500 GB Crucial MX500 / HDD 1 TB TOSHIBA DT01ACA100
    PSU
    ATX, details unknown
    Case
    Everest 551B
    Cooling
    details unknown
    Keyboard
    Mechanical Gaming Hydra R7 - Rampage
    Mouse
    Logitech G703
    Internet Speed
    Down: 28Mbps / Up: 19Mbps
    Browser
    Microsoft Edge
    Antivirus
    Microsoft Defender Antivirus
    Other Info
    Bluetooth: TP Link 5.0 Nano USB adapter UB500
    WLAN: D-Link 150 Pico USB adapter, N standard
    Web camera: Logitech C270 HD 720p @30fps
    Microphone: Trust MICO, model 23790
You must log in or register to reply here.

Latest Support Threads

Latest Tutorials

Back
Top Bottom