Getting Windows defender intelligence version to skip buggy ASR rule


zebal

Well-known member
Member
VIP
Local time
12:05 PM
Posts
574
Location
EU
OS
Windows 11 Pro 23H2
You surely recall the buggy ASR rule that deleted users' shortcuts?

The link above outlines this bug and also says this bug will trigger for intelligence builds between 1.381.2134.0 and 1.381.2163.0.
On January 13th, Windows Security and Microsoft Defender for Endpoint customers may have experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to security intelligence builds between 1.381.2134.0 and 1.381.2163.0.

I need to programmatically determine in PowerShell whether the current computer is using the specified "intelligence builds", and if so, skip enabling this ASR rule.
My problem is that it's unclear what an "intelligence build" is.

To get current Windows Defender versions I can run:
Powershell:
Get-MpComputerStatus | select AMProductVersion, AMEngineVersion, AntivirusSignatureVersion, AntispywareSignatureVersion | fl


Example output:
Powershell:
AMProductVersion            : 4.18.23100.2009
AMEngineVersion             : 1.1.23100.2009
AntivirusSignatureVersion   : 1.401.1324.0
AntispywareSignatureVersion : 1.401.1324.0

Which of those 4 numbers listed in the output above corresponds to the "intelligence build" that was affecting the ASR rule?
Perhaps it is some other property which I didn't include in the sample output.

The same data can be obtained in the Windows Defender app:
Open the Windows Defender app -> click "Settings" at the bottom left -> click the "About" link
 

My Computer

At a glance
OS
Windows 11 Pro 23H2
Computer type
PC/Desktop
Manufacturer/Model
MSI / MS-7B29
CPU
Intel i3 8100 @3.6Ghz
Motherboard
H310M PRO-VDH (MS-7B29)
Memory
1 x 16GB DDR4 @2400 MHz
Graphics Card(s)
Nvidia GeForce GT 1030 2GB SDDR4
Sound Card
Realtek VEN_10EC&DEV_0887 / NVIDIA VEN_10DE&DEV_0081
Monitor(s) Displays
Acer V226HQL
Screen Resolution
1920 x 1080
Hard Drives
SSD 500 GB Crucial MX500 / HDD 1 TB TOSHIBA DT01ACA100
PSU
ATX, details unknown
Case
Everest 551B
Cooling
details unknown
Keyboard
Mechanical Gaming Hydra R7 - Rampage
Mouse
Logitech G703
Internet Speed
Down: 28Mbps / Up: 19Mbps
Browser
Microsoft Edge
Antivirus
Microsoft Defender Antivirus
Other Info
Bluetooth: TP Link 5.0 Nano USB adapter UB500
WLAN: D-Link 150 Pico USB adapter, N standard
Web camera: Logitech C270 HD 720p @30fps
Microphone: Trust MICO, model 23790
The latter 2 are the definition versions. You can see the numbering sequence is the same.
 

My Computer

At a glance
OS
Windows 11 Pro 25H2 26200.7840
Computer type
Laptop
Manufacturer/Model
Lenovo IdeaPad L340
CPU
Intel Core i3-8145U
Memory
16GB
Hard Drives
500 GB M2 1 TB HDD
Internet Speed
400 MB
Browser
Chrome | Edge
Antivirus
Microsoft Defender | Block unknown executables | Various ASR rules enabled | Smart App Control
The latter 2 are the definition versions. You can see the numbering sequence is the same.
And I only assume it is those versions which are referred to as "intelligence builds".

The problem, however, is that I'm not 100% sure, and there is no guarantee both versions will always be the same unless there is some official statement that they always will be.

Yeah, the pattern seems to favor these.
 

I only assume it is those versions which are referred to as "intelligence builds".
Yes, but not exactly, because this also includes Engine Version and Platform Version. For instance:
[attached screenshot: Windows Security > About]
So Client Version = Platform Version in Windows Security > About
https://www.microsoft.com/en-us/wdsi/defenderupdates

Did you experience the bug and lose shortcuts you linked in your OP?
 

Did you experience the bug and lose shortcuts you linked in your OP?
Yes I did; I had to reinstall Windows because I was not fond of fixing it.

I'm maintaining a script that deploys this rule, and I just want to handle the case where the system is out of date and disable it.

I think it's safe to assume that AntispywareSignatureVersion and AntivirusSignatureVersion correspond to "intelligence builds" because the number patterns match; this corresponds to the Version in your screenshot.

Thanks for help!
 

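As an added example, not code posted by anyone in this thread, here is one way to implement the check the thread converges on in PowerShell. It reads AntivirusSignatureVersion from Get-MpComputerStatus, treats it as the security intelligence version (the thread's conclusion, and the value Windows Security > About labels "Security intelligence version"), and compares it as a [version] against the inclusive range 1.381.2134.0 to 1.381.2163.0 quoted from the Microsoft advisory. Because the affected builds were superseded, the script first tries Update-MpSignature and only falls back to disabling the rule if the machine is still on an affected build. The rule GUID is Microsoft's documented identifier for "Block Win32 API calls from Office macros" and is not taken from the thread; the function names are this example's own.

```powershell
# Added example, not from the thread. Assumes AntivirusSignatureVersion is the
# "security intelligence version" the advisory refers to (what the thread concluded).
# Run from an elevated PowerShell session; Defender cmdlets need admin rights.

# Documented Microsoft GUID for "Block Win32 API calls from Office macros"
# (assumption: taken from the ASR rule reference, not from this thread).
$AsrRuleId   = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
$AffectedMin = [version]'1.381.2134.0'   # range quoted from the advisory
$AffectedMax = [version]'1.381.2163.0'

function Get-SecurityIntelligenceVersion {
    # Cast to [version] so comparisons are numeric per component,
    # not lexical string compares (1.381.2200.0 -gt 1.381.99.0 must hold).
    $status = Get-MpComputerStatus
    return [version]$status.AntivirusSignatureVersion
}

function Test-AffectedIntelligenceBuild {
    param([Parameter(Mandatory)][version]$Build)
    # Inclusive check: the advisory names both endpoints as affected.
    return ($Build -ge $AffectedMin -and $Build -le $AffectedMax)
}

function Set-Win32ApiMacroRule {
    [CmdletBinding()]
    param()

    $build = Get-SecurityIntelligenceVersion
    if (Test-AffectedIntelligenceBuild $build) {
        # Prefer getting off the bad build over weakening the ASR posture.
        Write-Warning "Security intelligence $build is in the affected range; trying a signature update."
        try { Update-MpSignature -ErrorAction Stop }
        catch { Write-Warning "Signature update failed: $_" }
        $build = Get-SecurityIntelligenceVersion
    }

    if (Test-AffectedIntelligenceBuild $build) {
        # Still affected (offline, update blocked, etc.): turn the rule off so
        # the false positives cannot delete shortcuts, and report it.
        Write-Warning "Still on affected build $build; disabling rule $AsrRuleId."
        Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                         -AttackSurfaceReductionRules_Actions Disabled
        return $false
    }

    # Safe build: enforce. Use 'AuditMode' instead of 'Enabled' to log only.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
    Write-Verbose "Enabled ASR rule $AsrRuleId on security intelligence $build."
    return $true
}

# Usage:
#   Set-Win32ApiMacroRule -Verbose
```

Note that the check deliberately ignores AMProductVersion and AMEngineVersion: the advisory scopes the bug to security intelligence builds, and those two fields are the platform and engine versions the later reply in this thread points out are separate things.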