Bloomberg and Defender Exclusions using Intune
Continuing from my previous post, 'Controlled Folder Access - Ransomware Protection, Exclusions, Trusted apps and much more..', I want to cover another application whose behaviour is affected by Defender policies.
The application in question is the Bloomberg Excel add-in, which is widely used across the financial industry. Formally known as the Bloomberg API (Application Programming Interface), it delivers Bloomberg data into Microsoft Excel spreadsheets for analysis and calculations. Without exclusions, and with all the relevant Defender policies switched on, users see errors like the ones shown below.
As always, the best way to find out which Defender policies are responsible is to run an Advanced Hunting query against the device events. The query can be written in many ways, but since the goal here is to identify the policies involved, I use a fairly generic query that returns every ActionType that blocked a file. Since I already know where the add-in's files live, I filter the results on FolderPath.
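As an added example (not the query from the original post), the script below runs a query of that shape through the Microsoft Graph security API so it can be repeated from a workstation rather than pasted into the portal. It assumes that `$accessToken` already holds a Graph token granted `ThreatHunting.Read.All`, that the add-in is installed under `C:\blp`, and that seven days of events is enough history; all three are assumptions, not facts from the post.

```powershell
# Added example, not code from the original post.
# Assumptions: $accessToken is a Microsoft Graph token with ThreatHunting.Read.All,
# the Bloomberg add-in lives under C:\blp, and a 7-day window covers the user reports.

# Generic query: every Attack Surface Reduction and Controlled Folder Access event
# under the add-in's folder, grouped so the action and the file involved are obvious.
# ActionType names such as Asr*Blocked / Asr*Audited and
# ControlledFolderAccessViolationBlocked identify the policy without further decoding.
$huntingQuery = @'
DeviceEvents
| where Timestamp > ago(7d)
| where FolderPath startswith @"C:\blp"
| where ActionType startswith "Asr" or ActionType startswith "ControlledFolderAccess"
| summarize Events = count(), LastSeen = max(Timestamp)
    by DeviceName, ActionType, FolderPath, FileName, InitiatingProcessFileName
| order by Events desc
'@

# POST /security/runHuntingQuery takes the KQL in the "Query" property.
$response = Invoke-RestMethod -Method Post `
    -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
    -Headers @{ Authorization = "Bearer $accessToken" } `
    -ContentType 'application/json' `
    -Body (@{ Query = $huntingQuery } | ConvertTo-Json)

# Each row in "results" is an object keyed by column name.
$response.results |
    Select-Object DeviceName, ActionType, FileName, InitiatingProcessFileName, Events, LastSeen |
    Format-Table -AutoSize
```

Rows whose ActionType starts with `Asr` and ends in `Blocked` point at an ASR rule in block mode; `ControlledFolderAccessViolationBlocked` rows point at Controlled Folder Access. The `InitiatingProcessFileName` column (expected to be `EXCEL.EXE` for this add-in) is the quickest sanity check that the events really belong to the Bloomberg workflow and not to something else writing under the same folder.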
Here are snippets of the output:
As suspected, it is the ASR rules that are blocking the files used by the Bloomberg Excel add-in. To stop the files from being blocked, we need to configure exclusions against the ASR rules.
Note: These exclusions affect both Controlled Folder Access and ASR, so only include the relevant, absolute paths when configuring them. Since multiple files and folders are involved in my case, I am excluding everything under C:\blp.
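As an added example (not from the original post), the script below validates the same exclusion on a single test device before the Intune policy is rolled out more widely. Intune delivers the setting through the Endpoint security > Attack surface reduction policy; the local `Add-MpPreference` call used here is the device-side equivalent for testing. It assumes an elevated PowerShell session and that the add-in is installed under `C:\blp`; both are assumptions.

```powershell
# Added example, not code from the original post.
# Assumptions: elevated PowerShell on a Defender-managed test device, add-in under C:\blp.
$exclusionPath = 'C:\blp'

# 1. Which ASR rules are enforced? Actions: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn.
$prefs = Get-MpPreference
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $prefs.AttackSurfaceReductionRules_Ids[$i],
                         $prefs.AttackSurfaceReductionRules_Actions[$i]
}

# 2. Local view of the blocks the Advanced Hunting query reports:
#    event 1121 = ASR rule blocked, 1123 = Controlled Folder Access blocked.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1123
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$exclusionPath*" } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -Wrap

# 3. Add the exclusion only if it is not already present. As noted above, this list
#    also exempts the path from Controlled Folder Access, so keep it as narrow as possible.
if ($prefs.AttackSurfaceReductionOnlyExclusions -notcontains $exclusionPath) {
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $exclusionPath
}

# 4. Verify the effective list, then re-run the Excel workflow and check that no new
#    1121/1123 events appear for the path.
(Get-MpPreference).AttackSurfaceReductionOnlyExclusions
```

Once the Intune policy applies, the same `Get-MpPreference` check should show the path in `AttackSurfaceReductionOnlyExclusions` on managed devices; if it does not, the local preference was probably overwritten by the policy merge, which is the expected behaviour and the reason to test the path locally first rather than rely on it.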
Well, there you have it: just another example of how you can exclude applications and their necessary files from Defender policies. There are many such use cases, and I am currently working on an interesting scenario that may need additional steps to exclude an application, but more on that later.
Until next time..