Microsoft Exploit Guard has blocked an operation


mjohnsonn

The following warning appears in the Event log:

Log Name:  Microsoft-Windows-Windows Defender/Operational
Source:  Windows Defender
Event ID  1121

Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
 For more information please contact your IT administrator.
     ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
     Detection time: 2020-12-11T01:57:18.185Z
     User: XXXXXX-XXXXXX\xxxxxxxxxxx     

     Path: C:\Windows\System32\lsass.exe
     Process Name: C:\Program Files\CCleaner\CCleaner64.exe
     Security intelligence Version: 1.329.181.0
     Engine Version: 1.1.17700.4
     Product Version: 4.18.2011.6
 

My workstation is running

Windows 10 Pro 20H2_19042.685
CCleaner v5.75.8238
 

Defender for Endpoint has all Attack Surface Reduction rules enabled. The GUID shown in the log entry corresponds to the ASR rule "Block credential stealing from the Windows security authority subsystem (lsass.exe)".

What is causing the Exploit Guard to complain about the ASR rule and will this impact the operation of CCleaner or the OS?

Thanks

Edited by mjohnsonn
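
An added example, not part of the original post and not Microsoft or CCleaner code: a triage helper that parses the text of event 1121 messages like the one quoted above and counts blocks per rule, source process and target. It assumes the messages have already been exported as plain text; the function names are hypothetical, and the second detection time in the sample is constructed.

```python
import re
from collections import Counter

# GUID -> rule name, exactly as the post gives it; extend with other rules as needed.
ASR_RULES = {
    "9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2":
        "Block credential stealing from the Windows security authority subsystem (lsass.exe)",
}

# Message fields are indented "Name: value" lines; values themselves contain colons.
FIELD_RE = re.compile(
    r"^[ \t]*(ID|Detection time|User|Path|Process Name):[ \t]*(.*?)[ \t\r]*$", re.M)

def parse_event(message):
    """Extract rule, blocked process and target from one event 1121 message."""
    f = dict(FIELD_RE.findall(message))
    guid = f.get("ID", "").upper()
    return {"rule_id": guid, "rule": ASR_RULES.get(guid, "unknown rule"),
            "time": f.get("Detection time"), "user": f.get("User"),
            "target": f.get("Path"), "source": f.get("Process Name")}

def summarize(messages):
    """Count blocks per (rule, source process, target) to show recurring pairs."""
    events = [parse_event(m) for m in messages]
    return Counter((e["rule"], e["source"], e["target"]) for e in events)

# The event from the post; the second detection time below is constructed.
EVENT = r"""Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
     ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
     Detection time: {time}
     User: XXXXXX-XXXXXX\xxxxxxxxxxx

     Path: C:\Windows\System32\lsass.exe
     Process Name: C:\Program Files\CCleaner\CCleaner64.exe
"""
SAMPLE = [EVENT.format(time=t)
          for t in ("2020-12-11T01:57:18.185Z", "2020-12-12T09:00:00.000Z")]

if __name__ == "__main__":
    for (rule, source, target), n in summarize(SAMPLE).items():
        print(f"{n}x {source} -> {target}\n   rule: {rule}")
```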