Faulty Microsoft Defender ASR Rule Deletes Shortcuts on Windows

Vlad CONSTANTINESCU

January 17, 2023

Microsoft acknowledged a faulty Microsoft Defender ASR (attack surface reduction) rule that triggered the removal of app shortcuts in various locations on affected devices.

When erroneously set off, the buggy rule would delete application shortcuts from the desktop, the taskbar and the Start menu. Sometimes it would break the link in shortcuts instead of removing them, rendering them useless.

The ASR rule in question is a valuable tool designed to prevent malicious code from calling Win32 APIs through VBA macros.

“Office VBA enables Win32 API calls,” Microsoft explains. “Malware can abuse this capability, such as calling Win32 APIs to launch malicious shellcode without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.”

A faulty signature update in Defender prompted the rule to mistakenly tag legitimate app shortcuts as malicious and act against them, either removing them or severing their link.

Several Windows admins reported that the ASR rule acted indiscriminately against both Microsoft and third-party app shortcuts, including those for Outlook, Slack, Chrome and Firefox.

After learning about the issue, Microsoft disabled the malfunctioning rule, stating that the change would probably need several hours to take effect.

“We've identified that a specific rule was resulting in impact,” reads Microsoft’s update. “We've reverted the rule to prevent further impact whilst we investigate further. For more information, please follow the SI MO497128 in your admin center. The revert is in progress and may take several hours to complete. We recommend placing the offending ASR rule into Audit Mode to prevent further impact until the deployment has completed.”

Although the issue has been fixed, the company says that shortcuts affected by the flawed ASR rule will not be automatically restored. Users will have to repair or recreate them manually or “through other methods.”
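The Audit Mode recommendation quoted above can be applied and verified locally with Defender's PowerShell cmdlets. The script below is an added example, not code from Microsoft or from this article; `-RuleId` is a placeholder parameter, because the article does not give the rule's GUID, and the one-day event window is an assumption.

```powershell
# Added example, not Microsoft's or the article's code.
# -RuleId is a placeholder: supply the GUID of the affected rule as listed
# in Microsoft's ASR rule reference (the article does not give it).
param(
    [Parameter(Mandatory)]
    [ValidatePattern('^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$')]
    [string]$RuleId
)

# ASR action codes as stored by Defender.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleAction {
    param([string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $Id) { return [int]$actions[$i] }
    }
    return $null  # rule is not configured on this device
}

function Format-AsrAction {
    param($Code)
    if ($null -eq $Code) { return 'NotConfigured' }
    if ($ActionNames.ContainsKey($Code)) { return $ActionNames[$Code] }
    return "Unknown($Code)"
}

$before = Get-AsrRuleAction -Id $RuleId
Write-Output "Rule $RuleId before: $(Format-AsrAction $before)"

# Only a rule that is enforcing (Block) needs to be moved to Audit.
if ($before -eq 1) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
    Write-Output "Rule $RuleId after:  $(Format-AsrAction (Get-AsrRuleAction -Id $RuleId))"
}

# Event 1121 = ASR rule blocked an action, 1122 = rule fired in audit mode.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-1)   # assumed look-back window
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($RuleId) } |
    Select-Object TimeCreated, Id, Message
```

Run it from an elevated PowerShell session. Where the rule is delivered by Group Policy or Intune, the managed setting overrides the local one, so the change has to be made in that policy instead.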