This is a weird bug or behaviour. I am assuming that the Attack Surface Reduction rule is not discriminating in the type of executable being run. But this software has been installed on my system for a long time now, so I think this passes the presumed 'age' criteria (it should, right?); it should allow me to run that executable, even if it is an uninstall executable.

I usually use Revo Uninstaller for removing my programs, as it would also help me clean out the remaining temp files and orphaned registry entries of the program. The rule blocked it from running the uninstaller. Then I tried Explorer and got the same error. Tried with the terminal as well; it didn't let me run it. Tried elevating by running as admin, same error. Even the system settings were prohibited from running it.

This is what I see in Windows Security: Recording.2024-03-03.192528.mp4

Is there any way to bypass this? Or adjust the rule somehow to mitigate this?
Replies: 3 comments 7 replies
-
Hi, the program might've been installed for a long time, but it could've downloaded new components from the Internet or modified its own files. You can try VirusTotal to see more details about that file: https://www.virustotal.com/gui/home/upload

Here's how to add an exclusion from all ASR rules for a file:

```powershell
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<File path>"
```
-
Most of the time, installers are properly signed and deemed reputable by the Microsoft ISG, but not the uninstaller executables. Could you check that the EXE file at the path in the window title is signed by a known code signing CA?
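The signature check and the ASR-only exclusion suggested in the replies above, combined into one script as an added example (not code posted by any participant in this thread). `-Path` stands for the blocked uninstaller's path, `-AddExclusion` is this script's own hypothetical switch, and event IDs 1121/1122 are Defender's ASR block/audit events.

```powershell
# Added example. Run from an elevated PowerShell session.
param(
    [Parameter(Mandatory)] [string] $Path,   # placeholder: path of the blocked EXE
    [switch] $AddExclusion                    # this script's own switch (hypothetical)
)

$file = Get-Item -LiteralPath $Path -ErrorAction Stop

# 1. Authenticode signature. 'Valid' means the signature verifies and the
#    certificate chains to a root trusted on this machine.
$sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
[pscustomobject]@{
    File    = $file.FullName
    SHA256  = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    Status  = $sig.Status
    Signer  = $sig.SignerCertificate.Subject    # empty when the file is unsigned
    Issuer  = $sig.SignerCertificate.Issuer
    Expires = $sig.SignerCertificate.NotAfter
} | Format-List

# 2. Recent ASR events that mention this file in Defender's operational log.
#    1121 = rule fired in block mode, 1122 = rule fired in audit mode.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -and $_.Message.Contains($file.Name) } |
    Select-Object -First 5 TimeCreated, Id, Message |
    Format-List

# 3. Is the file already excluded from ASR rules?
$current = @((Get-MpPreference).AttackSurfaceReductionOnlyExclusions)
if ($current -contains $file.FullName) {
    Write-Output 'Already listed in AttackSurfaceReductionOnlyExclusions.'
    return
}

# 4. Add the exclusion only when asked to, and only for a validly signed file.
if ($AddExclusion) {
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)'; not adding an exclusion."
        return
    }
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $file.FullName
    Write-Output "Added ASR-only exclusion for $($file.FullName)"
}
```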
-
Is there any way to get the file(s) as trusted in Microsoft ISG? I believe this is downloaded and used by many users, as the products by Crucial are fairly common and ISG is usually smart about this kind of software. Apologies if this is a stupid question.
No, we can't directly modify the ISG. All we can do is install it on other systems with telemetry on so they will generate enough reputation for it to be authorized by the ISG. You can also reach out to the developers of the software and ask them to sign their files. I've done this a few times before.