ASR rules: Event IDs 1121 and 1122 occur with lsass.exe and block the operation

Last modified by Steffi F on 2025/10/08 10:08

Initial Situation

Restarting the agent service can trigger threat or warning reports with event IDs 1121 and 1122 on the agent.

These events occur because the ASR rule "Block theft of Windows local security authority credentials" is active in Defender Management. This rule prevents untrusted processes from reading LSASS memory directly: if a process opens LSASS with OpenProcess() requesting PROCESS_VM_READ access, the ASR rule blocks the access (event ID 1121) or, in audit mode, reports it (event ID 1122).

To stop the rule from blocking the agent service, add the service executable (or its folder) as an ASR exclusion. Proceed as follows:

Select configuration profile

1. In Defender Management, navigate to the configuration profile to which the exclusion is to be added.

2. Click Edit in the ribbon bar.

Add the file or folder to the exclusion

3. Under the Settings tab, navigate to Attack Surface Reduction > ASR Rules Exceptions.

4. Enable the "Exclude files and paths from ASR rules" checkbox.

5. Add the following file or folder.

File:

%PROGRAMFILES(x86)%\ACMPClient\ACMPClientService.exe

or

%SYSTEMDRIVE%\ACMPClient\ACMPClientService.exe

Folder:

%PROGRAMFILES(x86)%\ACMPClient

or

%SYSTEMDRIVE%\ACMPClient

Note:

If you enter only the file name "ACMPClientService.exe" without the complete path, the exclusion has no effect and the rule keeps blocking!

[Figure ASR-Regeln_eng.png: Example of the excluded folder path]

6. Click Save.

The ASR rule no longer blocks the excluded file or folder, so the agent service can access LSASS without triggering events 1121 and 1122.
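As an added example (not part of the Aagon article or the ACMP product), the same check and exclusion performed locally with the Defender PowerShell cmdlets: it reads the state of the lsass.exe ASR rule, lists recent 1121/1122 events that name the agent service, and adds the full-path exclusion. It assumes the ACMP client is installed under %PROGRAMFILES(x86)%\ACMPClient and uses the rule GUID Microsoft documents for the lsass.exe rule.

```powershell
# Added example, not from the article. Assumption: client under %PROGRAMFILES(x86)%\ACMPClient.
# GUID of "Block credential stealing from the Windows local security authority subsystem (lsass.exe)"
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
$AgentExe    = Join-Path ${env:ProgramFiles(x86)} 'ACMPClient\ACMPClientService.exe'

# 1. Report how the rule is configured on this host (1 = Block, 2 = Audit, 6 = Warn, 0 = Off)
$pref   = Get-MpPreference
$ids    = @($pref.AttackSurfaceReductionRules_Ids)
$action = 'not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $LsassRuleId) { $action = $pref.AttackSurfaceReductionRules_Actions[$i] }
}
"LSASS ASR rule action: $action"

# 2. Recent block (1121) / audit (1122) events that mention the agent service and this rule
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ACMPClientService\.exe' -and $_.Message -match $LsassRuleId } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

# 3. Exclude the agent from ASR rules only (not from AV scanning); the full path is required,
#    a bare file name is not honored, as the article's note states
Add-MpPreference -AttackSurfaceReductionOnlyExclusions $AgentExe

# 4. Confirm the exclusion is now in place
(Get-MpPreference).AttackSurfaceReductionOnlyExclusions
```

On hosts whose Defender settings are managed centrally (for example via Defender Management, Intune or Group Policy), a locally added exclusion may be overwritten by the next policy refresh; the rule-state and event queries work regardless.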

© Aagon GmbH 2025
Visit our Aagon community