Microsoft Security Intelligence
Published Jun 15, 2020 | Updated Nov 06, 2025

EUS:Win32/CustomEnterpriseBlockOnly!cl

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

EUS:Win32/CustomEnterpriseBlockOnly!cl is a unique detection type in an enterprise security environment, intended for security policy enforcement. It is a security signal within Microsoft Defender that is raised when a file matches the organization's pre-defined block list, which is based around Microsoft Defender Vulnerability Management. This contrasts with traditional malware signatures, which are based on known malicious code/syntax patterns and are invoked when those patterns are found while scanning files.

An EUS:Win32/CustomEnterpriseBlockOnly!cl detection signals to IT security teams that they have implemented a proactive block against specific application versions that were considered valid security risks to their enterprise environment. The detection highlights the risk of software with known vulnerabilities that could be abused by threat actors within their environment.

When an EUS:Win32/CustomEnterpriseBlockOnly!cl detection is triggered, it indicates that the organization's security team is blocking software under an organizational policy against running outdated applications. The security team has configured policies to prevent the vulnerable version of the software from running because it was determined to present unacceptable risk to the enterprise. The block does not mean that a compromise has occurred; it means that the policy has enforced an isolation method to remediate the vulnerability. Regardless of the detection, everyone should update the app to an approved secure version. It is not prudent to restore a file that was quarantined, as doing so would revert the security standard and restore the vulnerability.

Different sources could trigger this detection: custom indicators and EDR block mode (live response, AutoIR), to name a few.

Refer to Microsoft Defender Vulnerability Management's documentation on block vulnerable applications capability for details. 

  • Identify the blocked apps by checking out the "Protection history" section in the Windows Security app or the detailed alert in the Microsoft Defender portal. The alert will specify the exact file and software component that was quarantined. 
  • Update the vulnerable app to the latest version. This is the primary and definitive solution. Download the most recent release straight from the official software vendor and perform a complete reinstallation to resolve the security vulnerability that triggered the block. 
  • Run a temporary restoration only if critically necessary, using an elevated Command Prompt. Run the command: "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -Name EUS:Win32/CustomEnterpriseBlock -All. Be aware this is a stopgap measure, as the active security policy will quarantine the file again. 
  • Escalate persistent issues or suspected false positives to your IT security team. They can investigate the custom indicator causing the block, submit the file for analysis, and create a permanent "Allow" indicator for verified safe versions of the binary. 
  • Understand that continuous user and administrator education on this structured process is essential for managing these detections while upholding the organization's overall vulnerability management strategy. 
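
For the identification step above, the same information shown in "Protection history" can be pulled with the Defender PowerShell cmdlets. This is an added example, not Microsoft's own script; it assumes an elevated PowerShell session on the affected endpoint and that detection resources are reported in the form "file:_C:\path\app.exe".

```powershell
# Added example: list local Defender detections matching this page's detection name.
# The name prefix comes from the page; the wildcard covers the "Only!cl" suffix.
$namePattern = 'EUS:Win32/CustomEnterpriseBlock*'

# Get-MpThreat maps ThreatID to ThreatName; Get-MpThreatDetection holds per-event details.
$threats = @(Get-MpThreat | Where-Object { $_.ThreatName -like $namePattern })
if (-not $threats) {
    Write-Output 'No matching detections recorded on this device.'
    return
}

$names = @{}
foreach ($t in $threats) { $names[[string]$t.ThreatID] = $t.ThreatName }

Get-MpThreatDetection |
    Where-Object { $names.ContainsKey([string]$_.ThreatID) } |
    Sort-Object InitialDetectionTime -Descending |
    ForEach-Object {
        $d = $_
        foreach ($res in $d.Resources) {
            # Assumption: resources look like "file:_C:\path\app.exe"; strip the scheme prefix.
            $path = $res -replace '^[A-Za-z]+:_', ''

            # A quarantined file is normally gone from disk. If it is present, the block
            # did not remove it (or it was restored), so record the version still installed.
            $onDisk  = Test-Path -LiteralPath $path -PathType Leaf -ErrorAction SilentlyContinue
            $version = if ($onDisk) { (Get-Item -LiteralPath $path).VersionInfo.FileVersion } else { $null }

            [pscustomobject]@{
                Detected      = $d.InitialDetectionTime
                ThreatName    = $names[[string]$d.ThreatID]
                Path          = $path
                User          = $d.DomainUser
                Process       = $d.ProcessName
                ActionSuccess = $d.ActionSuccess
                StillOnDisk   = $onDisk
                FileVersion   = $version
            }
        }
    } |
    Format-Table -AutoSize -Wrap
```

A row with StillOnDisk set to True and an old FileVersion points to an application that still needs the update described in the list above.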

Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts. 

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help. 
