it-admin-au

How to create a blacklist set of files


Hello,

We have just migrated from McAfee ePO. We are using the latest version of ESET Endpoint for Windows. We are told that we cannot create a policy that stops computers creating the following files from any process. We could with McAfee ePO. Examples below.

Stop creating the file in any folder, e.g.:
myresume.exe
news.exe
DriverMagician.exe
driverupdate.exe
partypoker.exe
Payment order details.doc

Stop the folder being created, e.g.:
C:\PROGRAM FILES\TIXAT

Even wildcards in any folder, e.g.:
*.tmp.tmp
*.lol!
*.toxcrypt

Wildcards in a specific set of user folders, e.g.:
%homepath%\AppData\Roaming\*.exe

Has anyone found a way?

Thanks in advance.


HIPS currently doesn't support wildcards in file paths. Blocking a very few suspicious names that malware may use won't make your system safer, given that in more than 99% of cases malware would use a different name than those above.

ESET protects you regardless of what file names malware uses. Plus there is also a lot of fileless malware that resides in the registry, WMI and UEFI. For a list of technologies that protect our users at various layers in the system, please read https://www.eset.com/int/about/technology/.

If you have a real use case that you are trying to resolve, please provide more details on it.

13 hours ago, it-admin-au said:

Stop creating the file in any folder, e.g.:
myresume.exe
news.exe
DriverMagician.exe
driverupdate.exe
partypoker.exe

I use the registry Debugger option for .exe files that can run from any directory. I set them to open as svchost.exe, which immediately terminates:

[Screenshot: Eset_Debugger.png]

13 hours ago, it-admin-au said:

Stop the folder being created, e.g.:
C:\PROGRAM FILES\TIXAT

An ESET HIPS rule to block any write activity to C:\PROGRAM FILES\TIXAT\*.* would prevent anything being created in the folder.

13 hours ago, it-admin-au said:

Wildcards in a specific set of user folders, e.g.:
%homepath%\AppData\Roaming\*.exe

An ESET HIPS rule to block any application startup in %homepath%\AppData\Roaming\*.* would prevent any program startup in that or any sub-directories.

Also note this regarding the use of variables in ESET HIPS rules: https://forum.eset.com/topic/15740-environment-variables-for-hips-rules/?do=findComment&comment=77806

Edited by itman


Thanks for the reply.


The idea of blocking filenames is not just for malware and virus-related purposes; it also stops users from installing a pre-set list of unwanted programs. Users with admin rights are forever installing programs by themselves (torrent related) or accidentally due to software updates (drivermagician.exe etc.).

Yes, viruses change the executable name, but we have also found that there are a lot that keep the same executable file name. These additions are an additional layer of protection.

The sysinternals suite seems a bit complex and time consuming to adapt. Possibly group policy may help.

The idea of blocking entire folders is valid and used carefully, e.g. C:\PROGRAM FILES\TIXATI\*.* will block users from installing the torrent client.

%homepath%\AppData\Roaming\*.exe - this is a recommended McAfee insertion that we have used and never had any issues with.


I still feel that there should be a mechanism to restrict users from running a set file name.


Thanks

22 hours ago, it-admin-au said:

The sysinternals suite seems a bit complex and time consuming to adapt. Possibly group policy may help.

The Autoruns screenshot I posted just showed the current registry settings. These have to be added manually via Regedit or possibly by Group Policy:

[Screenshot: Eset_Registry.png]

22 hours ago, it-admin-au said:

Users with admin rights are forever installing programs by themselves (torrent related) or accidentally due to software updates (drivermagician.exe etc.).

This type of activity should be restricted via Group Policy setting.
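The Image File Execution Options "Debugger" approach itman describes in his two posts above (pointing each blocked image name at svchost.exe, and adding the entries via Regedit or Group Policy), written out as an added PowerShell example that is not code from the thread or from ESET. It assumes an elevated session, uses the five names the original poster listed, and adds an audit function that reports every IFEO Debugger value present so that entries outside the intended list can be reviewed.

```powershell
# Added example (not from the thread). Blocks the listed image names machine-wide by
# registering an IFEO "Debugger" value: Windows then starts the debugger (svchost.exe,
# as in itman's post) instead of the image, and svchost.exe exits immediately.
# Assumption: run from an elevated PowerShell session. Matching is by file name only,
# regardless of the directory the file is launched from.
$BlockedNames = @('myresume.exe', 'news.exe', 'DriverMagician.exe',
                  'driverupdate.exe', 'partypoker.exe')
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$Debugger = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Set-BlockedExecutable {
    param([Parameter(Mandatory)][string]$Name)
    $key = Join-Path $IfeoRoot $Name
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # -Force overwrites an existing Debugger value so the script is safe to re-run.
    New-ItemProperty -Path $key -Name 'Debugger' -Value $Debugger `
        -PropertyType String -Force | Out-Null
}

function Remove-BlockedExecutable {
    param([Parameter(Mandatory)][string]$Name)
    $key = Join-Path $IfeoRoot $Name
    if (Test-Path $key) { Remove-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue }
}

function Get-IfeoDebuggers {
    # Audit view: every IFEO subkey that carries a Debugger value, flagged as Expected
    # when it is one of ours. Anything unexpected should be reviewed, since the same
    # registry mechanism can be set by other software or by an unwanted program.
    Get-ChildItem -Path $IfeoRoot | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' `
                -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{
                Image    = $_.PSChildName
                Debugger = $dbg
                Expected = ($BlockedNames -contains $_.PSChildName)
            }
        }
    }
}

foreach ($n in $BlockedNames) { Set-BlockedExecutable -Name $n }
Get-IfeoDebuggers | Format-Table -AutoSize
```

To deploy the same values through Group Policy, the key path and the REG_SZ name "Debugger" above are what go into a Registry preference item; the script is otherwise self-contained for testing on one machine.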


I will have a look and see if the mods get around a few concerns


Thanks
