itman (1,752), posted February 4, 2020 (edited February 4, 2020 by itman)

Finally, if one insists on enabling macros in Office apps, I would strongly recommend that the following HIPS rule be created on all endpoint devices. This rule will block all script executables from being spawned from an Office app. Refer to the rule details given in this ESET KB article section. Note I duplicated the entire article section because there are "typos" in the article:

Quote:

    III. Deny child processes from Office 2013/2016 processes

    In the HIPS rules window, click Add. (Figure 3-1)

    Type "Deny child processes from Office 2013 processes" into the Rule name field. From the Action drop-down menu, select Block. Enable the following options:
        Applications
        Enabled
        Logging severity (warning)
        Notify user
    Click Next. (Figure 3-2)

    In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
        C:\Program Files\Microsoft Office\Office15\WINWORD.EXE
        C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE
        C:\Program Files\Microsoft Office\Office15\EXCEL.EXE
        C:\Program Files\Microsoft Office\Office15\POWERPNT.EXE
        C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE
        C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE
        C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE
        C:\Program Files (x86)\Microsoft Office\Office15\POWERPNT.EXE
    Click Next. (Figure 3-3)

    In the Application operations window, click the slider bar next to Start new application to enable it. Click Next. (Figure 3-4)

    In the Applications window, click Add and type in the following file names, clicking OK and then Add after each one:
        C:\Windows\System32\cmd.exe
        C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\wscript.exe
        C:\Windows\SysWOW64\wscript.exe
        C:\Windows\System32\cscript.exe
        C:\Windows\SysWOW64\cscript.exe
        C:\Windows\System32\ntvdm.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\regsvr32.exe
        C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\System32\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe

    Add additional Office versions as needed, repeating the same instructions as above.
        2016 = Office16 (C:\Program Files (x86)\Microsoft Office\Root\Office16\...)
        2010 = Office14

    Click Finish. (Figure 3-5)

https://support.eset.com/en/kb6119-configure-hips-rules-for-eset-business-products-to-protect-against-ransomware#
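The rule quoted above, modelled in code so its matching logic can be exercised against sample process-creation events. This is an added example, not ESET's code and not part of KB6119 or of itman's post: it assumes the HIPS rule matches parent and child by full image path, case-insensitively, builds the Office 2016 entries from the KB's `Root\Office16` note, and feeds the rule constructed Sysmon-style parent/child records. It also checks a target list for entries that can never match a real process, which is the effect of the mistyped file names later reported in this thread.

```python
"""Added example (not ESET's or the KB's code): model the 'Deny child processes
from Office' HIPS rule as a block/allow decision over process-creation events.
Assumption: the rule matches parent and child by full image path, case-insensitively."""
import ntpath
from dataclasses import dataclass

PROGRAM_FILES = (r"C:\Program Files", r"C:\Program Files (x86)")
OFFICE_EXES = ("WINWORD.EXE", "OUTLOOK.EXE", "EXCEL.EXE", "POWERPNT.EXE")


def office_source_apps(version_subdir):
    """Build the Source applications entries for one Office version under both
    Program Files roots, as the KB asks you to repeat per installed version."""
    return [ntpath.join(pf, "Microsoft Office", version_subdir, exe)
            for pf in PROGRAM_FILES for exe in OFFICE_EXES]


SOURCE_APPS_2013 = office_source_apps("Office15")          # the KB's 2013 list
SOURCE_APPS_2016 = office_source_apps(r"Root\Office16")    # 2016 per the KB note

# Child processes the rule denies: the corrected list from the KB.
TARGET_APPS = [
    r"C:\Windows\System32\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe",
    r"C:\Windows\System32\wscript.exe", r"C:\Windows\SysWOW64\wscript.exe",
    r"C:\Windows\System32\cscript.exe", r"C:\Windows\SysWOW64\cscript.exe",
    r"C:\Windows\System32\ntvdm.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\SysWOW64\regsvr32.exe",
    r"C:\Windows\System32\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
]
KNOWN_CHILD_NAMES = {ntpath.basename(p) for p in TARGET_APPS}


def norm(path):
    """Comparison key with Windows semantics: lower-case, backslashes, no '..'."""
    return ntpath.normcase(ntpath.normpath(path))


@dataclass
class ProcessEvent:
    """One process-creation record (Sysmon Event ID 1 style), constructed."""
    parent_image: str
    image: str


def decide(event, source_apps, target_apps=TARGET_APPS):
    """'BLOCK' when a listed Office binary starts a listed child, else 'ALLOW'."""
    sources = {norm(p) for p in source_apps}
    targets = {norm(p) for p in target_apps}
    if norm(event.parent_image) in sources and norm(event.image) in targets:
        return "BLOCK"
    return "ALLOW"


def unmatchable_entries(entries, known_names=KNOWN_CHILD_NAMES):
    """Entries whose file name is not one of the expected child executables.
    A mistyped path never matches a real process, so the rule silently does
    nothing for that child; this catches 'tvdm.exe'-style typos in a rule."""
    known = {n.lower() for n in known_names}
    return [e for e in entries if ntpath.basename(e).lower() not in known]


# Constructed sample events: parent image -> new image.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent(r"c:\program files (x86)\microsoft office\office15\excel.exe",
                 r"C:\Windows\SysWOW64\cmd.exe"),            # case differs, still matches
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe"),            # not an Office parent
    ProcessEvent(r"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe"),            # 2016 parent
]


def evaluate(events, source_apps):
    """Decision per event, in order, for the given source-application list."""
    return [decide(e, source_apps) for e in events]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS, SOURCE_APPS_2013)):
        print(f"{verdict:5} {ntpath.basename(ev.parent_image)} -> {ntpath.basename(ev.image)}")
    # The 2016 parent is only caught once the Office16 entries are added.
    print(evaluate(SAMPLE_EVENTS, SOURCE_APPS_2013 + SOURCE_APPS_2016))
    # Constructed 'as published' entries with a mistyped file name.
    print(unmatchable_entries([r"C:\Windows\System32\tvdm.exe",
                               r"C:\Windows\System32\cmd.exe"]))
```

Two points the model makes visible: a rule built only from the Office15 list lets an Office16 parent through until the extra entries are added, and a child that is not on the target list (or whose path is mistyped) is never blocked, so the rule is an allow-by-default control whose coverage is exactly its list.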
foneil (342, ESET Moderators), posted February 4, 2020

    8 hours ago, itman said:
    Finally, if one insists on enabling macros in Office apps, I would strongly recommend that the following HIPS rule be created on all endpoint devices. This rule will block all script executables from being spawned from an Office app. Refer to the rule details given in this ESET KB article section. Note I duplicated the entire article section because there are "typos" in the article:
    https://support.eset.com/en/kb6119-configure-hips-rules-for-eset-business-products-to-protect-against-ransomware#

Thanks itman, there are some HTML errors in kb6119 that we'll fix.
itman (1,752), posted February 4, 2020

    54 minutes ago, foneil said:
    Thanks itman, there are some HTML errors in kb6119 that we'll fix.

Actually, the HTML errors are not what I am referring to. A few of the noted "Application" processes are missing the leading character on the .exe prefix, e.g.:

    C:\Windows\System32\tvdm.exe - should be C:\Windows\System32\ntvdm.exe
    C:\Windows\System32\egsvr32.exe - should be C:\Windows\System32\regsvr32.exe
    C:\Windows\SysWOW64\egsvr32.exe - should be C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\System32\undll32.exe - should be C:\Windows\System32\rundll32.exe
    C:\Windows\SysWOW64\undll32.exe - should be C:\Windows\SysWOW64\rundll32.exe

Check the entire article for references to the above.
foneil (342, ESET Moderators), posted February 10, 2020

    On 2/4/2020 at 3:45 PM, itman said:
    Actually, the HTML errors are not what I am referring to. A few of the noted "Application" processes are missing the leading character on the .exe prefix, e.g.:
        C:\Windows\System32\tvdm.exe - should be C:\Windows\System32\ntvdm.exe
        C:\Windows\System32\egsvr32.exe - should be C:\Windows\System32\regsvr32.exe
        C:\Windows\SysWOW64\egsvr32.exe - should be C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\System32\undll32.exe - should be C:\Windows\System32\rundll32.exe
        C:\Windows\SysWOW64\undll32.exe - should be C:\Windows\SysWOW64\rundll32.exe
    Check the entire article for references to the above.

Thanks again, that KB has been fixed.