Jump to content

[Threat] VBA/TrojanDownloader.Agent.MUV

pronto

By pronto
in ESET Products for Windows Servers

 Share

Recommended Posts

itman

itman 1,659

Posted
Posted (edited)

Finally if one insists on enabling macros in Office apps, I would strongly recommend that the following HIPS rule be created on all endpoint devices. This rule will block all script executables from being spawned from an Office app.

Refer the the rule details given in this Eset KB article section. Note I duplicated the entire article section because there are "typo's" in the article:

Quote

III. Deny child processes from Office 2013/2016 processes

  1. In the HIPS rules window, click Add

KB6119Figure3-1.png

Figure 3-1

  1. Type “Deny child processes from Office 2013 processes” into the Rule name field.
     
  2. From the Action drop-down menu, select Block.

    Enable the following options:

    • Applications
    • Enabled
    • Logging severity (warning)
    • Notify user

Click Next

KB6119Figure3-2b.png

Figure 3-2

  1. In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Program Files\Microsoft Office\Office15\WINWORD.EXE
    • C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE
    • C:\Program Files\Microsoft Office\Office15\EXCEL.EXE
    • C:\Program Files\Microsoft Office\Office15\POWERPNT.EXE
    • C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE
    • C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE
    • C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE
    • C:\Program Files (x86)\Microsoft Office\Office15\POWERPNT.EXE

Click Next

KB6119Figure3-3B.png

Figure 3-3

  1. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.

KB6119Figure3-4.png

Figure 3-4

  1. In the Applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Windows\System32\cmd.exe
    • C:\Windows\SysWOW64\cmd.exe
    • C:\Windows\System32\wscript.exe
    • C:\Windows\SysWOW64\wscript.exe
    • C:\Windows\System32\cscript.exe
    • C:\Windows\SysWOW64\cscript.exe
    • C:\Windows\System32\ntvdm.exe
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    • C:\Windows\System32\regsvr32.exe
    • C:\Windows\SysWOW64\regsvr32.exe
    • C:\Windows\System32\rundll32.exe
    • C:\Windows\SysWOW64\rundll32.exe

Add additional Office versions as needed, repeating the same instructions as above.

  • 2016 = Office16 (C:\Program Files (x86)\Microsoft Office\Root\Office16\...)
  • 2010 = Office14

Click Finish.

KB6119Figure3-5.png

Figure 3-5

 

https://support.eset.com/en/kb6119-configure-hips-rules-for-eset-business-products-to-protect-against-ransomware#

 

 

Edited by itman
Link to comment
Share on other sites
  • ESET Moderators
foneil

foneil 342

Posted
  • ESET Moderators
Posted
8 hours ago, itman said:

Finally if one insists on enabling macros in Office apps, I would strongly recommend that the following HIPS rule be created on all endpoint devices. This rule will block all script executables from being spawned from an Office app.

Refer the the rule details given in this Eset KB article section. Note I duplicated the entire article section because there are "typo's" in the article:

https://support.eset.com/en/kb6119-configure-hips-rules-for-eset-business-products-to-protect-against-ransomware#

 

 

Thanks itman, there are some html errors in kb6119 that we'll fix. 

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted
54 minutes ago, foneil said:

Thanks itman, there are some html errors in kb6119 that we'll fix. 

Actually, the html errors are not what I am referring to. A few of the noted "Application" processes are missing the leading character on the .exe prefix; e.g.

  • C:\Windows\System32\tvdm.exe - should be C:\Windows\System32\ntvdm.exe
  • C:\Windows\System32\egsvr32.exe  - should be C:\Windows\System32\regsvr32.exe
  • C:\Windows\SysWOW64\egsvr32.exe  - should be C:\Windows\SysWOW64\regsvr32.exe
  • C:\Windows\System32\undll32.exe - should be C:\Windows\System32\rundll32.exe
  • C:\Windows\SysWOW64\undll32.exe - should be C:\Windows\SysWOW64\rundll32.exe

Check the entire article for references to the above.

Link to comment
Share on other sites
  • ESET Moderators
foneil

foneil 342

Posted
  • ESET Moderators
Posted
On 2/4/2020 at 3:45 PM, itman said:

Actually, the html errors are not what I am referring to. A few of the noted "Application" processes are missing the leading character on the .exe prefix; e.g.

  • C:\Windows\System32\tvdm.exe - should be C:\Windows\System32\ntvdm.exe
  • C:\Windows\System32\egsvr32.exe  - should be C:\Windows\System32\regsvr32.exe
  • C:\Windows\SysWOW64\egsvr32.exe  - should be C:\Windows\SysWOW64\regsvr32.exe
  • C:\Windows\System32\undll32.exe - should be C:\Windows\System32\rundll32.exe
  • C:\Windows\SysWOW64\undll32.exe - should be C:\Windows\SysWOW64\rundll32.exe

Check the entire article for references to the above.

Thanks again, that KB has been fixed. 

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...