pronto

[Threat] VBA/TrojanDownloader.Agent.MUV

Finally, if one insists on enabling macros in Office apps, I would strongly recommend that the following HIPS rule be created on all endpoint devices. This rule will block all script executables from being spawned from an Office app.

Refer to the rule details given in this Eset KB article section. Note I duplicated the entire article section because there are "typo's" in the article:

Quote

III. Deny child processes from Office 2013/2016 processes

  1. In the HIPS rules window, click Add.

Figure 3-1 (KB6119Figure3-1.png)

  2. Type “Deny child processes from Office 2013 processes” into the Rule name field.

  3. From the Action drop-down menu, select Block.

     Enable the following options:

     • Applications
     • Enabled
     • Logging severity (warning)
     • Notify user

     Click Next.

Figure 3-2 (KB6119Figure3-2b.png)

  4. In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
     • C:\Program Files\Microsoft Office\Office15\WINWORD.EXE
     • C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE
     • C:\Program Files\Microsoft Office\Office15\EXCEL.EXE
     • C:\Program Files\Microsoft Office\Office15\POWERPNT.EXE
     • C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE
     • C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE
     • C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE
     • C:\Program Files (x86)\Microsoft Office\Office15\POWERPNT.EXE

     Click Next.

Figure 3-3 (KB6119Figure3-3B.png)

  5. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.

Figure 3-4 (KB6119Figure3-4.png)

  6. In the Applications window, click Add and type in the following file names, clicking OK and then Add after each one:
     • C:\Windows\System32\cmd.exe
     • C:\Windows\SysWOW64\cmd.exe
     • C:\Windows\System32\wscript.exe
     • C:\Windows\SysWOW64\wscript.exe
     • C:\Windows\System32\cscript.exe
     • C:\Windows\SysWOW64\cscript.exe
     • C:\Windows\System32\ntvdm.exe
     • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
     • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
     • C:\Windows\System32\regsvr32.exe
     • C:\Windows\SysWOW64\regsvr32.exe
     • C:\Windows\System32\rundll32.exe
     • C:\Windows\SysWOW64\rundll32.exe

     Add additional Office versions as needed, repeating the same instructions as above.

     • 2016 = Office16 (C:\Program Files (x86)\Microsoft Office\Root\Office16\...)
     • 2010 = Office14

  7. Click Finish.

Figure 3-5 (KB6119Figure3-5.png)

 

https://support.eset.com/en/kb6119-configure-hips-rules-for-eset-business-products-to-protect-against-ransomware#

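As an added example (not code from the KB article or from anyone in this thread), the rule above expressed as a parent/child process check in Python, run over a few constructed process-creation events to show which spawns it would block. Assumptions: the 64-bit Office 2016 directory mirrors the x86 one the post gives, and matching is an exact, case-insensitive comparison of full paths, since the HIPS rule is built from full paths.

```python
"""Added example: evaluate process-creation events against the
'Deny child processes from Office' HIPS rule described in the thread."""
import ntpath

# Office install directories per version (2016 64-bit path is an assumption).
OFFICE_DIRS = {
    "2010": [r"C:\Program Files\Microsoft Office\Office14",
             r"C:\Program Files (x86)\Microsoft Office\Office14"],
    "2013": [r"C:\Program Files\Microsoft Office\Office15",
             r"C:\Program Files (x86)\Microsoft Office\Office15"],
    "2016": [r"C:\Program Files\Microsoft Office\Root\Office16",
             r"C:\Program Files (x86)\Microsoft Office\Root\Office16"],
}
OFFICE_APPS = ["WINWORD.EXE", "OUTLOOK.EXE", "EXCEL.EXE", "POWERPNT.EXE"]
# Target executables from the KB, using the corrected names (ntvdm, regsvr32, rundll32).
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\SysWOW64"]
SCRIPT_HOSTS = ["cmd.exe", "wscript.exe", "cscript.exe", "regsvr32.exe",
                "rundll32.exe", r"WindowsPowerShell\v1.0\powershell.exe"]

def source_apps():
    """Full, lowercased paths of every Office source application the rule names."""
    return {ntpath.join(d, a).lower()
            for dirs in OFFICE_DIRS.values() for d in dirs for a in OFFICE_APPS}

def target_apps():
    """Full, lowercased paths of the child executables the rule blocks."""
    targets = {ntpath.join(d, s).lower() for d in SYSTEM_DIRS for s in SCRIPT_HOSTS}
    targets.add(r"c:\windows\system32\ntvdm.exe")  # KB lists the System32 copy only
    return targets

def rule_blocks(parent_image, child_image):
    """True when 'Start new application' from an Office source would be denied."""
    return parent_image.lower() in source_apps() and child_image.lower() in target_apps()

def evaluate(events):
    """Tag each (parent, child) event with the rule's verdict."""
    return [(p, c, rule_blocks(p, c)) for p, c in events]

# Constructed sample events (parent image, child image), not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE", r"C:\Windows\System32\cmd.exe"),
    (r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"),
    (r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE", r"C:\Windows\System32\notepad.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for parent, child, blocked in evaluate(SAMPLE_EVENTS):
        print("BLOCK" if blocked else "allow", ntpath.basename(parent), "->", ntpath.basename(child))
```

Because the rule matches full paths, an Office installation in a non-default directory is not covered; the source list must match the actual install location on each endpoint.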
8 hours ago, itman said:

Finally, if one insists on enabling macros in Office apps, I would strongly recommend that the following HIPS rule be created on all endpoint devices. This rule will block all script executables from being spawned from an Office app.

Refer to the rule details given in this Eset KB article section. Note I duplicated the entire article section because there are "typo's" in the article:

https://support.eset.com/en/kb6119-configure-hips-rules-for-eset-business-products-to-protect-against-ransomware#

Thanks itman, there are some HTML errors in KB6119 that we'll fix.

54 minutes ago, foneil said:

Thanks itman, there are some HTML errors in KB6119 that we'll fix.

Actually, the html errors are not what I am referring to. A few of the noted "Application" processes are missing the leading character on the .exe prefix; e.g.

  • C:\Windows\System32\tvdm.exe - should be C:\Windows\System32\ntvdm.exe
  • C:\Windows\System32\egsvr32.exe  - should be C:\Windows\System32\regsvr32.exe
  • C:\Windows\SysWOW64\egsvr32.exe  - should be C:\Windows\SysWOW64\regsvr32.exe
  • C:\Windows\System32\undll32.exe - should be C:\Windows\System32\rundll32.exe
  • C:\Windows\SysWOW64\undll32.exe - should be C:\Windows\SysWOW64\rundll32.exe

Check the entire article for references to the above.

On 2/4/2020 at 3:45 PM, itman said:

Actually, the html errors are not what I am referring to. A few of the noted "Application" processes are missing the leading character on the .exe prefix; e.g.

  • C:\Windows\System32\tvdm.exe - should be C:\Windows\System32\ntvdm.exe
  • C:\Windows\System32\egsvr32.exe  - should be C:\Windows\System32\regsvr32.exe
  • C:\Windows\SysWOW64\egsvr32.exe  - should be C:\Windows\SysWOW64\regsvr32.exe
  • C:\Windows\System32\undll32.exe - should be C:\Windows\System32\rundll32.exe
  • C:\Windows\SysWOW64\undll32.exe - should be C:\Windows\SysWOW64\rundll32.exe

Check the entire article for references to the above.

Thanks again, that KB has been fixed.
