Jump to content

Block ransomware behavior automatically

Lockbits
 Share
Go to solution Solved by dmaasland,

Recommended Posts

Lockbits

Lockbits 10

Posted
Posted

Hello guys,

Can you help us? We're trying to create an EEI rule to block any executable that triggers the following rules:

Filecoder behavior [M0601]

Filecoder behavior [Z0601]

And others.

Thank you.

Link to comment
Share on other sites
  • Most Valued Members
Nightowl

Nightowl 202

Posted
  • Most Valued Members
Posted
8 hours ago, Lockbits said:

Hello guys,

Can you help us? We're trying to create an EEI rule to block any executable that triggers the following rules:

Filecoder behavior [M0601]

Filecoder behavior [Z0601]

And others.

Thank you.

Here it's described how to configure HIPS to block Filecoder attempts :

https://support.eset.com/en/kb6119-configure-hips-rules-for-eset-business-products-to-protect-against-ransomware

Link to comment
Share on other sites
  • Solution
dmaasland

dmaasland 2

Posted
  • Solution
Posted (edited)

You can add an action to a rule. If you want to edit a built-in rule, duplicate it first. Then, add the desired action to it:

 

Quote

actions

allow to block an executable immediately after rule triggering. Action names are:
· TriggerDetection—if no actions specified in the actions tag field, this action is executed by default, and the detection is
triggered in EEI. If other actions are specified, and the user still wants to trigger detection, this action has to be added
· MarkAsScript—marks an executable as script
· MarkAsCompromised—the process triggering the rule, will be marked as compromised. This status is visible in the
process details view in web console.
· HideCommandLine—removes command line string from a process
· BlockProcessExecutable—blocks a process hash (ban hash via the rule, only if not trusted or LiveGrid® info is missing)
· CleanAndBlockProcessExecutable—cleans and blocks a process hash (only if not trusted or LiveGrid® info is missing)
· BlockParentProcessExecutable—blocks a parent process hash (only if not trusted or LiveGrid® info is missing)
· CleanAndBlockParentProcessExecutable—cleans and blocks a parent process hash (only if not trusted or LiveGrid® info is
missing)
· IsolateFromNetwork—isolates the computer from network
· DropEvent—drops an event which triggered the rule
Actions can be put into single action element:
<action name=”BlockProcessExecutable”/>
or be stacked in actions element (this approach shows a hint, what can be put in a place of the name):
<actions>
<action name="BlockProcessExecutable"/>

</actions>
Multiple actions can be invoked from a single rule

 

The action you're looking for would be "BlockProcessExecutable" or "CleanAndBlockProcessExecutable". Check out page 6 in the EEI rule guide: https://help.eset.com/tools/eei/eei_rules_guide_1.6.pdf

 

Don't forget to also specify the "TriggerDetection". This is the default action if no action is specified, but gets overwritten as soon as you specify your custom action. This causes the rule to not create a detection but only block the executable if you don't add that action as well.

Edited by dmaasland
Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...