Block ransomware behavior automatically


Go to solution Solved by dmaasland,

Recommended Posts

Hello guys,

Can you help us? We're trying to create an EEI rule to block any executable that triggers the following rules:

Filecoder behavior [M0601]

Filecoder behavior [Z0601]

And others.

Thank you.

8 hours ago, Lockbits said:

Hello guys,

Can you help us? We're trying to create an EEI rule to block any executable that triggers the following rules:

Filecoder behavior [M0601]

Filecoder behavior [Z0601]

And others.

Thank you.

Here is a description of how to configure HIPS to block Filecoder attempts:

https://support.eset.com/en/kb6119-configure-hips-rules-for-eset-business-products-to-protect-against-ransomware

Solution

You can add an action to a rule. If you want to edit a built-in rule, duplicate it first. Then, add the desired action to it:

 

Quote

actions

allow to block an executable immediately after rule triggering. Action names are:
· TriggerDetection—if no actions specified in the actions tag field, this action is executed by default, and the detection is
triggered in EEI. If other actions are specified, and the user still wants to trigger detection, this action has to be added
· MarkAsScript—marks an executable as script
· MarkAsCompromised—the process triggering the rule, will be marked as compromised. This status is visible in the
process details view in web console.
· HideCommandLine—removes command line string from a process
· BlockProcessExecutable—blocks a process hash (ban hash via the rule, only if not trusted or LiveGrid® info is missing)
· CleanAndBlockProcessExecutable—cleans and blocks a process hash (only if not trusted or LiveGrid® info is missing)
· BlockParentProcessExecutable—blocks a parent process hash (only if not trusted or LiveGrid® info is missing)
· CleanAndBlockParentProcessExecutable—cleans and blocks a parent process hash (only if not trusted or LiveGrid® info is
missing)
· IsolateFromNetwork—isolates the computer from network
· DropEvent—drops an event which triggered the rule
Actions can be put into single action element:
<action name=”BlockProcessExecutable”/>
or be stacked in actions element (this approach shows a hint, what can be put in a place of the name):
<actions>
<action name="BlockProcessExecutable"/>

</actions>
Multiple actions can be invoked from a single rule


The action you're looking for would be "BlockProcessExecutable" or "CleanAndBlockProcessExecutable". Check out page 6 in the EEI rule guide: https://help.eset.com/tools/eei/eei_rules_guide_1.6.pdf

Don't forget to also specify "TriggerDetection". This is the default action if no action is specified, but it gets overwritten as soon as you specify your custom action. If you don't add that action as well, the rule will only block the executable and not create a detection.

Edited by dmaasland
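As an added example (not from this thread or from ESET's documentation), a small Python lint that applies the caveat above to the actions part of a rule: it flags a rule whose actions omit TriggerDetection, an action name that is not in the quoted list, and XML that fails to parse because of smart quotes. The `<rule>` wrapper and the omitted rule definition are constructed assumptions; only the `<actions>`/`<action name="..."/>` syntax and the action names come from the quoted guide.

```python
"""Lint the <actions> element of EEI rule XML (constructed example, not ESET code).
Encodes the caveat from the thread: once any action is listed, TriggerDetection
is no longer implied, so a rule listing only BlockProcessExecutable blocks silently."""
import xml.etree.ElementTree as ET

# Action names exactly as listed in the quoted EEI rules guide excerpt.
KNOWN_ACTIONS = frozenset({
    "TriggerDetection", "MarkAsScript", "MarkAsCompromised", "HideCommandLine",
    "BlockProcessExecutable", "CleanAndBlockProcessExecutable",
    "BlockParentProcessExecutable", "CleanAndBlockParentProcessExecutable",
    "IsolateFromNetwork", "DropEvent",
})


def rule_actions(rule_xml: str) -> list[str]:
    """Return action names from a single <action/> or a stacked <actions> element."""
    root = ET.fromstring(rule_xml)
    # iter() includes the root itself, so a bare <action .../> is handled too.
    return [a.get("name", "") for a in root.iter("action")]


def lint_actions(rule_xml: str) -> list[str]:
    """Return findings about the rule's actions; an empty list means no issue."""
    try:
        names = rule_actions(rule_xml)
    except ET.ParseError as exc:
        # Smart quotes around attribute values (name=”X”) are a common paste error.
        return [f"XML does not parse ({exc}); check the quotes around attribute values"]
    findings = [f"unknown action '{n}' (check spelling)"
                for n in names if n not in KNOWN_ACTIONS]
    # No actions at all: TriggerDetection applies by default, nothing to flag.
    if names and "TriggerDetection" not in names:
        findings.append("TriggerDetection missing: the rule acts but raises no detection")
    return findings


# Constructed rule skeletons; the <rule> wrapper is an assumption and the rule
# definition is omitted, only the actions block matters here.
SILENT_BLOCK = '<rule><actions><action name="BlockProcessExecutable"/></actions></rule>'
BLOCK_WITH_DETECTION = ('<rule><actions><action name="TriggerDetection"/>'
                        '<action name="CleanAndBlockProcessExecutable"/></actions></rule>')
SMART_QUOTES = '<rule><action name=”BlockProcessExecutable”/></rule>'

if __name__ == "__main__":
    for label, xml in [("silent", SILENT_BLOCK), ("ok", BLOCK_WITH_DETECTION), ("quotes", SMART_QUOTES)]:
        print(label, lint_actions(xml) or ["no findings"])
```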