Lockbits (Posted June 9, 2021)

Hello guys,

Can you help us? We're trying to create an EEI rule to block any executable that triggers the following rules:

· Filecoder behavior [M0601]
· Filecoder behavior [Z0601]
· And others.

Thank you.
Nightowl, Most Valued Member (Posted June 10, 2021)

Quote (Lockbits, 8 hours ago): Hello guys, can you help us? We're trying to create an EEI rule to block any executable that triggers the following rules: Filecoder behavior [M0601], Filecoder behavior [Z0601] and others. Thank you.

Here it's described how to configure HIPS to block Filecoder attempts: https://support.eset.com/en/kb6119-configure-hips-rules-for-eset-business-products-to-protect-against-ransomware
dmaasland (Posted June 15, 2021, edited) [Solution]

You can add an action to a rule. If you want to edit a built-in rule, duplicate it first. Then, add the desired action to it:

Quote:

Actions allow blocking an executable immediately after a rule triggers. Action names are:

· TriggerDetection: if no actions are specified in the actions tag field, this action is executed by default, and the detection is triggered in EEI. If other actions are specified and the user still wants to trigger detection, this action has to be added.
· MarkAsScript: marks an executable as a script.
· MarkAsCompromised: the process triggering the rule will be marked as compromised. This status is visible in the process details view in the web console.
· HideCommandLine: removes the command line string from a process.
· BlockProcessExecutable: blocks a process hash (bans the hash via the rule, only if not trusted or LiveGrid® info is missing).
· CleanAndBlockProcessExecutable: cleans and blocks a process hash (only if not trusted or LiveGrid® info is missing).
· BlockParentProcessExecutable: blocks a parent process hash (only if not trusted or LiveGrid® info is missing).
· CleanAndBlockParentProcessExecutable: cleans and blocks a parent process hash (only if not trusted or LiveGrid® info is missing).
· IsolateFromNetwork: isolates the computer from the network.
· DropEvent: drops the event which triggered the rule.

Actions can be put into a single action element:

    <action name="BlockProcessExecutable"/>

or be stacked in an actions element (this approach shows a hint of what can be put in place of the name):

    <actions>
      <action name="BlockProcessExecutable"/>
      …
    </actions>

Multiple actions can be invoked from a single rule.

The action you're looking for would be "BlockProcessExecutable" or "CleanAndBlockProcessExecutable". Check out page 6 in the EEI rule guide: https://help.eset.com/tools/eei/eei_rules_guide_1.6.pdf

Don't forget to also specify "TriggerDetection". This is the default action if no action is specified, but it gets overwritten as soon as you specify your custom action. This causes the rule to not create a detection but only block the executable if you don't add that action as well.

Edited June 15, 2021 by dmaasland
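The pitfall dmaasland describes (adding a custom action silently drops the implicit TriggerDetection) is easy to check for before importing a duplicated rule. The script below is an added example, not code from the thread or from ESET: it takes a rule's XML, appends the requested block action plus TriggerDetection to the `<actions>` element, and flags rules whose action list would block without raising a detection. It assumes only what the quoted guide shows: a `<rule>` root with an optional `<actions>` child holding `<action name="..."/>` elements; the `<definition>` body in the sample is a constructed placeholder, not the content of any real built-in rule, and the action-name list is the one quoted from the guide above.

```python
import xml.etree.ElementTree as ET

# Action names as listed in the EEI rules guide quoted in the thread.
KNOWN_ACTIONS = {
    "TriggerDetection", "MarkAsScript", "MarkAsCompromised", "HideCommandLine",
    "BlockProcessExecutable", "CleanAndBlockProcessExecutable",
    "BlockParentProcessExecutable", "CleanAndBlockParentProcessExecutable",
    "IsolateFromNetwork", "DropEvent",
}

# Constructed sample: a duplicated rule with no <actions> element yet, so the
# implicit TriggerDetection default still applies. The <definition> content is a
# placeholder (assumed layout), not the body of a real Filecoder rule.
SAMPLE_RULE = """<rule>
  <definition>
    <!-- placeholder: conditions copied from the duplicated built-in rule go here -->
  </definition>
</rule>"""


def list_actions(rule_xml: str) -> list[str]:
    """Return the action names currently declared in the rule, in order."""
    root = ET.fromstring(rule_xml)
    actions = root.find("actions")
    if actions is None:
        return []
    return [a.get("name", "") for a in actions.findall("action")]


def add_actions(rule_xml: str, *names: str, keep_detection: bool = True) -> str:
    """Append the given actions to <actions>, creating the element if needed.

    Specifying any action replaces the implicit TriggerDetection default, so
    TriggerDetection is re-added unless keep_detection=False. Unknown action
    names are rejected and duplicates are not added twice.
    """
    for n in names:
        if n not in KNOWN_ACTIONS:
            raise ValueError(f"unknown EEI action: {n}")
    root = ET.fromstring(rule_xml)
    actions = root.find("actions")
    if actions is None:
        actions = ET.SubElement(root, "actions")
    present = {a.get("name") for a in actions.findall("action")}
    wanted = list(names)
    if keep_detection:
        wanted.append("TriggerDetection")
    for n in wanted:
        if n not in present:
            ET.SubElement(actions, "action", name=n)
            present.add(n)
    return ET.tostring(root, encoding="unicode")


def check_rule(rule_xml: str) -> list[str]:
    """Return review warnings for a rule's action list before it is imported."""
    warnings = []
    names = list_actions(rule_xml)
    if names and "TriggerDetection" not in names:
        warnings.append("custom actions present but TriggerDetection missing: "
                        "rule will block without creating a detection")
    for n in names:
        if n not in KNOWN_ACTIONS:
            warnings.append(f"unknown action name: {n}")
    blocking = {"BlockProcessExecutable", "CleanAndBlockProcessExecutable"}
    if len(blocking & set(names)) > 1:
        warnings.append("both Block and CleanAndBlock specified; choose one")
    return warnings


if __name__ == "__main__":
    fixed = add_actions(SAMPLE_RULE, "BlockProcessExecutable")
    print(fixed)
    print("warnings:", check_rule(fixed))
    silent = add_actions(SAMPLE_RULE, "BlockProcessExecutable", keep_detection=False)
    print("warnings:", check_rule(silent))
```

Run `check_rule` over any duplicated rule whose actions you edited by hand: a non-empty action list without TriggerDetection is exactly the "blocks but never alerts" configuration the post warns about, and it is worth catching before the rule reaches the console.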
Lockbits, Author (Posted June 16, 2021)

Thank you very much for the information, @dmaasland