Issue                    

  • Configure additional ESET Remote Administrator (6.3 and later) Firewall rules to protect against Filecoder (ransomware) malware

Solution

With ESET default settings, if malicious code with a dropper is executed, ESET Endpoint Security will prevent the download of the malware with the integrated Firewall.

To further help prevent ransomware malware on your Windows systems with ESET Endpoint Security, create the following additional policy rules in ESET Remote Administrator version 6.3 or later:

Do not adjust policies on production systems

  1. Open ESET Remote Administrator Web Console (ERA Web Console) in your web browser and log in. How do I open ERA Web Console?

  2. Click Admin > Policies, select the Agent policy being applied to your server(s) (your default parent policy) and then click Policies > Edit.

    Alternatively, you can create a new policy in ESET Remote Administrator (6.x).

  3. Expand Settings > Personal Firewall and verify that Enable Botnet protection is enabled.

Figure 1-1

    Click Edit next to Rules.

Figure 1-2

  4. In the Firewall rules window, click Add.

  5. Under the General tab, type the following rule name into the Name field:

    Deny network connections for cmd.exe (native)

  6. Use the following configuration for the rule:
    1. From the Direction drop-down menu, select Both.
    2. From the Action drop-down menu, select Deny.
    3. From the Protocol drop-down menu, select Any.
    4. From the Profile drop-down menu, select Any profile.

Figure 1-3

  7. Click the Local tab and in the Application field, type in the following file path:

    C:\Windows\System32\cmd.exe

Figure 1-4

  8. Click OK, click Add, and then repeat steps 5 – 7 to create the following list of rules:
    1. Name: Deny network connections for cmd.exe (SysWOW64)
       Application: C:\Windows\SysWOW64\cmd.exe
    2. Name: Deny network connections for wscript.exe (native)
       Application: C:\Windows\System32\wscript.exe
    3. Name: Deny network connections for wscript.exe (SysWOW64)
       Application: C:\Windows\SysWOW64\wscript.exe
    4. Name: Deny network connections for cscript.exe (native)
       Application: C:\Windows\System32\cscript.exe
    5. Name: Deny network connections for cscript.exe (SysWOW64)
       Application: C:\Windows\SysWOW64\cscript.exe
    6. Name: Deny network connections for powershell.exe (native)
       Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    7. Name: Deny network connections for powershell.exe (SysWOW64)
       Application: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    8. Name: Deny network connections for ntvdm.exe
       Application: C:\Windows\System32\ntvdm.exe
    9. Name: Deny network connections for regsvr.exe (native)
       Application: C:\Windows\System32\regsvr.exe
    10. Name: Deny network connections for regsvr.exe (SysWOW64)
        Application: C:\Windows\SysWOW64\regsvr.exe
    11. Name: Deny network connections for rundll32.exe (native)
        Application: C:\Windows\System32\rundll32.exe
    12. Name: Deny network connections for rundll32.exe (SysWOW64)
        Application: C:\Windows\SysWOW64\rundll32.exe

  9. Click OK and then click Finish when you have finished adding all rules.

Figure 1-5

The policy settings described above are additional configurations; the specific settings needed for your security environment may vary. We recommend that you test the settings for each implementation in a test environment before using them in a production environment.
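As an added example (not part of the ESET article), the PowerShell check below can be run on a representative test endpoint before the policy is pushed: it confirms that each Application path in the rule list exists on that Windows build, and lists any TCP connections currently owned by those binaries, which the Deny rules would cut off. Run it from 64-bit PowerShell on 64-bit Windows, otherwise file-system redirection maps System32 to SysWOW64; the function names are my own.

```powershell
# Added example, not from the ESET article. Pre-deployment check for the rule list above:
# (1) does each Application path exist on this Windows build, and
# (2) which of those binaries currently hold TCP connections that the Deny rules would break.
$rulePaths = @(
  'C:\Windows\System32\cmd.exe',
  'C:\Windows\SysWOW64\cmd.exe',
  'C:\Windows\System32\wscript.exe',
  'C:\Windows\SysWOW64\wscript.exe',
  'C:\Windows\System32\cscript.exe',
  'C:\Windows\SysWOW64\cscript.exe',
  'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
  'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe',
  'C:\Windows\System32\ntvdm.exe',
  'C:\Windows\System32\regsvr.exe',
  'C:\Windows\SysWOW64\regsvr.exe',
  'C:\Windows\System32\rundll32.exe',
  'C:\Windows\SysWOW64\rundll32.exe'
)

function Test-RulePaths {
  # One row per rule path; Exists = False means the rule would match nothing on this build.
  param([string[]]$Paths)
  foreach ($p in $Paths) {
    [pscustomobject]@{
      Application = $p
      Exists      = Test-Path -LiteralPath $p -PathType Leaf
    }
  }
}

function Get-RuleBinaryConnections {
  # TCP connections whose owning process image is one of the rule paths (case-insensitive).
  param([string[]]$Paths)
  $wanted = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
  $Paths | ForEach-Object { [void]$wanted.Add($_) }
  foreach ($c in Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    if ($proc -and $proc.Path -and $wanted.Contains($proc.Path)) {
      [pscustomobject]@{
        Process       = $proc.ProcessName
        Application   = $proc.Path
        RemoteAddress = $c.RemoteAddress
        RemotePort    = $c.RemotePort
        State         = $c.State
      }
    }
  }
}

Test-RulePaths -Paths $rulePaths | Format-Table -AutoSize
Get-RuleBinaryConnections -Paths $rulePaths | Format-Table -AutoSize
```

ntvdm.exe is present only on 32-bit Windows and the SysWOW64 paths only on 64-bit Windows, so some rows reporting Exists = False are expected. Any connections reported for powershell.exe, cscript.exe or wscript.exe point at legitimate scripts that will stop working once the rules apply and should be reviewed before deployment.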