Issue

  • Configure additional ESET Remote Administrator (6.3 and later) HIPS rules in the following ESET products to protect against Filecoder (ransomware) malware
    • ESET Endpoint Security
    • ESET Endpoint Antivirus
    • ESET Mail Security for Microsoft Exchange
    • ESET File Security for Microsoft Windows Server

Details

ESET's Host-based Intrusion Prevention System (HIPS) is included in ESET Endpoint Security, ESET Endpoint Antivirus, ESET Mail Security for Microsoft Exchange, and ESET File Security for Microsoft Windows Server. HIPS monitors system activity and uses a pre-defined set of rules to recognize suspicious system behavior. When this type of activity is identified, the HIPS self-defense mechanism stops the offending program or process from carrying out potentially harmful activity. Changes to the Enable HIPS and Enable Self-defense settings take effect after the Windows operating system is restarted.

Prohibiting the standard execution of JavaScript and other scripts prevents ransomware that arrives through such scripts from downloading or executing.

Solution

To further help prevent ransomware malware on your Windows systems, create the following policy rules in ESET Remote Administrator version 6.3 or later:

Do not adjust policies on production systems

The following policy settings are additional configurations and the specific settings needed for your security environment may vary. We recommend that you test the settings for each implementation in a test environment before using them in a production environment.


  1. Open ESET Remote Administrator Web Console (ERA Web Console) in your web browser and log in.

  2. Click Admin > Policies, select the Agent policy being applied to your server(s) (your default parent policy) and then click Policies > Edit.

    Alternatively, you can create a new policy in ESET Remote Administrator (6.x).

  3. Expand Settings > Antivirus, click HIPS and then click Edit next to Rules.


 

I. Deny processes from script executables


  1. Click Add and type “Deny child processes from script executables” into the Rule name field.

  2. From the Action drop-down menu, select Block.

    Enable the following options:

    • Applications
    • Enabled
    • Logging severity (Warning)
    • Notify user

Figure 1-2

  3. Click Next and in the Source applications window, click Add and type in the following names, clicking OK and then Add after each one:
    • C:\Windows\System32\wscript.exe
    • C:\Windows\System32\cscript.exe
    • C:\Windows\SysWOW64\wscript.exe
    • C:\Windows\SysWOW64\cscript.exe
    • C:\Windows\System32\ntvdm.exe

Figure 1-3

  4. Click Next, click the slider bar next to Start new application to enable it and then click Next.

Figure 1-4

  5. Select All applications from the drop-down menu and click Finish.

Figure 1-5

Leave the HIPS rules window open and continue to the next section. 


II. Deny script processes started by explorer


  1. In the HIPS rules window, click Add.

Figure 2-1

  2. Type “Deny script processes started by explorer” into the Rule name field.

  3. From the Action drop-down menu, select Block.

    Enable the following options:
    • Applications
    • Enabled
    • Logging severity (Warning)
    • Notify user

Click Next

Figure 2-2

  4. In the Source applications window, click Add, type “C:\Windows\explorer.exe” into the Specify file path field and then click OK. Click Next.

Figure 2-3

  5. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.

Figure 2-4

  6. In the Applications window, click Add and type in the following process names, clicking OK and then Add after each one:
    • C:\Windows\System32\wscript.exe
    • C:\Windows\System32\cscript.exe
    • C:\Windows\SysWOW64\wscript.exe
    • C:\Windows\SysWOW64\cscript.exe

Click Finish

Figure 2-5

Leave the HIPS rules window open and continue to the next section. 


III. Deny child processes from Office 2013/2016 processes

  1. In the HIPS rules window, click Add

Figure 3-1

  2. Type “Deny child processes from Office 2013 processes” into the Rule name field.

  3. From the Action drop-down menu, select Block.

    Enable the following options:

    • Applications
    • Enabled
    • Logging severity (warning)
    • Notify user

Click Next

Figure 3-2

  4. In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Program Files\Microsoft Office\Office15\WINWORD.EXE
    • C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE
    • C:\Program Files\Microsoft Office\Office15\EXCEL.EXE
    • C:\Program Files\Microsoft Office\Office15\POWERPNT.EXE
    • C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE
    • C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE
    • C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE
    • C:\Program Files (x86)\Microsoft Office\Office15\POWERPNT.EXE

Click Next

Figure 3-3

  5. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.

Figure 3-4

  6. In the Applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Windows\System32\cmd.exe
    • C:\Windows\SysWOW64\cmd.exe
    • C:\Windows\System32\wscript.exe
    • C:\Windows\SysWOW64\wscript.exe
    • C:\Windows\System32\cscript.exe
    • C:\Windows\SysWOW64\cscript.exe
    • C:\Windows\System32\ntvdm.exe
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    • C:\Windows\System32\regsvr32.exe
    • C:\Windows\SysWOW64\regsvr32.exe
    • C:\Windows\System32\rundll32.exe
    • C:\Windows\SysWOW64\rundll32.exe

Add additional Office versions as needed, repeating the same instructions as above and replacing the Office15 folder name with the one for that version:

  • Office 2016 = Office16
  • Office 2010 = Office14

Click Finish.

Figure 3-5

Leave the HIPS rules window open and continue to the next section. 

IV. Deny child processes for regsvr32.exe

  1. In the HIPS rules window, click Add

Figure 4-1

  2. Type “Deny child processes for regsvr32.exe” into the Rule name field.

  3. From the Action drop-down menu, select Block.

    Enable the following options:

    • Applications
    • Enabled
    • Logging severity (warning)
    • Notify user

Click Next

Figure 4-2

  4. In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Windows\System32\regsvr32.exe
    • C:\Windows\SysWOW64\regsvr32.exe

Click Next

Figure 4-3

  5. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.

Figure 4-4

  6. In the Applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Windows\System32\cmd.exe
    • C:\Windows\SysWOW64\cmd.exe
    • C:\Windows\System32\wscript.exe
    • C:\Windows\SysWOW64\wscript.exe
    • C:\Windows\System32\cscript.exe
    • C:\Windows\SysWOW64\cscript.exe
    • C:\Windows\System32\ntvdm.exe
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Click Finish.

Figure 4-5

Leave the HIPS rules window open and continue to the next section. 


V. Deny child processes for mshta.exe

  1. In the HIPS rules window, click Add

Figure 5-1

  2. Type “Deny child processes for mshta.exe” into the Rule name field.

  3. From the Action drop-down menu, select Block.

    Enable the following options:
    • Applications
    • Enabled
    • Logging severity (warning)
    • Notify user

Click Next

Figure 5-2

  4. In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Windows\System32\mshta.exe
    • C:\Windows\SysWOW64\mshta.exe

Click Next.

Figure 5-3

  5. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.

Figure 5-4

  6. Select All applications from the drop-down menu and click Finish.

Figure 5-5

Leave the HIPS rules window open and continue to the next section.

VI. Deny child processes for rundll32.exe

  1. In the HIPS rules window, click Add

Figure 6-1

  2. Type “Deny child processes for rundll32.exe” into the Rule name field.

  3. From the Action drop-down menu, select Block.

    Enable the following options:
    • Applications
    • Enabled
    • Logging severity (warning)
    • Notify user

Click Next.

Figure 6-2

  4. In the Source applications window, click Add and type in the following file name:
    • C:\Windows\System32\rundll32.exe

Click OK and then click Next.

Figure 6-3

  5. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.

Figure 6-4

  6. In the Applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Windows\System32\cmd.exe
    • C:\Windows\SysWOW64\cmd.exe
    • C:\Windows\System32\wscript.exe
    • C:\Windows\SysWOW64\wscript.exe
    • C:\Windows\System32\cscript.exe
    • C:\Windows\SysWOW64\cscript.exe
    • C:\Windows\System32\ntvdm.exe
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Click Finish.

Figure 6-5

Leave the HIPS rules window open and continue to the next section. 

 

VII. Deny child processes for powershell.exe

  1. In the HIPS rules window, click Add.

Figure 7-1

  2. Type “Deny child processes for powershell.exe” into the Rule name field.

  3. From the Action drop-down menu, select Block.

    Enable the following options:
    • Applications
    • Enabled
    • Logging severity (warning)
    • Notify user

Click Next.

Figure 7-2

  4. In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Click Next

Figure 7-3

  5. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.

Figure 7-4

  6. Select All applications from the drop-down menu and click Finish.

Figure 7-5

  7. When finished adding HIPS rules, click Finish to save the policy settings.

Figure 7-6
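The seven rules above expressed as a small policy model, added here as an example (it is not ESET's code and not the console's export format): matching_rule returns the rule that blocks a given parent process starting a given child, and audit replays a list of parent/child pairs so the rule set can be checked in a test environment before it reaches production. Rule names, source paths and target paths are copied from the steps above; the sample events are constructed.

```python
# Added example, not ESET's code: the seven HIPS rules above modelled as
# (source process -> blocked child) pairs, plus a replay of constructed
# process-start events so the rule set can be checked in a lab first.
ANY = "*"  # the wizard's "All applications" choice for the target list
S32, W64 = r"C:\Windows\System32", r"C:\Windows\SysWOW64"
PS = r"\WindowsPowerShell\v1.0\powershell.exe"
SCRIPT_HOSTS = [S32 + r"\wscript.exe", S32 + r"\cscript.exe",
                W64 + r"\wscript.exe", W64 + r"\cscript.exe"]
LOLBINS = [S32 + r"\cmd.exe", W64 + r"\cmd.exe", *SCRIPT_HOSTS,   # rules IV, VI
           S32 + r"\ntvdm.exe", S32 + PS, W64 + PS]
OFFICE15 = [pf + r"\Microsoft Office\Office15" + "\\" + exe
            for pf in (r"C:\Program Files", r"C:\Program Files (x86)")
            for exe in ("WINWORD.EXE", "OUTLOOK.EXE", "EXCEL.EXE", "POWERPNT.EXE")]

# (rule name, Source applications, Applications blocked for Start new application)
RULES = [
    ("Deny child processes from script executables",
     [*SCRIPT_HOSTS, S32 + r"\ntvdm.exe"], [ANY]),
    ("Deny script processes started by explorer",
     [r"C:\Windows\explorer.exe"], SCRIPT_HOSTS),
    ("Deny child processes from Office 2013 processes", OFFICE15,
     [*LOLBINS, S32 + r"\regsvr32.exe", W64 + r"\regsvr32.exe",
      S32 + r"\rundll32.exe", W64 + r"\rundll32.exe"]),
    ("Deny child processes for regsvr32.exe",
     [S32 + r"\regsvr32.exe", W64 + r"\regsvr32.exe"], LOLBINS),
    ("Deny child processes for mshta.exe",
     [S32 + r"\mshta.exe", W64 + r"\mshta.exe"], [ANY]),
    ("Deny child processes for rundll32.exe", [S32 + r"\rundll32.exe"], LOLBINS),
    ("Deny child processes for powershell.exe", [S32 + PS, W64 + PS], [ANY]),
]

def matching_rule(parent, child):
    """Name of the first rule that blocks parent starting child, else None (case-insensitive)."""
    p, c = parent.lower(), child.lower()
    for name, sources, targets in RULES:
        if p in map(str.lower, sources) and (ANY in targets or c in map(str.lower, targets)):
            return name
    return None

def audit(events):
    """Replay (parent, child) start pairs; a None rule marks a start these rules leave alone."""
    return [(p, c, matching_rule(p, c)) for p, c in events]

if __name__ == "__main__":
    sample = [(r"C:\Windows\explorer.exe", S32 + r"\wscript.exe"),   # constructed events
              (OFFICE15[0], S32 + r"\cmd.exe"),
              (W64 + r"\rundll32.exe", S32 + r"\cmd.exe")]           # not a rule VI source
    for parent, child, rule in audit(sample):
        print(f"{parent} -> {child}: {rule or 'NOT BLOCKED by these rules'}")
```

A None result is a start these seven rules do not cover; for instance, rule VI lists only the System32 rundll32.exe as a source, so the SysWOW64 copy starting cmd.exe is reported as not blocked.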