Issue
- Configure additional ESET Remote Administrator (6.3 and later) HIPS rules in the following ESET products to protect against Filecoder (ransomware) malware
- ESET Endpoint Security
- ESET Endpoint Antivirus
- ESET Mail Security for Microsoft Exchange
- ESET File Security for Microsoft Windows Server
Details
ESET's Host-based Intrusion Prevention System (HIPS) is included in ESET Endpoint Security, ESET Endpoint Antivirus, ESET Mail Security for Microsoft Exchange, and ESET File Security for Microsoft Windows Server. HIPS monitors system activity and uses a pre-defined set of rules to recognize suspicious system behavior. When this type of activity is identified, the HIPS self-defense mechanism stops the offending program or process from carrying out potentially harmful activity. Changes to the Enable HIPS and Enable Self-defense settings take effect after the Windows operating system is restarted.
Because these rules prohibit the standard execution of JavaScript and other scripts, ransomware delivered as a script is not able to download or execute its payload.
Solution
To further help prevent ransomware malware on your Windows systems, create the following policy rules in ESET Remote Administrator version 6.3 or later:
Do not adjust policies on production systems
The following policy settings are additional configurations and the specific settings needed for your security environment may vary. We recommend that you test the settings for each implementation in a test environment before using them in a production environment.
Open ESET Remote Administrator Web Console (ERA Web Console) in your web browser and log in.
- Click Admin → Policies, select the Agent policy being applied to your server(s) (your default parent policy) and then click Policies → Edit.
Alternatively, you can create a new policy in ESET Remote Administrator (6.x).
- Expand Settings → Antivirus, click HIPS and then click Edit next to Rules.
I. Deny processes from script executables
- Click Add, and type “Deny child processes from script executables” into the Rule name field.
- From the Action drop-down menu, select Block.
Enable the following options:
- Applications
- Enabled
- Logging severity (Warning)
- Notify user
Figure 1-2
- Click Next and in the Source applications window, click Add and type in the following names, clicking OK and then Add after each one:
- C:\Windows\System32\wscript.exe
- C:\Windows\System32\cscript.exe
- C:\Windows\SysWOW64\wscript.exe
- C:\Windows\SysWOW64\cscript.exe
- C:\Windows\System32\ntvdm.exe
Figure 1-3
- Click Next, click the slider bar next to Start new application to enable it and then click Next.
Figure 1-4
- Select All applications from the drop-down menu and click Finish.
Figure 1-5
Leave the HIPS rules window open and continue to the next section.
II. Deny script processes started by explorer
- In the HIPS rules window, click Add.
Figure 2-1
- Type “Deny script processes started by explorer” into the Rule name field.
- From the Action drop-down menu, select Block.
Enable the following options:
- Applications
- Enabled
- Logging severity (Warning)
- Notify user
Click Next.
Figure 2-2
In the Source applications window, click Add, type “C:\Windows\explorer.exe” into the Specify file path field and then click OK. Click Next.
Figure 2-3
In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.
Figure 2-4
- In the Applications window, click Add and type in the following process names, clicking OK and then Add after each one:
- C:\Windows\System32\wscript.exe
- C:\Windows\System32\cscript.exe
- C:\Windows\SysWOW64\wscript.exe
- C:\Windows\SysWOW64\cscript.exe
Click Finish.
Figure 2-5
Leave the HIPS rules window open and continue to the next section.
III. Deny child processes from Office 2013/2016 processes
- In the HIPS rules window, click Add.
Figure 3-1
- Type “Deny child processes from Office 2013 processes” into the Rule name field.
- From the Action drop-down menu, select Block.
Enable the following options:
- Applications
- Enabled
- Logging severity (Warning)
- Notify user
Click Next.
Figure 3-2
- In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
- C:\Program Files\Microsoft Office\Office15\WINWORD.EXE
- C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE
- C:\Program Files\Microsoft Office\Office15\EXCEL.EXE
- C:\Program Files\Microsoft Office\Office15\POWERPNT.EXE
- C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE
- C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE
- C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE
- C:\Program Files (x86)\Microsoft Office\Office15\POWERPNT.EXE
Click Next.
Figure 3-3
- In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.
Figure 3-4
- In the Applications window, click Add and type in the following file names, clicking OK and then Add after each one:
- C:\Windows\System32\cmd.exe
- C:\Windows\SysWOW64\cmd.exe
- C:\Windows\System32\wscript.exe
- C:\Windows\SysWOW64\wscript.exe
- C:\Windows\System32\cscript.exe
- C:\Windows\SysWOW64\cscript.exe
- C:\Windows\System32\ntvdm.exe
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
- C:\Windows\System32\regsvr32.exe
- C:\Windows\SysWOW64\regsvr32.exe
- C:\Windows\System32\rundll32.exe
- C:\Windows\SysWOW64\rundll32.exe
Add additional Office versions as needed, repeating the same instructions as above.
- 2016 = Office16
- 2010 = Office14
Click Finish.
Figure 3-5
Leave the HIPS rules window open and continue to the next section.
IV. Deny child processes for regsvr32.exe
- In the HIPS rules window, click Add.
Figure 4-1
- Type “Deny child processes for regsvr32.exe” into the Rule name field.
- From the Action drop-down menu, select Block.
Enable the following options:
- Applications
- Enabled
- Logging severity (Warning)
- Notify user
Click Next.
Figure 4-2
- In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
- C:\Windows\System32\regsvr32.exe
- C:\Windows\SysWOW64\regsvr32.exe
Click Next.
Figure 4-3
- In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.
Figure 4-4
- In the Applications window, click Add and type in the following file names, clicking OK and then Add after each one:
- C:\Windows\System32\cmd.exe
- C:\Windows\SysWOW64\cmd.exe
- C:\Windows\System32\wscript.exe
- C:\Windows\SysWOW64\wscript.exe
- C:\Windows\System32\cscript.exe
- C:\Windows\SysWOW64\cscript.exe
- C:\Windows\System32\ntvdm.exe
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Click Finish.
Figure 4-5
Leave the HIPS rules window open and continue to the next section.
V. Deny child processes for mshta.exe
- In the HIPS rules window, click Add.
Figure 5-1
- Type “Deny child processes for mshta.exe” into the Rule name field.
- From the Action drop-down menu, select Block.
Enable the following options:
- Applications
- Enabled
- Logging severity (Warning)
- Notify user
Click Next.
Figure 5-2
- In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
- C:\Windows\System32\mshta.exe
- C:\Windows\SysWOW64\mshta.exe
Click Next.
Figure 5-3
- In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.
Figure 5-4
- Select All applications from the drop-down menu and click Finish.
Figure 5-5
Leave the HIPS rules window open and continue to the next section.
VI. Deny child processes for rundll32.exe
- In the HIPS rules window, click Add.
Figure 6-1
- Type “Deny child processes for rundll32.exe” into the Rule name field.
- From the Action drop-down menu, select Block.
Enable the following options:
- Applications
- Enabled
- Logging severity (Warning)
- Notify user
Click Next.
Figure 6-2
- In the Source applications window, click Add and type in the following file name:
- C:\Windows\System32\rundll32.exe
Click OK and then click Next.
Figure 6-3
- In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.
Figure 6-4
- In the Applications window, click Add and type in the following file names, clicking OK and then Add after each one:
- C:\Windows\System32\cmd.exe
- C:\Windows\SysWOW64\cmd.exe
- C:\Windows\System32\wscript.exe
- C:\Windows\SysWOW64\wscript.exe
- C:\Windows\System32\cscript.exe
- C:\Windows\SysWOW64\cscript.exe
- C:\Windows\System32\ntvdm.exe
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Click Finish.
Figure 6-5
Leave the HIPS rules window open and continue to the next section.
VII. Deny child processes for powershell.exe
- In the HIPS rules window, click Add.
Figure 7-1
- Type “Deny child processes for powershell.exe” into the Rule name field.
- From the Action drop-down menu, select Block.
Enable the following options:
- Applications
- Enabled
- Logging severity (Warning)
- Notify user
Click Next.
Figure 7-2
- In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Click Next.
Figure 7-3
- In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.
Figure 7-4
- Select All applications from the drop-down menu and click Finish.
Figure 7-5
- When finished adding HIPS rules, click Finish to save the policy settings.
Figure 7-6
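As an added example (not ESET's code and not a feature of ERA), the seven rules from sections I–VII written out as a small Python audit script: each rule becomes a (name, source applications, target applications) triple, and constructed process-creation events are checked against them so you can confirm which parent/child pairs the policy would block before rolling it out. The fourth sample event shows that rule VI, as written above, lists only the System32 copy of rundll32.exe.

```python
# Added example, not ESET's code: the seven HIPS "Start new application" rules from
# sections I-VII encoded as (rule name, source apps, target apps) and applied to
# constructed process-creation events. Windows paths are compared case-insensitively.
ANY = "*"  # stands for "All applications" in the target window
S32, W64 = r"C:\Windows\System32", r"C:\Windows\SysWOW64"
PS = r"WindowsPowerShell\v1.0\powershell.exe"

SCRIPT_HOSTS = [f"{d}\\{e}" for d in (S32, W64) for e in ("wscript.exe", "cscript.exe")]
SHELLS = ([f"{d}\\cmd.exe" for d in (S32, W64)] + SCRIPT_HOSTS
          + [f"{S32}\\ntvdm.exe", f"{S32}\\{PS}", f"{W64}\\{PS}"])
OFFICE15 = [f"{p}\\Microsoft Office\\Office15\\{e}"
            for p in (r"C:\Program Files", r"C:\Program Files (x86)")
            for e in ("WINWORD.EXE", "OUTLOOK.EXE", "EXCEL.EXE", "POWERPNT.EXE")]
LOADERS = [f"{d}\\{e}" for d in (S32, W64) for e in ("regsvr32.exe", "rundll32.exe")]

RULES = [
    ("Deny child processes from script executables", SCRIPT_HOSTS + [f"{S32}\\ntvdm.exe"], [ANY]),
    ("Deny script processes started by explorer", [r"C:\Windows\explorer.exe"], SCRIPT_HOSTS),
    ("Deny child processes from Office 2013 processes", OFFICE15, SHELLS + LOADERS),
    ("Deny child processes for regsvr32.exe", [f"{S32}\\regsvr32.exe", f"{W64}\\regsvr32.exe"], SHELLS),
    ("Deny child processes for mshta.exe", [f"{S32}\\mshta.exe", f"{W64}\\mshta.exe"], [ANY]),
    ("Deny child processes for rundll32.exe", [f"{S32}\\rundll32.exe"], SHELLS),  # only System32 listed
    ("Deny child processes for powershell.exe", [f"{S32}\\{PS}", f"{W64}\\{PS}"], [ANY]),
]

def matching_rule(parent, child):
    """Name of the first rule that blocks `parent` starting `child`, or None if allowed."""
    p, c = parent.lower(), child.lower()
    for name, sources, targets in RULES:
        if p in [s.lower() for s in sources] and (ANY in targets or c in [t.lower() for t in targets]):
            return name
    return None

# Constructed sample events (parent image, child image); not taken from a real host.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE", f"{S32}\\cmd.exe"),
    (r"C:\Windows\explorer.exe", r"c:\windows\system32\WScript.exe"),   # case differs
    (r"C:\Windows\explorer.exe", f"{S32}\\notepad.exe"),                 # ordinary launch
    (f"{W64}\\rundll32.exe", f"{S32}\\cmd.exe"),                         # gap: rule VI lacks SysWOW64
]

def audit(events):
    """Return (parent, child, blocking rule or None) for every event."""
    return [(parent, child, matching_rule(parent, child)) for parent, child in events]

if __name__ == "__main__":
    for parent, child, rule in audit(SAMPLE_EVENTS):
        print("BLOCK" if rule else "ALLOW", parent, "->", child, rule or "")
```

Feed it parent/child pairs collected from your own process-creation logs to see which of them the policy would have blocked, and extend RULES the same way when you add further Office versions or paths.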