Endpoint Protection

  • 1.  Use SEP application control to block these:

    Posted Mar 08, 2010 03:14 PM
    (see my article on using SEP app control to block bad BHOs and fake AV apps)
    Here are some paths that a SINGLE threat attempted to exploit - this is a common one:
    This is part of my policy here - I NOW block this since it was successful in getting into this area - I'd left a hole...

    %userprofile%\templates\*.exe


    Check these log entries below to see all the ways this one threat was trying to get in!

    ------------------------------------
    Attempt #1
    Caller Process Name:
    C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
    Target:
    C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/av.exe
    User name:
    ------------------------------------
    Attempt #2
    Caller Process Name:
    C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
    Target:
    C:/Documents and Settings/Jami.Schwickerath/Templates/av.exe
    User name:
    ------------------------------------
    Attempt #3
    Caller Process Name:
    C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
    Target:
    C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/mtg/mtg.exe
    User name:
    ------------------------------------
    Attempt #4
    Caller Process Name:
    C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
    Target:
    C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/mtg/MSASCui.exe
    User name:
    ------------------------------------
    Attempt #5
    Caller Process Name:
    C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
    Target:
    C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/mtg/av.exe
    User name:
    ------------------------------------
    Attempt #6
    Caller Process Name:
    C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
    Target:
    C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/Microsoft/Windows Defender/mtg.exe
    User name:
    ------------------------------------
    Attempt #7
    Caller Process Name:
    C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
    Target:
    C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/Microsoft/Windows Defender/MSASCui.exe
    User name:
    ------------------------------------
    Attempt #8
    Caller Process Name:
    C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
    Target:
    C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/Microsoft/Windows Defender/av.exe
    User name:
    ------------------------------------
    Attempt #9
    Caller Process Name:
    C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
    Target:
    C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/mtg.exe
    User name:
    ------------------------------------
    Attempt #10
    Caller Process Name:
    C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
    Target:
    C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/MSASCui.exe
    User name:
    ------------------------------------

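    A way to replay these log entries against a path rule and see which launch attempts it would have caught, as an added example that is not part of the original post or of SEP itself. The wildcard semantics ("*" stays within one path component, "**" spans directories) and the %userprofile% expansion are my assumptions for the demo, not SEP's own matcher; the log excerpt is taken from the thread above.

```python
import re

# Excerpt of the application-control log quoted in the thread (two of the ten attempts).
SEP_LOG = """\
Attempt #1:
Caller Process Name:
C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
Target:
C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/av.exe
User name:
----------------------------------------------------------
Attempt #2
Caller Process Name:
C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
Target:
C:/Documents and Settings/Jami.Schwickerath/Templates/av.exe
User name:
"""

PROFILE = r"C:\Documents and Settings\Jami.Schwickerath"   # %userprofile% of the logged user
NARROW_RULES = [r"%userprofile%\templates\*.exe"]          # the rule added in the post
BROAD_RULES = [r"%userprofile%\**\*.exe"]                  # "nothing runs from the profile"

def parse_sep_log(text):
    """Yield (caller, target) pairs from the 'Caller Process Name:' / 'Target:' layout."""
    lines = [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        if line == "Caller Process Name:" and lines[i + 2] == "Target:":
            yield lines[i + 1], lines[i + 3]

def rule_to_regex(rule, profile):
    """Assumed wildcard semantics: '*' within one path component, '**' across directories."""
    rule = rule.replace("%userprofile%", profile)
    parts = []
    for tok in re.split(r"(\*\*|\*)", rule):
        parts.append(".*" if tok == "**" else r"[^\\]*" if tok == "*" else re.escape(tok))
    return re.compile("".join(parts) + "$", re.IGNORECASE)

def is_blocked(path, rules, profile=PROFILE):
    win = path.replace("/", "\\")   # the quoted log shows forward slashes; normalise first
    return any(rule_to_regex(r, profile).match(win) for r in rules)

def audit(log, rules, profile=PROFILE):
    """Return {target: blocked?} for every launch attempt in the log under a rule set."""
    return {tgt: is_blocked(tgt, rules, profile) for _, tgt in parse_sep_log(log)}
```

    Running audit(SEP_LOG, NARROW_RULES) shows only the Templates launch caught, which is the hole the post describes; audit(SEP_LOG, BROAD_RULES) catches both.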



  • 2.  RE: Use SEP application control to block these:

    Posted Mar 19, 2010 03:03 PM
    Nice analysis of the logs.

    Aniket


  • 3.  RE: Use SEP application control to block these:

    Posted Mar 19, 2010 06:14 PM
    Thanks for sharing, certainly will be a big help.


  • 4.  RE: Use SEP application control to block these:

    Posted Mar 22, 2010 09:46 AM

    In our most secure areas, we let nothing run from any part of the user's profile! This would be why.


  • 5.  RE: Use SEP application control to block these:

    Posted Mar 22, 2010 10:06 AM
    My article on using SEP's application control basically blocks nearly everything from running under user profile areas. I have a group that does allow things; if an install is needed, we move the PC to that group, run the install, then move it back.
    If it's a mass need, I create a specific exclusion.
    It irritates some, but we've cut down big on the rogue AV and such...