Roland

CLOSED New whitelist features in company environment


Just made some tests with the whitelist features. Very nice to see wildcards! At this stage it is a little bit annoying to add new entries, as you at least have to enter one folder and are then able to alter the path by clicking the new entry. But for me this is more a cosmetic issue.

Now to the main topic. As I did not find a pop-up or other info, I assume the 'Exclude' option disables/excludes from all of on-demand (scheduled), on-access (realtime) and behavior blocker, in contrast to 'Exclude from monitoring', which only means on-access and behavior blocker, leaving on-demand active.

Also noticed that excluding, for example, putty.exe does not remove the Behavior Blocker hook DLL as it did in EAM 11. Is it possible to exclude injecting these DLLs in some rare cases where an application crashes while using the behavior blocker?

Is it also possible or planned to use a behavior-blocker-only whitelist, as I find it important to have at least realtime protection and do not want to exclude all checks? For example, we have a large admin-maintained install share where a lot of software installers are placed, some of which will trigger a behavior blocker alert. We have whitelisted this folder in EAM (using ECC) but only from the behavior blocker, which is possible in EAM 11. So our automated installations run fine, but we have at least some kind of protection if we unintentionally upload malware to this share.


Hi Roland,

 

The first grid in the new exclusions screen is related to exclusions for signature-based detection, i.e. on-demand scanner, File Guard.

The second grid is related to exclusion from (behavior) monitoring, i.e. Behavior Blocker.

 

thanks


Okay, tested this with the EICAR test file and real CryptoWall and Petya samples.

Made a new folder d:\testfiles, added an exception to monitoring for d:\test*.

Did an on-demand scan from the Explorer context menu for this folder. EAM found all three samples.

Clicked on the EICAR sample, which gave me the known COM error. Got a little bit nervous, made an image of the PC and detached networking.

Clicked on the CryptoWall sample; it started, did some changes without alerting and tried to start the decrypted malware in the temp folder, which EAM blocked as this was not a whitelisted folder.

Clicked on the Petya sample (this one is straightforward, so no decryption or the fancy stuff) and, as expected, it launched without any warning, restarted the PC and began encryption. (No problem as this was for testing only) ;)

So for me it looks like 'exclude from monitoring' excludes everything other than on-demand, or it is a bug.

I would greatly appreciate the behavior/logic you explained: excluding only behavior/monitoring-based detection separately from signature-based.


Sorry, I forgot, but I think this might be helpful: tested on Windows 7 SP1 32-bit including all critical and important Microsoft OS patches.


Hi Roland,

 

I would greatly appreciate the behavior/logic you explained: excluding only behavior/monitoring-based detection separately from signature-based.

Not sure what you mean, sorry.

I tried to explain that when you add a folder to the 'Exclude from monitoring' grid, that folder is excluded for behavioral detections only.

When you add a folder (or the same one) to the 'Exclude' grid, the files in that folder won't be detected by the File Guard or on-demand scanner.

(btw, I notice that the grid header text is missing a part. It should be 'Exclude from scanning' -> this has been fixed already)

 

 

Does this make sense?


Okay, perhaps I have to be more specific. I had not made any excludes in the first grid (the 'Exclude from scanning' one). The first grid is empty. I had only made the one for the said folder in the second grid ('Exclude from Monitoring'). So I think when there is malware in this folder only the behavior blocker should be disabled, and the File Guard should catch the known malware sample (using no excludes, EAM will hit this sample). But it did not (at least for me); it launched the samples without any warning, and also no message appeared in the logs.

Perhaps someone else could test whether she/he sees the same behavior. Myself, I will try to re-check tomorrow to ensure that I did not make any mistakes, and will probably make a screen recording.


Found and reproduced it.

You should use folder names with a trailing '\'.

In your case d:\test*\

 

If you add that path in the 'Exclude from Monitoring' grid, the File Guard will detect the files.

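As an added example (not Emsisoft's code; the product's real matching rules are not documented in this thread), here is a small Python check over the two exclusion grids discussed above. It treats a trailing '\' as a folder rule, as the reply recommends, flags folder-looking entries that lack it, and reports what protection remains for a given file path. The glob semantics of '*', case-insensitive matching and the folder/file distinction are assumptions.

```python
import fnmatch
from typing import List

# Added example, not Emsisoft's code. Assumptions: an entry ending in '\' is a
# folder rule (as the reply recommends), anything else is a file pattern matched
# against the whole path, '*' is a glob wildcard, and matching ignores case.

def is_folder_rule(rule: str) -> bool:
    return rule.endswith("\\")

def rule_matches(rule: str, path: str) -> bool:
    """True if the full file path is covered by one exclusion entry."""
    rule, path = rule.lower(), path.lower()
    if is_folder_rule(rule):
        # Folder rule: compare every ancestor folder of the file (each with a
        # trailing '\') against the pattern, so d:\test*\ covers d:\testfiles\x.exe
        # but not a file named d:\test.exe.
        parts = path.split("\\")
        return any(fnmatch.fnmatchcase("\\".join(parts[:i]) + "\\", rule)
                   for i in range(1, len(parts)))
    return fnmatch.fnmatchcase(path, rule)

def lint_rules(rules: List[str]) -> List[str]:
    """Entries that look like folders (no extension) but lack the trailing '\\'."""
    return [r for r in rules
            if not is_folder_rule(r) and "." not in r.rsplit("\\", 1)[-1]]

def exposure(path: str, scanning: List[str], monitoring: List[str]) -> str:
    """What protection remains for a path given the two grids from the thread."""
    sig_off = any(rule_matches(r, path) for r in scanning)    # 'Exclude from scanning'
    bb_off = any(rule_matches(r, path) for r in monitoring)   # 'Exclude from monitoring'
    if sig_off and bb_off:
        return "unprotected"      # neither File Guard/on-demand nor Behavior Blocker
    if sig_off:
        return "behavior-only"    # signature detection skipped, Behavior Blocker active
    if bb_off:
        return "signature-only"   # the install-share setup the thread asks for
    return "full"

if __name__ == "__main__":
    # Constructed grids modelled on the thread: nothing in the first grid, the
    # corrected d:\test*\ entry in the second.
    scanning, monitoring = [], ["d:\\test*\\"]
    for p in ["d:\\testfiles\\petya.exe", "d:\\test.exe", "c:\\windows\\temp\\dropped.exe"]:
        print(p, "->", exposure(p, scanning, monitoring))
    print("entries needing a trailing '\\':", lint_rules(["d:\\test*", "c:\\tools\\putty.exe"]))
```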