How to use SEP to protect against rogue "browser helpers"
Yes, I am a frustrated security administrator. I've been a security admin for roughly 2 decades, but only frustrated recently. Browsing used to be safe, relatively speaking. Now, even visiting the mainstream news media sites can result in malware being installed. Even business-related web sites, in our case, sites that cater to voc rehab, are either built by designers needing more money, or have been hacked.
And the rogue antivirus and security apps seem to be the vogue thing now. Because they aren't technically an application, and require no permissions to install, they are often installed as "browser helpers", their files being dropped in the user profile "Application Data" folder, where the logged-in user has full rights regardless of their security level. When a browser helper launches, it can run scripts, perform downloads, and countless other nasty things.
I was going crazy because our endpoint protection was letting these in left and right. Possibly in part because the files are ever-changing, and signature detection simply doesn't work on them. They appear friendly! They are a helper, after all. Trusted: Microsoft wants your browsing experience to be SIMPLE, so they make it simple - for anyone and everyone that wants to help you!
I was at my wits' end when I started doing some real deep research. If these things get in by dropping DLL or HTM(L) files in the Application Data folder of the current user, why not monitor that, or even block such access?
With SEP, that's pretty easy to do.
As with any new changes to SEP, be sure to run this in TEST MODE only (logging), not production! I sure am glad I did, or I would have blocked the signature files used in Outlook!
First, in your Symantec Endpoint Protection Manager console, navigate to your Application and Device Control policy. It might be good to do this on a test group, even if you DO set this to "Test (log only)" status.
In application control, add a rule set.
I named ours "Block bad BHOs"
Make it apply to all processes using the * in the upper dialog.
In the lower dialog, "Do not apply this rule to the following processes", I added C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE so that Word could use signature HTML files for Outlook email. Caught that in logging.
Next I added a condition - Load DLL attempts. I applied this to the following:
%userprofile%\application data\*.dll
%userprofile%\application data\*\*.dll
In the actions tab, I set to block, and checked enable logging.
That prevents any EXISTING malware helpers from loading, just in case they already exist in a large environment.
I went back under the initial rule set and added another condition:
File and folder access attempts.
I added the above lines to this condition, so that the DLL could not be created to begin with (the above prevents EXISTING DLLs from being loaded),
and I added the following to this one:
%userprofile%\application data\*.ht*
%userprofile%\application data\*\*.ht*
So the end result was this under File and Folder access attempts apply to these files and folders:
%userprofile%\application data\*.ht*
%userprofile%\application data\*\*.ht*
%userprofile%\application data\*.dll
%userprofile%\application data\*\*.dll
I added this line to "Do not apply to the following files and folders":
%userprofile%\Application Data\Microsoft\Internet Explorer\desktop.htt
because it appears to have to do with Active Desktop, which one user has enabled (still looking into this one, but it seemed harmless).
Under the Actions tab for File and Folder Access Attempts, for Create, Delete, and Write, I checked Block and Enable Logging.
Again, be sure not to put this into production until you have run it a while and looked at the logs for things it may block that you do NOT want blocked.
That's how I caught Word using the HTML files for Outlook signatures and excluded them; otherwise I'd have had a few angry users on my hands.
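The rule set above, plus the udhisapi.dll exclusion added in the comments, as an added example (not part of the original article or a Symantec tool): it simulates the policy over constructed events so you can see what the test-mode log would flag and where an exclusion is needed. It assumes paths compare case-insensitively, that `*` also matches backslashes (the article's rules did catch desktop.htt and udhisapi.dll several folders deep), and that %userprofile% is any profile under C:\Documents and Settings.

```python
import re
# Added example, not the article's code. Assumed: case-insensitive paths, '*' also
# matches '\', and %userprofile% is any profile under C:\Documents and Settings.
LOAD_DLL_TARGETS = [r"%userprofile%\application data\*.dll",
                    r"%userprofile%\application data\*\*.dll"]
FILE_ACCESS_TARGETS = LOAD_DLL_TARGETS + [
    r"%userprofile%\application data\*.ht*",
    r"%userprofile%\application data\*\*.ht*"]
EXCLUDED_FILES = [  # exclusions the article found in its logs
    r"%userprofile%\Application Data\Microsoft\Internet Explorer\desktop.htt",
    r"C:\Documents and Settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll"]
EXCLUDED_PROCESSES = [r"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE"]
PROFILE_RE = r"c:\\documents and settings\\[^\\]+"

def to_regex(pattern):
    """SEP-style wildcard path -> anchored lower-case regex ('*' becomes '.*')."""
    chunks = [".*".join(re.escape(p) for p in seg.split("*"))
              for seg in pattern.lower().split("%userprofile%")]
    return re.compile(PROFILE_RE.join(chunks))

def matches(path, patterns):
    return any(to_regex(p).fullmatch(path.lower()) for p in patterns)

def evaluate(process, action, path):
    """Return 'block' or 'allow' for one (process, action, path) event."""
    if process.lower() in (p.lower() for p in EXCLUDED_PROCESSES):
        return "allow"                    # rule set is not applied to Word
    if action == "load_dll":
        targets = LOAD_DLL_TARGETS
    elif action in ("create", "write", "delete"):
        targets = FILE_ACCESS_TARGETS
    else:
        return "allow"                    # reads are not in the rule set
    if matches(path, EXCLUDED_FILES):
        return "allow"
    return "block" if matches(path, targets) else "allow"

def review_log(events):
    """Group blocked events by process: the list you scan for needed exclusions."""
    report = {}
    for proc, action, path in events:
        if evaluate(proc, action, path) == "block":
            report.setdefault(proc, []).append((action, path))
    return report
AD = r"C:\Documents and Settings\jdoe\Application Data"  # constructed profile
SAMPLE_EVENTS = [  # constructed sample, not from a real SEP log
    ("iexplore.exe", "load_dll", AD + r"\SecurityTool\helper.dll"),
    ("iexplore.exe", "write", AD + r"\promo.html"),
    (EXCLUDED_PROCESSES[0], "write", AD + r"\Microsoft\Signatures\work.htm"),
    ("svchost.exe", "load_dll", EXCLUDED_FILES[1])]
```

Run `review_log(SAMPLE_EVENTS)` and only the two iexplore.exe events come back blocked; Word's signature write and the UPnP DLL load are passed by the exclusions, which is exactly what reading the test-mode log is meant to confirm before going to production.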
You can enable or configure logging or email alerts, etc. as you see fit, or as your enterprise needs/requires.
This is something I have only just put into place, and it's still in testing and being watched. I'm hopeful it may block some of these malware phony antivirus apps that sneak in under the guise of helper apps, then annoy the user with pop-ups and other nasties.
Any input? I'm all ears! Ideas, suggestions, or even if you tell me "that won't do anything", I'm listening, but PLEASE be prepared to tell me WHY.
Thanks
(I've attached a sample DAT file (zipped). You will need your own extension, but simply watch the Application Control logs in the Monitors area and you'll see what's being blocked if you need to add exclusions or exceptions.)
Comments
Many will find this article helpful!
"Browser helpers" seem to be creeping up quite a bit these days - this article, from one of our trusted advisors, can help you utilize SEP to decrease/eliminate this problem.
Eric
Subscribe to the upcoming Security Newsletter - Log in, visit your profile, and click on "Newsletter Subscriptions!"
I would like to add again - WATCH the logs closely. I caught another needed exclusion - that's why you should run in log mode - or test mode, not production - for a few days.
I believe this one would allow such things as sharing USB printers among networked computers, like we do in a few offices - add this as an exclusion:
C:\Documents and Settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
The above is a valid Microsoft Windows file used in universal plug and play.
WMP prior to 11 used this for network file sharing, etc. but printers seem to also use it if shared.
As Eric mentioned - browser helpers are a commonly used "method" of getting fake AV and other bugs in, because it requires no special permissions and can be run from your own profile area - something any logged-in user has permissions to, just to be able to run software. I've seen 3 of them in the last 2 weeks or so. The latest one SEP prevented from doing damage, but this will prevent the files from being created to begin with.
My sites - http://theamcpages.com & http://antique-engines.com
Good article indeed
Yes quite informative
Great write up!
I am planning on talking with our security team about it this afternoon.
Thank you
Article was a bit informative.
Very useful article.
Regards, M.R
Wow.... after a long time I have really seen a post which really gives a proactive approach in defending a might-be problem.
The article is really good. This feature has been in the SEPM, but the only lacking part in going active with this is usability. Execution of this requires careful planning and may take months to test and then apply to the production environment. But nevertheless I have to agree that once applied it's pretty hard to break, until you apply a service pack or a security update, because it's gonna change the signatures as well.
This is one of the good articles I had read.
Hope to hear more soon ShadowsPapa.
Just a feedback though.
Browser helpers are being tagged as Spyware by Microsoft AntiSpyware, and malware or browser hijacker by some others, such as Panda Antivirus.
One example is the Yahoo! Assistant, formerly named 3721 Internet Assistant, a Browser Helper that is tagged as Spyware. It comes from a reputable site though.
Just my thoughts.
Nel Ramos
wow...this is a good article full of information! Good write, Papa!
One tip page from symantec which shall help many...
http://service1.symantec.com/SUPPORT/ent-security....
That's very informative and helpful. Will these settings also help to stop fake AVs getting installed?
Yes - in fact, I've even tightened things up a bit more, preventing EXEs from being created, etc.
In fact, I was able to stop a fake AV last week when 2 users hit www.yahoo.com and did searches. They saw a viagra ad and immediately an EXE was targeting SEP's LU files, so I decided - block EXE creation. It's more of a pain, but I figure if our users have a LEGIT application that needs to load and run, I'll just create an exclusion. Otherwise, as far as I'm concerned, any EXE in the user profile does not belong and will be blocked.
Such "infections" have dropped quite a bit. The fake AV apps often install and get run as a phony BHO - browser helper object. That's how they get in, and what launches them. You start IE and you start the phony BHO as well.
My sites - http://theamcpages.com & http://antique-engines.com
This is really a good article and will help keep our systems safe from any kind of threat that comes via the browser, but this policy needs to be fine-tuned, as ShadowsPapa said, to allow your apps if they go there.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
I tried downloading the ZIP, extracted the .DAT file and tried Import Policy ... but nothing happens ... no error, no new policy created. Any thoughts? I am running v11.0.5
Decided to leave it overnight, came back to it today, ran the Import again ... and it worked ... I have no idea why?! ... but I am off and running!
I'm attaching 2 new files - I think one is just the rogue AV and BHO part, the other I believe is the entire application control part.
I'm not sure if that's how these export or not, but one is twice the size of the other, so I must assume the smaller is the subset I have just for the rogue AV and browser helpers.
They are messy, but should give indications of the possibilities.
I wish I could sit down with an expert and fine-tune these and clean them up!
My sites - http://theamcpages.com & http://antique-engines.com
Well after dealing with this too many times this week, I am trying it out.
I imported the larger one and used only the BHO and ALOT toolbar part.
Next will have to figure out the logging part after running it for a few days.
Thanks for sharing this.
Thanks ShadowsPapa, it's been a while since I've been here and I look forward to implementing this. FakeAV is a pain to deal with. I'm ready for this solution. Been extremely busy implementing a VoIP replacement for 300 phones and virtualizing servers and desktops for a new facility. I hope I can start contributing again soon.
Appreciate the article. I read this when it was first posted, and I'm pleased to see an update.
I too am persevering with trying to really get into the nuts and bolts of Application and Device Control, but I'm finding a lack of examples and documentation around the extensive benefits we can gain through using it.
I'm managing a SEPM with over 13,000 endpoints - although the BHO is a very helpful example/reference point, it gets very complicated quickly, with this many clients running various software and OS versions. One issue I'm running into is performance, and the need to create so many exceptions for different executables, that seem to grind to a halt with these policies. I'm also finding I'm adding excluded processes under "Do not apply this rule to the following processes", however they don't seem to apply. One example below:
wctestws01
I've tried adding it using wildcards, full path, and even to the Centralized Exceptions as a tamper exclusion, but to no avail.
Any ideas?
I'd love a workshop on working solely in this section of SEPM, as it's very powerful.
Keep up the good work
Regards,
Andrew
Interesting, that I can't seem to get the application policy to work. I copied over a test.dll file to the %userprofile%\application data\ directory without any problem. I have the latest policy. Any ideas?
Mike
I had that same problem. I called Symantec support and they instructed me to install all features of SEP client. (I only had AV and PTP installed) Once that was installed it started blocking applications.
Been away for a while and this has to be one of the best security articles for SEP I've ever come across. Awesome work Shadowspapa!
Testing this now, very well written article.
Thank you,
Andrew
Fantastic, very informative. I'm a big SAV fan now getting ready to do my first SEPM production. I've been living in an unmanaged world so far.
Thanks