Yes, I am a frustrated security administrator. I've been a security admin for roughly 2 decades, but only frustrated recently... Browsing used to be safe, relatively speaking. Now, even visiting the mainstream news media sites can result in malware being installed. Even business-related web sites, in our case sites that cater to voc rehab, are either built by designers needing more money, or have been hacked.
And the rogue antivirus and security apps seem to be the vogue thing now. Because they aren't technically an application, and require no permissions to install, they are often installed as "browser helpers", their files being dropped in the user profile "Application Data" folder where the logged-in user has full rights, regardless of their security level. When a browser helper launches, it can run scripts, perform downloads, and do countless other nasty things.
I was going crazy because our endpoint protection was letting these in left and right. Possibly in part because the files are ever-changing, and signature detection simply doesn't work on them. They appear friendly! They are a helper, after all. Trusted: Microsoft wants your browsing experience to be SIMPLE, so they make it simple - for anyone and everyone that wants to help you!
I was at wits' end when I started doing some real deep research. If these things get in by dropping DLL or HTM(L) files in the Application Data folder of the current user, why not monitor that, even block such access?
With SEP, that's pretty easy to do.
As with any new changes to SEP, be sure to run this in TEST MODE only, logging, not production! I sure am glad I did, or I would have blocked their signature files used in Outlook!
First, in your Symantec Endpoint Protection Manager console, navigate to your Application and Device Control policy. Might be good to do this on a test group, even if you DO set this for "Test (log only)" status.
In application control, add a rule set.
I named ours "Block bad BHOs".
Make it apply to all processes using the * in the upper dialog.
In the lower dialog, "Do not apply this rule to the following processes", I added C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE so that Word could use signature HTML files for Outlook email. Caught that in logging.
Next I added a condition: Load DLL attempts. I applied this to the following:
In the actions tab, I set to block, and checked enable logging.
That prevents any EXISTING malware helpers from loading, just in case they already exist in a large environment.
I went back under the initial rule set and added another condition:
File and folder access attempts.
I added the above lines to this condition, so that the DLL could not be created to begin with (the above only prevents EXISTING DLLs from being loaded),
and I added the following to this one:
So the end result was this under File and Folder access attempts apply to these files and folders:
I added this line to the do not apply to the following files and folders:
%userprofile%\Application Data\Microsoft\Internet Explorer\desktop.htt
because it appears to be related to Active Desktop, which one user has enabled (still looking into this one, but it seemed harmless).
Under the actions tab for File and Folder Access Attempts, for the create, delete or write actions, I checked block and enable logging.
Again, be sure to not put this into production until you have run it a while to look at the logs for things that it may block that you do NOT want blocked.
That's how I caught Word using the HTML files for Outlook signatures and excluded them, otherwise I'd have had a few angry users on my hands.
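Added example (not from the original post, and not Symantec's code): an offline model of the rule set described above, useful for reasoning about what the "Test (log only)" run will surface before the rule goes to production. The post's actual file patterns are in screenshots not reproduced here, so the patterns, the Application Data path and every sample event are assumptions or constructed values; the WINWORD.EXE process exclusion and the desktop.htt file exclusion are the ones the post names. It evaluates a handful of constructed file events the way the rule would (block vs. log-only), and shows why the two exclusions were needed.

```python
import fnmatch
import ntpath
from dataclasses import dataclass

# Constructed user profile; the post uses "%userprofile%\Application Data".
USER_PROFILE = r"C:\Documents and Settings\jdoe"
APP_DATA = ntpath.join(USER_PROFILE, "Application Data")

# ASSUMED rule contents. The post only says the rule covers DLL and HTM(L)
# files under the user's Application Data folder. *.htt is included on the
# assumption that the author's pattern reached it, since desktop.htt needed
# an exclusion.
BLOCKED_PATTERNS = ("*.dll", "*.htm", "*.html", "*.htt")
# Exclusions named in the post.
EXCLUDED_PROCESSES = {r"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE"}
EXCLUDED_FILES = {ntpath.join(APP_DATA, r"Microsoft\Internet Explorer\desktop.htt")}
# The file actions the author set to block.
FILE_ACTIONS = {"create", "write", "delete"}


@dataclass(frozen=True)
class Event:
    process: str   # full path of the acting process
    action: str    # create / write / delete / load_dll
    path: str      # file being touched or loaded


def _norm(p: str) -> str:
    """Case-fold and normalize a Windows path so comparisons are reliable."""
    return ntpath.normpath(p).lower()


def _under_app_data(path: str) -> bool:
    return _norm(path).startswith(_norm(APP_DATA) + "\\")


def _matches_pattern(path: str) -> bool:
    name = ntpath.basename(_norm(path))
    return any(fnmatch.fnmatch(name, pat) for pat in BLOCKED_PATTERNS)


def evaluate(event: Event, test_mode: bool = True) -> str:
    """Return 'allow', 'log' (hit while in test mode) or 'block' (production)."""
    # Process exclusion: the post excludes Word so Outlook signatures keep working.
    if _norm(event.process) in {_norm(p) for p in EXCLUDED_PROCESSES}:
        return "allow"
    # File exclusion: the post excludes the Active Desktop desktop.htt file.
    if _norm(event.path) in {_norm(f) for f in EXCLUDED_FILES}:
        return "allow"
    if not _under_app_data(event.path) or not _matches_pattern(event.path):
        return "allow"
    if event.action == "load_dll":
        hit = _norm(event.path).endswith(".dll")   # Load DLL condition
    else:
        hit = event.action in FILE_ACTIONS           # File/folder access condition
    if not hit:
        return "allow"
    return "log" if test_mode else "block"


# Constructed events, modelled on the cases the post describes.
SAMPLE_EVENTS = [
    Event(r"C:\Program Files\Internet Explorer\iexplore.exe", "create",
          ntpath.join(APP_DATA, r"SysHelper\helper32.dll")),
    Event(r"C:\Program Files\Internet Explorer\iexplore.exe", "load_dll",
          ntpath.join(APP_DATA, r"SysHelper\helper32.dll")),
    Event(r"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE", "write",
          ntpath.join(APP_DATA, r"Microsoft\Signatures\corporate.htm")),
    Event(r"C:\WINDOWS\explorer.exe", "write",
          ntpath.join(APP_DATA, r"Microsoft\Internet Explorer\desktop.htt")),
    Event(r"C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE", "write",
          ntpath.join(APP_DATA, r"Microsoft\Outlook\outlook.nk2")),
    Event(r"C:\WINDOWS\notepad.exe", "write", r"C:\Temp\notes.html"),
]


def review(events, test_mode: bool = True):
    """Pair each event with its verdict; this is what the log review looks like."""
    return [(e, evaluate(e, test_mode)) for e in events]


if __name__ == "__main__":
    for e, verdict in review(SAMPLE_EVENTS):
        print(f"{verdict:5}  {e.action:8}  {ntpath.basename(e.process):12}  {e.path}")
```

Run it once with `test_mode=True` and read the "log" lines the way you would read the Application Control log: every hit that belongs to a legitimate process or file is a candidate exclusion, and only when that list is empty does flipping to `test_mode=False` make sense.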
You can enable or configure logging or email alerts, etc. as you see fit, or as your enterprise needs/requires.
This is something I have only just put into place, and it's still in testing and being watched. I'm hopeful it may block some of these malware phony antivirus apps that sneak in under the guise of helper apps, then annoy the user with pop-ups and other nasties.
Any input? I'm all ears! Ideas, suggestions, or even if you tell me "that won't do anything", I'm listening, but PLEASE be prepared to tell me WHY.
(I've attached a sample DAT file (zipped) you will need your own extension, but simply watch the application control logs in the monitor area and you'll see what's being blocked if you need to add exclusions or exceptions)