
How to use SEP to protect against rogue "browser helpers"

Created: 13 Apr 2009 • Updated: 11 Feb 2010 | 26 comments
Author: ShadowsPapa

Yes, I am a frustrated security administrator. I've been a security admin for roughly two decades, but only frustrated recently. Browsing used to be safe, relatively speaking. Now, even visiting mainstream news media sites can result in malware being installed. Even business-related web sites, in our case sites that cater to voc rehab, are either built by designers who need more money, or have been hacked.
And the rogue antivirus and security apps seem to be the vogue thing now. Because they aren't technically an application and require no special permissions to install, they are often installed as "browser helpers", their files being dropped in the user profile's "Application Data" folder, where the logged-in user has full rights regardless of their security level. When a browser helper launches, it can run scripts, perform downloads, and countless other nasty things.
I was going crazy because our endpoint protection was letting these in left and right, possibly in part because the files are ever-changing and signature detection simply doesn't work on them. They appear friendly! They are a helper, after all. Trusted. Microsoft wants your browsing experience to be SIMPLE, so they make it simple, for anyone and everyone that wants to help you!
I was at my wits' end when I started doing some real deep research. If these things get in by dropping DLL or HTM(L) files in the Application Data folder of the current user, why not monitor that, or even block such access?
With SEP, that's pretty easy to do.
As with any new change to SEP, be sure to run this in TEST MODE (log only) first, not in production! I sure am glad I did, or I would have blocked users' signature files used in Outlook!

First, in your Symantec Endpoint Protection Manager console, navigate to your Application and Device Control policy. It might be good to do this on a test group, even if you DO set the rule set to "Test (log only)" status.
In Application Control, add a rule set.
I named ours "Block bad BHOs".
Make it apply to all processes using the * in the upper dialog.
In the lower dialog, "Do not apply this rule to the following processes", I added C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE so that Word could use the HTML signature files for Outlook email. I caught that in the logs.

Next I added a condition: Load DLL Attempts. I applied it to the following:
%userprofile%\application data\*.dll
%userprofile%\application data\*\*.dll
On the Actions tab, I set it to Block and checked Enable logging.
That prevents any EXISTING malware helpers from loading, in case some already exist somewhere in a large environment.

I went back under the initial rule set and added another condition:
File and Folder Access Attempts
I added the above two lines to this condition as well, so that the DLL could not be created to begin with (the Load DLL condition only prevents EXISTING DLLs from being loaded),
and I added the following to this one:
%userprofile%\application data\*.ht*
%userprofile%\application data\*\*.ht*

So the end result was this under File and Folder Access Attempts, "Apply to the following files and folders":
%userprofile%\application data\*.ht*
%userprofile%\application data\*\*.ht*
%userprofile%\application data\*.dll
%userprofile%\application data\*\*.dll

I added this line to "Do not apply to the following files and folders":
%userprofile%\Application Data\Microsoft\Internet Explorer\desktop.htt
because it appears to be related to Active Desktop, which one user has enabled (still looking into this one, but it seemed harmless).

Under the Actions tab for File and Folder Access Attempts, for Create, Delete or Write, I checked Block and Enable logging.

Again, be sure not to put this into production until you have run it a while and looked at the logs for things it may block that you do NOT want blocked.
That's how I caught Word using the HTML files for Outlook signatures and excluded it; otherwise I'd have had a few angry users on my hands.
You can enable or configure logging, email alerts, etc. as you see fit, or as your enterprise needs/requires.
This is something I have only just put into place, and it's still in testing and being watched. I'm hopeful it may block some of these phony antivirus malware apps that sneak in under the guise of helper apps, then annoy the user with pop-ups and other nasties.

Any input? I'm all ears! Ideas, suggestions, or even if you tell me "that won't do anything", I'm listening, but PLEASE be prepared to tell me WHY.
Thanks

(I've attached a sample DAT file (zipped). You will need your own extensions, but simply watch the Application Control logs in the Monitors area and you'll see what's being blocked, if you need to add exclusions or exceptions.)
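The rule set above, as an added example that is not part of the original article and not SEP's own engine or the author's exported policy: a small Python model of how the process scope, the two conditions, the file exclusions and the "Test (log only)" setting combine, run over constructed file events. It shows which of the article's cases fall through to "allow" (Word writing Outlook signature HTML via the process exclusion, Active Desktop's desktop.htt via the file exclusion), which are only logged while the rule set is in test mode, and which would be blocked once it goes to production. The iexplore.exe, explorer.exe and profile paths and the sample events are assumptions, and the matcher assumes SEP's * wildcard matches across backslashes and compares paths case-insensitively.

```python
"""Model of the "Block bad BHOs" rule set applied to constructed events.
Example code, not SEP's engine and not the article's exported .DAT policy."""
from __future__ import annotations

import re
from dataclasses import dataclass, field, replace


def _glob_to_regex(pattern: str) -> re.Pattern:
    # Assumption: SEP's "*" matches any run of characters, backslashes
    # included, and path matching is case-insensitive like Windows itself.
    parts = [re.escape(p) for p in pattern.lower().split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def _expand(pattern: str, profile: str) -> str:
    # %userprofile% is resolved against the logged-in user's profile folder.
    return pattern.replace("%userprofile%", profile)


def _any_match(patterns: list[str], path: str, profile: str) -> bool:
    return any(_glob_to_regex(_expand(p, profile)).match(path.lower())
               for p in patterns)


@dataclass
class Event:
    process: str   # full path of the process making the attempt
    target: str    # file being created/written/deleted, or DLL being loaded
    op: str        # "create", "write", "delete", "read" or "load_dll"
    profile: str   # the user's profile folder, e.g. C:\Documents and Settings\jdoe


@dataclass
class Condition:
    kind: str                       # "load_dll" or "file_access"
    targets: list[str]              # "Apply to the following files and folders"
    excluded_targets: list[str] = field(default_factory=list)  # "Do not apply to..."
    block_ops: frozenset = frozenset()  # file_access only: operations to block


@dataclass
class RuleSet:
    name: str
    processes: list[str]            # upper dialog: processes the rule applies to
    excluded_processes: list[str]   # lower dialog: "Do not apply this rule to..."
    conditions: list[Condition]
    test_mode: bool = True          # "Test (log only)": record, never block


def evaluate(rs: RuleSet, ev: Event) -> str:
    """Return 'allow', 'log' (would block, but rule set is in test mode) or 'block'."""
    if not _any_match(rs.processes, ev.process, ev.profile):
        return "allow"
    if _any_match(rs.excluded_processes, ev.process, ev.profile):
        return "allow"  # e.g. WINWORD.EXE writing Outlook signature HTML
    for cond in rs.conditions:
        if cond.kind == "load_dll" and ev.op != "load_dll":
            continue
        if cond.kind == "file_access" and ev.op not in cond.block_ops:
            continue
        if not _any_match(cond.targets, ev.target, ev.profile):
            continue
        if _any_match(cond.excluded_targets, ev.target, ev.profile):
            continue  # e.g. Active Desktop's desktop.htt
        return "log" if rs.test_mode else "block"
    return "allow"


def review_log(rs: RuleSet, events: list[Event]) -> dict[str, list[str]]:
    """Test-mode triage: group would-be blocks by process so legitimate
    software that needs an exclusion stands out before going to production."""
    hits: dict[str, list[str]] = {}
    for ev in events:
        if evaluate(rs, ev) != "allow":
            hits.setdefault(ev.process, []).append(ev.target)
    return hits


APPDATA = r"%userprofile%\application data"
BLOCK_BAD_BHOS = RuleSet(
    name="Block bad BHOs",
    processes=["*"],
    excluded_processes=[r"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE"],
    conditions=[
        # Load DLL Attempts: stops helpers that are already on disk.
        Condition("load_dll", [APPDATA + r"\*.dll", APPDATA + r"\*\*.dll"]),
        # File and Folder Access Attempts: stops the files being dropped at all.
        Condition("file_access",
                  [APPDATA + r"\*.ht*", APPDATA + r"\*\*.ht*",
                   APPDATA + r"\*.dll", APPDATA + r"\*\*.dll"],
                  excluded_targets=[r"%userprofile%\Application Data\Microsoft\Internet Explorer\desktop.htt"],
                  block_ops=frozenset({"create", "delete", "write"})),
    ],
)
PRODUCTION = replace(BLOCK_BAD_BHOS, test_mode=False)

# Constructed events, not a real SEP log; the process and profile paths are assumed.
PROFILE = r"C:\Documents and Settings\jdoe"
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
WORD = r"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE"
SAMPLE_EVENTS = [
    Event(IE, PROFILE + r"\Application Data\helper.dll", "create", PROFILE),
    Event(IE, PROFILE + r"\Application Data\helper.dll", "load_dll", PROFILE),
    Event(IE, PROFILE + r"\Application Data\helper\popup.htm", "write", PROFILE),
    Event(WORD, PROFILE + r"\Application Data\Microsoft\Signatures\work.htm", "write", PROFILE),
    Event(r"C:\WINDOWS\explorer.exe", PROFILE + r"\Application Data\Microsoft\Internet Explorer\desktop.htt", "write", PROFILE),
    Event(IE, PROFILE + r"\Application Data\notes.txt", "write", PROFILE),
    Event(IE, PROFILE + r"\Application Data\helper.dll", "read", PROFILE),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{evaluate(BLOCK_BAD_BHOS, ev):5}  {ev.op:8}  {ev.target}")
    print("needs review:", review_log(BLOCK_BAD_BHOS, SAMPLE_EVENTS))
```

Running it in test mode prints "log" for the three browser events and "allow" for Word, Active Desktop, the .txt write and the plain read; `review_log` then lists only iexplore.exe, which is the kind of summary to scan for legitimate processes before flipping `test_mode` off. Widening the pattern list (the EXE patterns the author later adds, or the UPnP host DLL from the LocalService profile mentioned in the comments) is a matter of editing the `Condition` lists and re-running the same events.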

Comments (26)

Hear4U:

"Browser helpers" seem to be creeping up quite a bit these days - this article, from one of our trusted advisors, can help you utilize SEP to decrease/eliminate this problem.

Eric

check out the community at www.infoblox.com/community

ShadowsPapa:

I would like to add again: WATCH the logs closely. I caught another needed exclusion; that's why you should run in log mode, or test mode, not production, for a few days.
I believe this one would allow such things as sharing USB printers among networked computers, like we do in a few offices. Add this as an exclusion:

C:\Documents and Settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

The above is a valid Microsoft Windows file used in universal plug and play.
WMP prior to 11 used this for network file sharing, etc., but printers seem to also use it if shared.
As Eric mentioned, browser helpers are a commonly used "method" of getting fake AV and other bugs in, because it requires no special permissions and can be run from your own profile area, something any logged-in user has permissions to, just to be able to run software. I've seen 3 of them in the last 2 weeks or so. The latest one SEP prevented from doing damage, but this will prevent the files from being created to begin with.

dpease:

I am planning on talking with our security team about it this afternoon.

Thank you

Peter_007:

Article was a bit informative.

Symantec World:

Very useful article.

Regards, M.R

Tejas Shah:

Wow... after a long time I have really seen a post which gives a proactive approach to defending against a might-be problem.

susanthas-123:

The article is really good. This feature has been in the SEPM, but the only thing lacking to go active with this is usability. Executing this requires careful planning and may take months to test and then apply to the production environment. But nevertheless I have to agree that once applied it's pretty hard to break, until you apply a service pack or security updates, because that is going to change the signatures as well.

Nel Ramos:

This is one of the good articles I have read.
Hope to hear more soon, ShadowsPapa.

Just some feedback though.
Browser helpers are being tagged as Spyware by Microsoft AntiSpyware, and as malware or browser hijackers by some others, such as Panda Antivirus.

One example is the Yahoo! Assistant, formerly named 3721 Internet Assistant, a Browser Helper that is tagged as Spyware. It comes from a reputable site though.

Just my thoughts.

Nel Ramos

skjordansk:

Full of information! Good write-up, Papa!

Tejas Shah:

One tip page from symantec which shall help many...

http://service1.symantec.com/SUPPORT/ent-security....

Int3rn3t:

That's very informative and helpful. Will these settings also help to stop fake AVs getting installed?

ShadowsPapa:

Yes. In fact, I've even tightened things up a bit more, preventing EXEs from being created, etc.
In fact, I was able to stop a fake AV last week when 2 users hit www.yahoo.com and did searches. They saw a Viagra ad and immediately an EXE was targeting SEP's LU files, so I decided to block EXE creation. It's more of a pain, but I figure if our users have a LEGIT application that needs to load and run, I'll just create an exclusion. Otherwise, as far as I'm concerned, any EXE in the user profile does not belong and will be blocked.
Such "infections" have dropped quite a bit. The fake AV apps often install and get run as a phony BHO (browser helper object). That's how they get in, and what launches them. You start IE and you start the phony BHO as well.

Vikram Kumar-SAV to SEP:

This is really a good article and will help keep our systems safe from any kind of threat that comes via the browser, but this policy needs to be fine-tuned, as ShadowsPapa said, to allow your apps if they go there.

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search button. Do use it.

Frosty:

I tried downloading the ZIP, extracted the .DAT file and tried Import Policy... but nothing happens: no error, no new policy created. Any thoughts? I am running v11.0.5.

Frosty:

Decided to leave it overnight, came back to it today, ran the Import again... and it worked. I have no idea why, but I am off and running!

ShadowsPapa:

I'm attaching 2 new files. I think one is just the rogue AV and BHO part; the other I believe is the entire Application Control part.
I'm not sure if that's how these export or not, but one is twice the size of the other, so I must assume the smaller is the subset I have just for the rogue AV and browser helpers.
They are messy, but should give indications of the possibilities.
I wish I could sit down with an expert and fine-tune these and clean them up!

Knottyropes:

Well after dealing with this too many times this week, I am trying it out.

I imported the larger one and used only the BHO and ALOT toolbar part.
Next will have to figure out the logging part after running it for a few days.

Thanks for sharing this.

RickJDS:

Thanks ShadowsPapa it's been a while since I've been here and look forward to implementing this.  FakeAV is a pain to deal with.  I'm ready for this solution.  Been extremely busy implementing VOIP replacement for 300 phones and virtualizing servers and desktops for a new facility.  I hope I can start contributing again soon.

Andy Scott:

Appreciate the article. I read this when it was first posted, and am pleased to see an update.
I too am persevering with trying to really get into the nuts and bolts of Application and Device Control, but I'm finding a lack of examples and documentation around the extensive benefits we can gain through using it.
I'm managing a SEPM with over 13,000 endpoints. Although the BHO is a very helpful example/reference point, it gets very complicated quickly with this many clients running various software and OS versions. One issue I'm running into is performance, and the need to create so many exceptions for different executables, which seem to grind to a halt with these policies. I'm also finding I'm adding excluded processes under "Do not apply this rule to the following processes", however they don't seem to apply. One example below:

13:32:10 Block Default
wctestws01
testt Major Block UserProfile .dll Creation_Write File C:/Program Files/Macromedia/Fireworks MX 2004/Fireworks.exe C:/Documents and Settings/testt/Application Data/Macromedia/Fireworks MX 2004/Project_Log.htm

I've tried adding it using wildcards, full path, and even to the Centralised Exceptions as a tamper exclusion, but to no avail.
Any ideas?

I'd love a workshop on working solely in this section of SEPM, as it's very powerful.

Keep up the good work

Regards,
Andrew

postechgeek:

Interesting that I can't seem to get the application policy to work. I copied a test.dll file over to the %userprofile%\application data\ directory without any problem. I have the latest policy. Any ideas?

Mike

Tomek1201:

I had that same problem. I called Symantec support and they instructed me to install all features of SEP client. (I only had AV and PTP installed) Once that was installed it started blocking applications. 

jeffwichman:

Been away for awhile and this has to be one of the best security articles for SEP I've ever come across. Awesome work Shadowspapa!

Koz:

Testing this now, very well written article.

Thank you,
Andrew

UnmanagedPerson:

Fantastic, very informative. I'm a big SAV fan now getting ready to do my first SEPM production. I've been living in an unmanaged world so far.
Thanks
