Use SEP application control to block these:
Updated: 26 Sep 2010 | 4 comments
(see my article on using SEP app control to block bad BHOs and fake AV apps)
Here are some paths that a SINGLE threat attempted to exploit - this is a common one:
This is part of my policy here - I NOW block this since it was successful in getting into this area - I'd left a hole.
%userprofile%\templates\*.exe
Check these log entries below to see all the ways this one threat was trying to get in!
| Attempt | Caller Process Name | Target | User name |
|---|---|---|---|
| 1 | C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe | C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/av.exe | |
| 2 | C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe | C:/Documents and Settings/Jami.Schwickerath/Templates/av.exe | |
| 3 | C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe | C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/mtg/mtg.exe | |
| 4 | C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe | C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/mtg/MSASCui.exe | |
| 5 | C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe | C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/mtg/av.exe | |
| 6 | C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe | C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/Microsoft/Windows Defender/mtg.exe | |
| 7 | C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe | C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/Microsoft/Windows Defender/MSASCui.exe | |
| 8 | C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe | C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/Microsoft/Windows Defender/av.exe | |
| 9 | C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe | C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/mtg.exe | |
| 10 | C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe | C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/MSASCui.exe | |
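As an added example (not part of the original post or of SEP itself), a short Python script that checks Target paths like those in the export above against %userprofile% rules in the style of the one the post blocks, to see which attempts a policy would have stopped and which would slip through. The Application Data rule, the XP-style %userprofile% expansion and the `**\` "any depth" wildcard are assumptions made for this script, not SEP rule syntax.

```python
import re

# %userprofile% as laid out on the XP-era hosts in the export (script assumption).
USERPROFILE_RE = r"[a-z]:\\documents and settings\\[^\\]+"

# First rule is the one the post adds; the second is an assumed companion rule for
# the Application Data targets. "**\" is this script's own "any depth" convention.
RULES = [
    r"%userprofile%\templates\*.exe",
    r"%userprofile%\local settings\application data\**\*.exe",
]

def rule_to_regex(rule):
    """'*' stays inside one path component; '**\\' optionally spans sub-folders."""
    out = ["^"]
    for part in re.split(r"(\*\*\\|\*|%userprofile%)", rule.lower()):
        if part == "%userprofile%":
            out.append(USERPROFILE_RE)
        elif part == "**\\":
            out.append(r"(?:.*\\)?")
        elif part == "*":
            out.append(r"[^\\]*")
        else:
            out.append(re.escape(part))
    return re.compile("".join(out) + "$")

def matching_rule(path, rules=RULES):
    """First rule that would block this target, or None. Export uses '/' separators."""
    norm = path.replace("/", "\\").lower()
    for rule in rules:
        if rule_to_regex(rule).match(norm):
            return rule
    return None

def triage(targets, rules=RULES):
    """Split attempted targets into {blocked: rule} and the list no rule covers."""
    blocked = {t: r for t in targets if (r := matching_rule(t, rules))}
    return blocked, [t for t in targets if t not in blocked]

# Constructed sample: Target paths from the log above plus one legitimate
# Windows Defender install location that must stay allowed.
SAMPLE_TARGETS = [
    "C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/av.exe",
    "C:/Documents and Settings/Jami.Schwickerath/Templates/av.exe",
    "C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/mtg/mtg.exe",
    "C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/Microsoft/Windows Defender/MSASCui.exe",
    "C:/Program Files/Windows Defender/MSASCui.exe",
]
```

Run `triage(SAMPLE_TARGETS)` to get the four profile-area targets mapped to the rule that catches them and the Program Files path left in the uncovered list.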
Comments
Nice analysis of the logs.
Aniket
Thanks for sharing, certainly will be a big help.
In our most secure areas, we let nothing run from any part of the user's profile! This would be why.
Eric C. Lukens IT Security Policy and Risk Assessment Analyst University of Northern Iowa
My article on using SEP's application control basically blocks nearly everything from running under user profile areas. I have a group that does allow things; if an install is needed, we move the PC to that group, run the install, then move it back.
If it's a mass need, I create a specific exclusion.
It irritates some, but we've cut down big on the rogue AV and such.
My sites - http://theamcpages.com & http://antique-engines.com