Endpoint Protection

 View Only
Back to Library

Defeat Powerware Using SEP Application Control Policies 

Mar 31, 2016 06:09 PM

Starting about a week ago, PowerWare ransomware began to propagate in email campaigns using Word documents laced with macros.  PowerWare works by launching cmd.exe via macros contained within the infected Microsoft Word document.  The resulting cmd.exe process in turn calls PowerShell to perform encryption of the files.

PowerWare is a “fileless” malware variant so protection technologies that rely on file signatures or static attributes of executable files have difficulty protecting against this threat.  In the case of PowerWare, opening a Word document and enabling macros can lead to your files being encrypted and held for ransom by the attackers.  This is decidedly bad for business!

Fortunately, Symantec Endpoint Protection (SEP) customers can use some of the granular controls contained in our product to protect against these types of threats.  In particular, the Application Control feature of SEP can be used to provide much stronger controls.  As such, we created an Application Control policy to protect against PowerWare and other similar malware that provides two major safeguards.  

First, we prevent processes such as Microsoft Word, Excel, PowerPoint, etc. from launching cmd.exe and/or powershell.exe directly from within these applications.  Preventing cmd.exe and powershell.exe from being directly launched by applications such as Microsoft Word attacks the tactics exhibited by the malware.  There are extremely few, if any, valid business reasons to allow cmd.exe and powershell.exe process launch activity from within Microsoft Word and the other monitored applications.  Hence, any impacts to generic end user workstations should be noted in testing and handled as exceptions. 

Secondly, we prevent the monitored Microsoft applications from being able to tamper with cmd.exe or powershell.exe.  This prevents future variants of the malware from simply making a copy of cmd.exe or powershell.exe and then launching the copy of those programs.  While we have not seen this behavior exhibited so far, it does not require much imagination to see that this would be a technique for bypassing the previously discussed controls around process launches from within the monitored applications.  

The attached Application and Device control policy contains two rules to implement the controls described above.  They can be viewed after importing the attached sample policy and are shown in the illustration below.  

PowerWare Policy.png

 

Optionally, as an additional measure, Symantec also provides an Application Control rule set to prevent vulnerable Windows processes including Outlook, Excel, Word and others from being able to write executable files to disk.  This rule set is named  “Prevent vulnerable Windows processes from writing code [AC17]”.  While enabling this rule set can provide a strong additional control that may prove useful in preventing endpoint compromise, it is not enabled in the sample policy. 

When importing the sample policy, be sure to set the new rule sets to "Test/Log" mode and monitor the results via the SEP Manager to ensure that you do not create a negative business impact.

Statistics
0 Favorited
1 Views
1 Files
0 Shares
0 Downloads
Attachment(s)
zip file
Application and Device Control Policy - Anti-PowerWare.dat_.zip   24 KB   1 version
Uploaded - Apr 10, 2020
 
Download

Tags and Keywords

Comments

Migration User
Jul 26, 2017 03:51 AM

Hi Lamar,

In order to identify which spreadsheets or word documents caused the alerts, any ways to configure the rules or conditions to show the file names? From the logging, I can only see the executable like EXCEL.xls, etc.

 

Regards,

Andrew

Jesse.Cail
Jul 06, 2016 02:56 PM

We use Nitro, and I plan on trying it against that as well.  I'll check with their support before implementing, and report any significant findings back to the group.  Have you expanded your policy to include any other PDF readers?

Jesse.Cail
Jul 06, 2016 02:54 PM

Thanks for the share - I'm rolling this out today.  I'll post any significant events back to the thread. Additionally, is there any reason why notepad or calculator couldn't be included in this policy?

Sulman Mushtaq Mushtaq Hussain
Jun 19, 2016 04:52 AM

Anyone using this policy in their production ? How effective is it? Appreciate your feedbacks? Thanks

NateUT
Jun 03, 2016 09:00 AM

We've had this implemented since mid-April and haven't experienced many adverse effects (some Excel macros had issues but they were typically easy to resolve). Has anyone tested adding other common PDF readers to this policy (ex. Foxit Reader)?

Migration User
Apr 08, 2016 02:00 PM

For the reasons described above.

NateUT
Apr 08, 2016 01:17 PM

Hi Lamar - 

Thanks for providing this explaination!

Nate

Migration User
Apr 08, 2016 11:40 AM

Nate,

Thanks for your question!  You are actually using the right version of the policy.  I had originally included outlook.exe in the list of monitored processes, but you don't really need it to protect against this threat as the programs that are actually being launched are things like Word.  By monitoring Word, etc., and their sub-processes, you are getting the benefit you want. 

Why?  Well, that's quite a story...  I would have liked to have been able to leave Outlook in the list, but took it out after I noticed some unexpected behavior.  As it turns out, if you monitor Outlook and the processes created by Outlook, you end up applying the rules to things like the default web browser when someone clicks on a link in Outlook.  Browsers like Chrome for some reason tend to call cmd.exe on startup.  There are also some Firefox plugins that do this as well.  Hence, it is false positive prone. 

Sorry for the confusion.  Hope this helps! 

Regards,

Lamar

ℬrίαη
Apr 08, 2016 10:23 AM

Checked again and Outlook is included. Along with :

  • Word
  • Excel
  • Powerpoint
  • Adobe*
  • Acro*

 

So I'm not sure why yours doesn't have it. 

NateUT
Apr 08, 2016 10:19 AM

Is there a reason it wasn't included by default? Thinking about it a little more, I think I understand that by applying it to the programs that are typically sent in phishing emails as attachments (Word, PowerPoint, Excel), we're actually getting the intended benefit.

ℬrίαη
Apr 08, 2016 09:58 AM

Maybe Outlook wasn't included. You'll need to manually add it.
 

NateUT
Apr 08, 2016 09:56 AM

Hello -

I downloaded the policies and imported into my SEPM, but I noticed that outlook.exe is not included in the list of processes to apply to in the “Prevent Certain Process Launch Attempts from within Outlook, Word, etc.” and “Protect integrity of CMD.EXE and POWERSHELL.EXE". Was this an oversight, or am I potentially using an older version of the policy?

Viktor Guba
Apr 01, 2016 03:03 PM

Hi,

Nice share, Thank's!

Related Entries and Links

No Related Resource entered.