iwray
Level 7
Message 1 of 8

HIPs configuration for Cryptolocker

HIPs configuration to prevent Cryptolocker payload

7 Replies

Re: HIPs configuration for Cryptolocker

I'm not getting sound with this video - is there sound?

Re: HIPs configuration for Cryptolocker

Hi,

The rule doesn't work; a syntax error appears.

This is my rule:

Rule {
  tag "bloqueo escritura cryptolocker y Cryptowall"
  Class Files
  Id 4001
  level 4
  files
  {Include "*\\*odt" "*\\*.ods" "*\\*.odp" "*\\*.odm" "*\\*.odc" "*\\*.odb" "*\\*.doc" "*\\*.docx" "*\\*.ocm" "*\\*.wps" "*\\*.xls" "*\\*.xlsx" "*\\*.xlsm" "*\\*.xlsb" "*\\*.xlk" "*\\*.ppt" "*\\*.pptx" "*\\*.pptm" "*\\*.mdb" "*\\*.accdb" "*\\*.pst" "*\\*.dwg" "*\\*.dxf" "*\\*.dxg" "*\\*.wpd" "*\\*.rtf" "*\\*.wb2" "*\\*.mdf" "*\\*.dbf" "*\\*.psd" "*\\*.pdd" "*\\*.pdf" "*\\*.eps" "*\\*.ai" "*\\*.indd" "*\\*.cdr" "*\\*.jpe" "*\\*.jpg" "*\\*.dng" "*\\*.3fr" "*\\*.arw" "*\\*.srf" "*\\*.sr2" "*\\*.bay" "*\\*.crw" "*\\*.cr2" "*\\*dcr" "*\\*kdc" "*\\*erf" "*\\*mef" "*\\*mrw" "*\\*nef" "*\\*nrw" "*\\*orf" "*\\*raf" "*\\*raw" "*\\*rwl" "*\\*rw2" "*\\*r3d" "*\\*ptx" "*\\*pef" "*\\*srw" "*\\*.x3f" "*\\*.der" "*\\*.cer" "*\\*.crt" "*\\*.pem" "*\\*.pfx" "*\\*.p12" "*\\*.p7b" "*\\*.p7c"}
  Executable {Include "*"}
  user_name {Include "*"}
  directives files:write files:rename files:delete
}

This is the error:

++++++++++
tag::bloqueo escritura cryptolocker y Cryptowall::Failed
::::Failed
++++++++++
************
Rule {
tag "bloqueo escritura cryptolocker y Cryptowall"
Class Files
Id 4001
level 4
files
{Include "*\\*odt" "*\\*.ods" "*\\*.odp" "*\\*.odm" "*\\*.odc" "*\\*.odb" "*\\*.doc" "*\\*.docx" "*\\*.ocm" "*\\*.wps" "*\\*.xls" "*\\*.xlsx" "*\\*.xlsm" "*\\*.xlsb" "*\\*.xlk" "*\\*.ppt" "*\\*.pptx" "*\\*.pptm" "*\\*.mdb" "*\\*.accdb" "*\\*.pst" "*\\*.dwg" "*\\*.dxf" "*\\*.dxg" "*\\*.wpd" "*\\*.rtf" "*\\*.wb2" "*\\*.mdf" "*\\*.dbf" "*\\*.psd" "*\\*.pdd" "*\\*.pdf" "*\\*.eps" "*\\*.ai" "*\\*.indd" "*\\*.cdr" "*\\*.jpe" "*\\*.jpg" "*\\*.dng" "*\\*.3fr" "*\\*.arw" "*\\*.srf" "*\\*.sr2" "*\\*.bay" "*\\*.crw" "*\\*.cr2" "*\\*dcr" "*\\*kdc" "*\\*erf" "*\\*mef" "*\\*mrw" "*\\*nef" "*\\*nrw" "*\\*orf" "*\\*raf" "*\\*raw" "*\\*rwl" "*\\*rw2" "*\\*r3d" "*\\*ptx" "*\\*pef" "*\\*srw" "*\\*.x3f" "*\\*.der" "*\\*.cer" "*\\*.crt" "*\\*.pem" "*\\*.pfx" "*\\*.p12" "*\\*.p7b" "*\\*.p7c" }
Executable {Include "*"}
user_name {Include "*"}
directives files:write files:rename files:delete
}
ERROR: Invalid command name "Include "*\\*odt" "*\\*.ods" "*\\*.odp" "*\\*.odm" "*\\*.odc" "*\\*.odb" "*\\*.doc" "*\\*.docx" "*\\*.ocm" "*\\*.wps" "*\\*.xls" "*\\*.xlsx" "*\\*.xlsm" "*\\*.xlsb" "*\\*.xlk" "*\\*.ppt" "*\\*.pptx" "*\\*.pptm" "*\\*.mdb" "*\\*.accdb" "*\\*.pst" "*\\*.dwg" "*\\*.dxf" "*\\*.dxg" "*\\*.wpd" "*\\*.rtf" "*\\*.wb2" "*\\*.mdf" "*\\*.dbf" "*\\*.psd" "*\\*.pdd" "*\\*.pdf" "*\\*.eps" "*\\*.ai" "*\\*.indd" "*\\*.cdr" "*\\*.jpe" "*\\*.jpg" "*\\*.dng" "*\\*.3fr" "*\\*.arw" "*\\*.srf" "*\\*.sr2" "*\\*.bay" "*\\*.crw" "*\\*.cr2" "*\\*dcr" "*\\*kdc" "*\\*erf" "*\\*mef" "*\\*mrw" "*\\*nef" "*\\*nrw" "*\\*orf" "*\\*raf" "*\\*raw" "*\\*rwl" "*\\*rw2" "*\\*r3d" "*\\*ptx" "*\\*pef" "*\\*srw" "*\\*.x3f" "*\\*.der" "*\\*.cer" "*\\*.crt" "*\\*.pem" "*\\*.pfx" "*\\*.p12" "*\\*.p7b" "*\\*.p7c" "
REMOVED
************

Can you help me?

Thanks

iwray
Level 7
Message 4 of 8

Re: HIPs configuration for Cryptolocker

There is a txt file that can be used with the rule here:

Re: HIPs configuration for Cryptolocker

Thanks iwray for your help

Troja
Reliable Contributor
Message 6 of 8

Re: HIPs configuration for Cryptolocker

Hi all,

Has anyone tested this with HIPS 8.0 (latest patches), VSE 8.8 P4 (latest patches, also DXL) and Agent 5.0 with ePO 5.1.1?

Everything looks fine, but I do not get any event.

Cheers

Re: HIPs configuration for Cryptolocker

Hi, I cannot find the policy Custom_TrustedApplicationList in my ePO, so I can't make changes related to adding a Trusted Application based on Signer.

Is there any specific version of the HIPS package or extension containing that policy?

Re: HIPs configuration for Cryptolocker

No specific version is required. Ensure that you create a new Trusted Application policy (which you can name Custom_TrustedApplicationList).

(attached screenshot: HIPS-Custom_TrustedApplicationList.PNG)
