
Threat Advisories on W97M and Locky


Hey guys,

yet another question regarding the two currently released TAs:

McAfee wants us to add some specific folders to the Access-Protection-Rules.

For Example for the W97M:

Processes to include: * - so all are included

File or folder name to block: c:\users\user\appdata\roaming\*.exe - I think this won't work, as "user" is not specific. So I chose to use *\appdata\roaming\*.exe

I selected "Files being executed" and "New files being created".

BUT: Nothing is happening. I can create new *.exe files inside the Roaming folder as I like. I also tested the other solution from McAfee - nothing.

The same applies to the Locky TA. I ended up not specifying a folder here, but rather disallowing all programs from creating files named *.locky.

Is this a known problem, or am I missing something?

Regards

Dan

Accepted Solutions

Re: Threat Advisories on W97M and Locky


Hello,

try the following:

**\Users\*\AppData\*\*.exe

for the given Rule and which VSE/EP do you use?


Re: Threat Advisories on W97M and Locky


Hello,

we use VSE 8.8 P4.

I'll give it a try today and report back.

But on second thought, why would one only want to block the creation of *.locky files under AppData? Maybe the next locky.exe will hide somewhere else...

Best regards
Dan

Re: Threat Advisories on W97M and Locky


Hello,

those "*.locky" files are only the result of the encryption, and denying their creation will (my assumption) result in non-encrypted files, I guess. But denying the creation of the "encryption executable", the malware itself, in the user path is the first line of protection. Much, though not all, malware writes an executable into the user path, so this rule is good not only against Locky but against a whole range of malware and other unwanted programs.

greetings

Re: Threat Advisories on W97M and Locky


Hey mate,

you were absolutely right about the path declaration.

Can you explain why yours worked and mine did not? What do the two stars (**) at the beginning mean?

Best regards

Dan

Re: Threat Advisories on W97M and Locky


Hello,

I would like you to have a look at this one: McAfee KnowledgeBase - How to use wildcards when creating exclusions in VirusScan Enterprise 8.x or ...

All your questions will be answered there, and the English is a lot better than mine would be on this matter ;-)

greetings
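Dan's question about the leading ** is answered only by the KB pointer above, so here is an added illustration that is not part of the thread and not McAfee's code: a small Python model of the wildcard semantics the linked KB article documents for VirusScan Enterprise. The assumptions are that a single * (and ?) never matches across a backslash, that ** matches any run of characters including backslashes, and that matching is case-insensitive; the rule strings are the two from the thread, the paths are constructed. The mid-pattern ** in the last rule is a further assumption about what the product accepts, included only to show why a single * after AppData does not reach two levels down (e.g. AppData\Local\Temp).

```python
import re

# Assumed VSE wildcard semantics (per McAfee's wildcard KB article; this is a
# model for illustration, not McAfee's matcher):
#   *   matches any run of characters EXCEPT the backslash
#   ?   matches exactly one character EXCEPT the backslash
#   **  matches any run of characters, backslashes INCLUDED
# Windows paths are case-insensitive, so the regex is compiled with IGNORECASE.
def vse_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a VSE-style rule pattern into an anchored regular expression."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):        # must be tested before single '*'
            parts.append(r".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")            # stops at a directory separator
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^\\]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))  # literal, including '\' and '.'
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def vse_match(pattern: str, path: str) -> bool:
    """True if the whole path is matched by the rule pattern."""
    return vse_pattern_to_regex(pattern).fullmatch(path) is not None


# Rule strings from the thread plus one constructed variant with a mid-pattern '**'.
RULE_DAN_LITERAL = r"c:\users\user\appdata\roaming\*.exe"   # Dan's first attempt
RULE_DAN_WILDCARD = r"*\appdata\roaming\*.exe"              # Dan's second attempt
RULE_ACCEPTED = r"**\Users\*\AppData\*\*.exe"               # accepted answer
RULE_DEEP = r"**\Users\*\AppData\**\*.exe"                  # constructed, assumption

# Constructed sample paths (no real incident data).
PATH_ROAMING = r"C:\Users\dan\AppData\Roaming\evil.exe"
PATH_USER_NAMED_USER = r"C:\Users\user\AppData\Roaming\evil.exe"
PATH_LOCAL_TEMP = r"C:\Users\dan\AppData\Local\Temp\evil.exe"


def evaluate_thread_rules():
    """Return {rule: {path: matched}} for every rule/path combination above."""
    rules = {
        "dan literal": RULE_DAN_LITERAL,
        "dan wildcard": RULE_DAN_WILDCARD,
        "accepted": RULE_ACCEPTED,
        "deep (assumed)": RULE_DEEP,
    }
    paths = {
        "roaming": PATH_ROAMING,
        "user named 'user'": PATH_USER_NAMED_USER,
        "local\\temp": PATH_LOCAL_TEMP,
    }
    return {
        rname: {pname: vse_match(rpat, ppath) for pname, ppath in paths.items()}
        for rname, rpat in rules.items()
    }


if __name__ == "__main__":
    for rule, results in evaluate_thread_rules().items():
        for path, hit in results.items():
            print(f"{rule:16s} {path:20s} {'BLOCK' if hit else 'allow'}")
```

Running it shows why Dan saw nothing happen: his pattern starts with a single *, which cannot swallow "C:\Users\dan" because that span contains backslashes, so the rule never matches a real path and nothing is blocked. The accepted pattern starts with **, which does cross separators, so it matches whatever drive and user name the path carries. The last row is the caveat: a single * between AppData and the file name matches only one directory level, so an executable dropped in AppData\Local\Temp is not covered by the accepted rule as written; whether a ** in that position is honoured is something to verify in the KB article rather than assume.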