7 Replies Latest reply on Jan 6, 2010 2:34 PM by jctech

    PUPS

    sthayden

Is there any way to add a wildcard file name into the User-Defined section? I got an error when trying to do so and I was curious if there was another way. We got hit with the new SysGuard malware variant yesterday and neither VSE nor Artemis is picking it up. The reason I want the wildcard is because it is changing its name every time I see it; for example, 2 of the different names I saw were mgwcsysguard.exe and sagssysguard.exe. There were others that I saw and manually cleaned, but I was hoping that I could add a *sysguard.exe wildcard or something so it will kill any file that is in that format from running. Also, this thing hit with Artemis on Medium and Very High, and with all PUPS Scan Items checked.

        • 1. Re: PUPS

          Within the OnAccess Scanner you can only add exclusions in the user defined section. So perhaps I'm misunderstanding.


What you can do is use the Access Protection option from the console. Use the User Defined Rules, create a new one, File/Folder blocking. Here you can use wildcards.


          Hope this helps.

          • 2. Re: PUPS
            sthayden

That was exactly what I was looking for; I didn't even think to put that in there. Hopefully that takes care of it, because manually removing that thing was getting really time consuming. Thank you!

            • 3. Re: PUPS
              nashcoop

I have been experiencing the same issue since Christmas Eve with sysguard infections, and was wondering how I could create a wildcard blocking rule. Thanks for the info. More specifically, what would the wildcard be named? Would *sysguard.exe work?


              Thanks

              • 4. Re: PUPS

                It doesn't matter how you put in the filename. What you mentioned is fine.


                acooper wrote:


I have been experiencing the same issue since Christmas Eve with sysguard infections, and was wondering how I could create a wildcard blocking rule. Thanks for the info. More specifically, what would the wildcard be named? Would *sysguard.exe work?


                Thanks

                • 5. Re: PUPS

                  Is there a way to do this in EPO?

                  • 6. Re: PUPS
                    sthayden

                    Yes there is, and it works like a charm!


Go to your Policy Catalog and, under your VSE version, select Access Protection Policies. Click Edit on your active policy and, once in there, click on User-Defined Rules and click New. Check File/Folder Blocking Rule once it comes up, name your rule, and in the field "File or folder name to block: (Wildcards are allowed)" type in *sysguard.exe


In the check boxes on the bottom, check all except "Files being deleted".


This will stop the sysguard.exe file from even being created, and if a computer is infected, it gets removed if you reboot the computer.

                    • 7. Re: PUPS

                      Awesome! Thanks!