6 Replies Latest reply on May 17, 2011 12:09 AM by Attila Polinger

    ePO 4.5 - Prevent Common Programs from Running from Temp Folder

      Hi, I would like to know if setting a Block Rule on "Prevent Common Programs From Running from the Temp Folder" will cause any issue with normal execution of programs? Will this block cause common programs to display errors?

      Also, I am on ePO 4.5 and up till now, I have not put a Block on this rule. I recently got a report from 3 users who claim they have a "TCP/IP protocol stack out of memory error" in their Lotus Notes.


      Upon investigating, I discovered that Access Protection Policy in VSE 8.8 has some issues. Here is a small capture of the info :


      5/11/2011          2:27:44 PM          Blocked by port blocking rule           C:\Documents and Settings\richard_tumaliuan\Application Data\winlogon.exe          Anti-virus Standard Protection:Prevent IRC communication          199.71.212.91:6667

      5/11/2011          2:28:00 PM          Blocked by Access Protection rule           STTP-SIN\richard_tumaliuan          C:\WINDOWS\Explorer.EXE          C:\Documents and Settings\richard_tumaliuan\Local Settings\Temp\is-NQ67V.tmp\7kra26ww.tmp          Common Standard Protection:Prevent common programs from running files from the Temp folder          Action blocked : Execute

      5/11/2011          2:28:49 PM          Blocked by port blocking rule           C:\Documents and Settings\richard_tumaliuan\Application Data\winlogon.exe          Anti-virus Standard Protection:Prevent IRC communication          199.71.212.91:6667

      5/11/2011          2:29:49 PM          Blocked by port blocking rule           C:\Documents and Settings\richard_tumaliuan\Application Data\winlogon.exe          Anti-virus Standard Protection:Prevent IRC communication          199.71.212.91:6667

      5/11/2011          2:30:49 PM          Blocked by port blocking rule           C:\Documents and Settings\richard_tumaliuan\Application Data\winlogon.exe          Anti-virus Standard Protection:Prevent IRC communication          199.71.212.91:6667

      5/11/2011          2:31:54 PM          Blocked by port blocking rule           C:\Documents and Settings\richard_tumaliuan\Application Data\winlogon.exe          Anti-virus Standard Protection:Prevent IRC communication          199.71.212.91:6667


      Something is trying to use IRC to contact 199.71.212.91:6667 every minute. In addition, Access Protection did not block an execute rule from the temp folder for kra26ww.tmp. This file is random, and I couldn't find the file in the temp folder either.


      Would it be advisable to just enable Block for this rule?


      Also, VSE 8.8 ran a Full Scan once every week, but it couldn't find any viruses or malware.

      I have to use Malwarebytes to capture some of the trojans that are causing this problem.
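The log lines in the post, parsed and checked for the two things a defender would pull out of them: a destination hit at a near-constant interval from the same process, and an execution blocked out of a Temp folder. This is an added example, not code from the post or from McAfee; its sample log is a constructed copy of the post's layout with placeholder user, host and destination address.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample in the layout of the Access Protection log quoted in the post
# (fields separated by runs of spaces); user, host and address are placeholders.
SAMPLE_LOG = """\
5/11/2011   2:27:44 PM   Blocked by port blocking rule   C:\\Documents and Settings\\jdoe\\Application Data\\winlogon.exe   Anti-virus Standard Protection:Prevent IRC communication   203.0.113.5:6667
5/11/2011   2:28:00 PM   Blocked by Access Protection rule   HOST\\jdoe   C:\\WINDOWS\\Explorer.EXE   C:\\Documents and Settings\\jdoe\\Local Settings\\Temp\\is-NQ67V.tmp\\7kra26ww.tmp   Common Standard Protection:Prevent common programs from running files from the Temp folder   Action blocked : Execute
5/11/2011   2:28:49 PM   Blocked by port blocking rule   C:\\Documents and Settings\\jdoe\\Application Data\\winlogon.exe   Anti-virus Standard Protection:Prevent IRC communication   203.0.113.5:6667
5/11/2011   2:29:49 PM   Blocked by port blocking rule   C:\\Documents and Settings\\jdoe\\Application Data\\winlogon.exe   Anti-virus Standard Protection:Prevent IRC communication   203.0.113.5:6667
5/11/2011   2:30:49 PM   Blocked by port blocking rule   C:\\Documents and Settings\\jdoe\\Application Data\\winlogon.exe   Anti-virus Standard Protection:Prevent IRC communication   203.0.113.5:6667
5/11/2011   2:31:54 PM   Blocked by port blocking rule   C:\\Documents and Settings\\jdoe\\Application Data\\winlogon.exe   Anti-virus Standard Protection:Prevent IRC communication   203.0.113.5:6667
"""

def parse_log(text):
    """Split on runs of 3+ spaces (paths contain single spaces); keep both event kinds."""
    events = []
    for line in text.splitlines():
        f = re.split(r" {3,}", line.strip())
        if len(f) < 6:
            continue
        ev = {"time": datetime.strptime(f"{f[0]} {f[1]}", "%m/%d/%Y %I:%M:%S %p")}
        if f[2] == "Blocked by port blocking rule":      # process, rule, ip:port
            ev.update(process=f[3], rule=f[4], dest=f[5])
        elif len(f) >= 8:                                 # user, process, target, rule, action
            ev.update(user=f[3], process=f[4], target=f[5], rule=f[6], action=f[7])
        events.append(ev)
    return events

def find_beacons(events, min_hits=4, tolerance=15):
    """Return {(process, dest): period_s} for destinations hit at a near-constant interval."""
    by_pair = {}
    for ev in events:
        if "dest" in ev:
            by_pair.setdefault((ev["process"], ev["dest"]), []).append(ev["time"])
    beacons = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and all(abs(g - median(gaps)) <= tolerance for g in gaps):
            beacons[pair] = median(gaps)   # the period; the post's lines give roughly one minute
    return beacons

def find_temp_executions(events):
    """Executions blocked out of a Temp folder (what the rule in the question stops)."""
    return [ev["target"] for ev in events
            if ev.get("action") == "Action blocked : Execute" and "\\temp\\" in ev["target"].lower()]
```

A process named like a Windows system binary but running from a user profile, as on the port-blocking lines, is itself worth flagging alongside the beacon period.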

        • 1. Re: ePO 4.5 - Prevent Common Programs from Running from Temp Folder
          Attila Polinger

          Hi,


          I would like to know if setting a Block Rule on "Prevent Common Programs From Running from the Temp Folder" will cause any issue with normal execution of programs? Will this block cause common programs to display errors?


          I would say this rule would block all software installations that use the Temp folder to decompress their work files before starting the actual installer file. Accordingly, their installers will complain.

          As for the other problem of yours: it is very likely to me that there is a trojan on those 3 computers of yours, because of these: very frequent attempts to use the port, and by two executables under which trojans love to hide. To prevent trojans from hiding under these executables, use the "Prevent programs registering to autorun" rule with the block and notify option.


          Would it be advisable to just enable Block for this rule?


          If you mean to use the rule preventing Temp folder usage to run programs, my answer would be "it depends".


          I would say you have a downloader which is trying to contact its server to download the most recent copy of the trojan. Perhaps you should use Artemis in VSE 8.8 on demand scan, set to higher levels to detect this downloader.


          In addition, Access Protection did not block an execute rule from temp folder for kra26ww.tmp


          Perhaps because the process that created it is in the Exclude list on the rule in question.


          Attila

          • 2. Re: ePO 4.5 - Prevent Common Programs from Running from Temp Folder

            Hi Attila, thanks for the reply. I have set the settings according to your advice.

            Which level would you advise setting the Artemis (under On-Demand Scan) to? Currently, it's set at Very Low.


            In addition, is it advisable to increase the Artemis level on On-Access Scanner as well?


            Hopefully, you can advise setting Artemis at a level at which it is easy enough to catch these trojans and at the same time does not decrease the users' system performance.


            Thank you.

            • 3. Re: ePO 4.5 - Prevent Common Programs from Running from Temp Folder
              Sailendra Pamidi

              For Artemis / Global Threat Intelligence settings, you may want to refer to the VSE 8.8 Best Practices Guide Page 11 - Configuring Artemis. (PD22940 in the Knowledge Base).

              • 4. Re: ePO 4.5 - Prevent Common Programs from Running from Temp Folder
                Attila Polinger

                Hi Weak_pig,


                 I find it beneficial to raise Artemis in ODS to the Medium level (we do). We use Artemis on the Low level in OAS.

                 Artemis, in my opinion, does not decrease performance, because this is a DNS reverse lookup for the hashes of files that were considered suspicious by heuristics. So there are several preconditions before Artemis actually triggers (heuristics turned on, set to file heuristics, and a file should be deemed "suspicious" by the heuristics).

                 Usually what I see is that on Low it detects many key generator files (that is, I assume a "key generator" nature found in a file is more commonly suspicious and falls into the mass hash collection under the "Low" category at the Artemis server).


                Attila

                • 5. Re: ePO 4.5 - Prevent Common Programs from Running from Temp Folder

                   Great then! I will follow your advice. Thanks to Attila and Sailendra for the help!

                  • 6. Re: ePO 4.5 - Prevent Common Programs from Running from Temp Folder
                    Attila Polinger

                    Hi,


                     One more thing for you to consider: McAfee has released the GTI proxy for free. This proxies Artemis lookups so clients won't need to go to the internet. You can install as many proxies as you like, and with ePO send the proxy information to clients. Clients will turn to these proxies first when doing Artemis lookups.

                    This proxy is a virtual machine image.


                     Attila