0 Replies Latest reply on Apr 29, 2013 9:38 PM by mcafeenewb

    UDR Access Protection Rule to combat Fake Alert Malware

    mcafeenewb

      Hi All,

       

      I have been playing with some custom UDR's with Access Protection and found something I think may be usefull and felt it was worth sharing.  We have had a small challenge with "Fake Alert" since it typcally creates an exutable with in a subdirectory of C:\ProgramData.  We currently use other UDR's to protect from creation of .exe's & .dll's directly under the ProgramData directory but we cannot use the same logic for subdirectories, we would most likely get some false detections.  Here is what I have tried and feel it may work.

       

      User Defined Rule Name:           Prevent Fakey: **\ProgramData\*\*.exe

      Processes to include:                   *\Users\*\*.exe, *\Users\*\AppData\Local\Temp\*

      File or fildername to block:           **\ProgramData\*\*.exe

      File Actions to prevent:                  new files being created

       

       

      For testing purposes I had created an executable that would mimic FakeAlert and create an .exe within a subdirectory of ProgramData (C:\ProgramData\RandomFolderName\RandomFileName.EXE).

      So far I have tested this rule and it appears to work as designed.  If I run my fake malware from any directory outside of the "Processes to include" directories it will allow me to, if I attempt to run it from the top of my user profile folder or from with in the Temp folder it protects my system.

       

      Typically we have written UDR's to indicate which processes to exclude, but for this I felt it was more efficiant to flip the logic around and allow all except X,Y or Z.

       

      What does this prove you ask?  Well it proves that VSE offers the ability to manipulate creation of unknown files or file types in locations where those files or file types should not exist; or even better manage what can or cannot create files in certain areas.

       

      I encourage others to try this in their environment (report only of course).  The above example was written for Windows 7 folder structures but I am sure it can be easily modded for XP as well.