0 Replies Latest reply on Jan 2, 2015 9:52 AM by nintendo1889

    Block ElDos RawDisk Drivers (Used In DarkSeoul, Shamoon, Trojan-Wiper, Destover)

    nintendo1889

      I've added a rule to block the Destover malware, which was used in the Sony Trojan wiper malware.


      • Add a custom rule => Block file creation => elrawdsk*.*
      • Process: *
      • File actions to prevent: Write access to files (not necessary, but I'd leave it in for good measure, in case something gets past the next two rules)
      • Files being executed
      • New files being created


      This is in addition to the rules in PD25630. In our experience, the rule on page three, "Prevent remote creation/modification of executable and configuration files", can cause conflicts with advanced domain login scripts that run programs and batch files which exist on network shares. Also we are managing many different customer environments, many of which have their own custom http/ftp blocking rules (access protection, common maximum protection, prevent ftp, http communication). We can't create one single http/ftp rule list for all customers as we have tried this before and have reached the limit of the "processes to exclude" rules that we can add.


      Here's some more background information from a Japanese site:

      http://translate.google.com/translate?hl=en&sl=ja&u=http://d.hatena.ne.jp/Kango/20141228/1419787781&prev=search


      This site is clean:

      https://www.siteadvisor.com/sites/d.hatena.ne.jp


      https://www.siteadvisor.com/sites/hatena.ne.jp
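The following is an added example, not code from the post above or from McAfee: a small Python model of the Access Protection rule the post describes (process `*`, file pattern `elrawdsk*.*`, write/execute/create blocked), run over a few constructed file-event records to show which events the rule would stop and which it would not. The `RULE` field names, the event format and the sample paths are assumptions made for the example. One caveat it makes visible: the example uses strict glob semantics, so `elrawdsk*.*` only matches names containing a dot, whereas several Windows file APIs treat `*.*` as matching any name; check how your product interprets the pattern before relying on it.

```python
import fnmatch
import ntpath

# Constructed model of the rule from the post; the field names are assumptions for this example.
RULE = {
    "name": "Block ElDos RawDisk driver files",
    "process": "*",                       # Process: * (any process)
    "file_pattern": "elrawdsk*.*",        # Block file creation => elrawdsk*.*
    "blocked_actions": {"write", "execute", "create"},
}


def _glob_ci(value, pattern):
    """Case-insensitive wildcard match, since Windows file names are case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def rule_blocks(rule, process, path, action):
    """Return True if the rule would block this file event.

    Strict glob semantics are used here: 'elrawdsk*.*' requires a dot in the
    file name, so a name without an extension does not match. Some Windows
    APIs treat '*.*' as matching every name; this example does not.
    """
    return (
        _glob_ci(process, rule["process"])
        and _glob_ci(ntpath.basename(path), rule["file_pattern"])
        and action in rule["blocked_actions"]
    )


# Constructed sample file events (process, path, action). These are not real logs.
SAMPLE_EVENTS = [
    ("C:\\Windows\\Temp\\setup.exe", "C:\\Windows\\System32\\drivers\\elrawdsk.sys", "create"),
    ("C:\\Windows\\Temp\\setup.exe", "C:\\Windows\\Temp\\ELRAWDSK.SYS", "write"),
    ("C:\\Program Files\\App\\app.exe", "C:\\Program Files\\App\\config.ini", "create"),
    ("C:\\Windows\\explorer.exe", "C:\\Users\\me\\elrawdsk", "create"),   # no dot: not matched
    ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\drivers\\elrawdsk.sys", "read"),
]


def evaluate(events, rule=RULE):
    """Apply the rule to each event and return (process, path, action, verdict) tuples."""
    results = []
    for process, path, action in events:
        verdict = "BLOCK" if rule_blocks(rule, process, path, action) else "allow"
        results.append((process, path, action, verdict))
    return results


def count_blocked(events, rule=RULE):
    """Number of events in the sample that the rule would block."""
    return sum(1 for _, _, _, v in evaluate(events, rule) if v == "BLOCK")


if __name__ == "__main__":
    for process, path, action, verdict in evaluate(SAMPLE_EVENTS):
        print(f"{verdict:5} {action:7} {path} (by {ntpath.basename(process)})")
```

The read event and the extension-less name both fall through as "allow", which is exactly the kind of gap to look for when testing a custom rule against your own file-event telemetry before deploying it.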