Issue
- Configure additional ESET Remote Administrator (6.3 and later) Firewall rules to protect against Filecoder (ransomware) malware
Solution
With ESET default settings, ff malicious code with a dropper is executed, ESET Endpoint Security will prevent the download of the malware with the integrated Firewall.
To further help prevent ransomware malware on your Windows systems with ESET Endpoint Security, create the following additional policy rules in ESET Remote Administrator version 6.3 or later:
Do not adjust policies on production systems
The following policy settings are additional configurations and the specific settings needed for your security environment may vary. We recommend that you test the settings for each implementation in a test environment before using them in a production environment.
Open ESET Remote Administrator Web Console (ERA Web Console) in your web browser and log in. How do I open ERA Web Console?
- Click Admin → Policies, select the Agent policy being applied to your server(s) (your default parent policy) and then click Policies → Edit.
Alternatively, you can create a new policy in ESET Remote Administrator (6.x).
- Expand Settings → Personal Firewall and verify that Enable Botnet protection is enabled.
Click Edit next to Rules.
- In the Firewall rules window, click Add.
- Under the General tab, type the following rule name into the Name field:
Deny network connections for cmd.exe (native)
- Use the following configuration for the rule:
- From the Direction drop-down menu, select Both.
- From the Action drop-down menu, select Deny.
- From the Protocol drop-down menu, select Any.
- From the Profile drop-down menu, select Any profile.
Click the Local tab and in the Application field, type in the following file path:
C:\Windows\System32\cmd.exe
- Click OK, click Add, and then repeat steps 5 – 7 to create the following list of rules:
- Name: Deny network connections for cmd.exe (SysWOW64)
Application: C:\Windows\SysWOW64\cmd.exe - Name: Deny network connections for wscript.exe (native)
Application: C:\Windows\System32\wscript.exe - Name: Deny network connections for wscript.exe (SysWOW64)
Application: C:\Windows\SysWOW64\wscript.exe - Name Deny network connections for cscript.exe (native)
Application: C:\Windows\System32\cscript.exe - Name: Deny network connections for cscript.exe (SysWOW64)
Application: C:\Windows\Syswow64\cscript.exe - Name: Deny network connections for powershell.exe (native)
Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Name: Deny network connections for powershell.exe (SysWOW64)
Application: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Name: Deny network connections for ntvdm.exe
Application: C:\Windows\System32\ntvdm.exe - Name: Deny network connections for regsvr.exe (native)
Application: C:\Windows\System32\regsvr.exe - Name: Deny network connections for regsvr.exe (SysWOW64)
Application: C:\Windows\SysWOW64\regsvr.exe - Name: Deny network connections for rundll32.exe (native)
Application: C:\Windows\System32\rundll32.exe - Name: Deny network connections for rundll32.exe (SysWOW64)
Application: C:\Windows\SysWOW64\rundll32.exe
- Click OK → Finish when you have finished adding all rules.