In order for people to obtain cryptocurrency without purchasing it, the currency needs to be mined. Mining uses the processing power of a computer to solve mathematical problems with hashing functions to mine “coins.”
Obviously, having computers running cryptominers becomes a problem when people within and outside of your organization are using your systems without your knowledge. Mining can impact your business processes and electricity bills.
How can Cb Protection Help?
Customers with their endpoints running Cb Protection in High Enforcement will likely be protected from the majority of cryptomining processes. But for added protection, or for those endpoints that have not yet moved to High Enforcement (or are not planned for High Enforcement), the Cryptomining Rapid Config can help.
Rapid Config Details
The Cryptomining Rapid Config focuses on blocking or reporting on executables and command lines matching specific parameters.
As with most Rapid Configs you can choose to Do Nothing, Report, or Block the items or behaviors in the section. This Rapid Config consists of a single section which defaults to reporting on Cryptomining file executions.
In the process of researching Cryptominers our Threat Research team determined that the majority of these executables had the following filenames or paths:
You might be wondering why taskhost.exe is on that list. While taskhost.exe is a Windows process, it doesn't reside directly in the Windows directory; the legitimate taskhost.exe lives in the system32 directory. So if taskhost.exe is running out of the Windows directory itself, it is likely a malicious file.
If you are getting blocks or reports on legitimate files because of this list of executables, you can add exceptions. For example, if you have an internally developed application that resides at C:\Program Files\MyBiz\streamer\ and it is getting blocked, you could add the application name to the exception list like *\streamer\myapp.exe.
There are several common parameters that are used by cryptomining tools when they are launched. These parameters are:
Using the cmdline macro, the Cb Protection Windows agent can look for any of these parameters when an executable is launched. If it sees any process launching with any of these parameters, the process will be terminated.
Just like with the executables, you can add exceptions to this list. For example, if you have an executable called myapp.exe that uses a -cpu-affinity parameter, you can exclude your application from being blocked or reported on by adding <cmdline:*-cpu-affinity*>myapp.exe to the Command Lines That Should Not Be Reported area.
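To make the matching and exception logic described above concrete (the executable list with its path exceptions, and the cmdline macro with its <cmdline:...>exe exceptions), here is a small added Python model of how such a section evaluates a process launch. It is example code written for this page, not Cb Protection's own implementation, and it assumes that patterns are shell-style wildcards matched case-insensitively against the full image path or command line, and that a <cmdline:PATTERN>EXE exception suppresses a hit only when both the command line and the image file name match. The watched executable, the exception paths and the -cpu-affinity parameter are the ones the page itself mentions; the process-launch events are constructed.

```python
"""Toy model of the Cryptomining Rapid Config matching logic (added example).

Assumptions, not documented Cb Protection behaviour:
  * executable patterns/exceptions are wildcards matched against the full
    lower-cased image path (so '*\\streamer\\myapp.exe' matches any drive);
  * command-line patterns are wildcards matched against the whole command line;
  * an exception written as <cmdline:PATTERN>EXE suppresses a command-line hit
    only when PATTERN matches the command line and EXE matches the file name.
"""
import re
from dataclasses import dataclass, field
from enum import Enum
from fnmatch import fnmatchcase


class Action(Enum):
    DO_NOTHING = "do nothing"
    REPORT = "report"
    BLOCK = "block"


def _match_any(value: str, patterns: list[str]) -> bool:
    """Case-insensitive wildcard match of value against any of the patterns."""
    v = value.lower()
    return any(fnmatchcase(v, p.lower()) for p in patterns)


_CMDLINE_EXC = re.compile(r"^<cmdline:(?P<cmd>.*)>(?P<exe>.*)$")


def parse_cmdline_exception(entry: str) -> tuple[str, str]:
    """Split '<cmdline:*-cpu-affinity*>myapp.exe' into (cmdline pattern, exe pattern)."""
    m = _CMDLINE_EXC.match(entry.strip())
    if not m:
        raise ValueError(f"not a <cmdline:...>exe exception: {entry!r}")
    return m.group("cmd"), m.group("exe")


@dataclass
class CryptominingSection:
    action: Action = Action.REPORT          # the page says the section defaults to Report
    executables: list[str] = field(default_factory=list)
    executable_exceptions: list[str] = field(default_factory=list)
    cmdlines: list[str] = field(default_factory=list)
    cmdline_exceptions: list[str] = field(default_factory=list)

    def evaluate(self, image_path: str, cmdline: str) -> tuple[Action, str]:
        """Return (action, reason) for a single process launch."""
        if self.action is Action.DO_NOTHING:
            return Action.DO_NOTHING, "section set to Do Nothing"
        exe_name = image_path.replace("/", "\\").rsplit("\\", 1)[-1]
        # Executable list first: path match unless an exception path also matches.
        if _match_any(image_path, self.executables):
            if _match_any(image_path, self.executable_exceptions):
                return Action.DO_NOTHING, "executable excepted"
            return self.action, "executable matched"
        # Then the cmdline macro: parameter match unless a <cmdline:..>exe entry excepts it.
        if _match_any(cmdline, self.cmdlines):
            for entry in self.cmdline_exceptions:
                cmd_pat, exe_pat = parse_cmdline_exception(entry)
                if _match_any(cmdline, [cmd_pat]) and _match_any(exe_name, [exe_pat]):
                    return Action.DO_NOTHING, "command line excepted"
            return self.action, "command line matched"
        return Action.DO_NOTHING, "no match"


# Constructed section using only the patterns the page mentions. The legitimate
# taskhost.exe lives in System32, so only a copy directly under \Windows\ is watched.
SECTION = CryptominingSection(
    executables=[r"*\Windows\taskhost.exe"],
    executable_exceptions=[r"*\streamer\myapp.exe"],
    cmdlines=["*-cpu-affinity*"],
    cmdline_exceptions=["<cmdline:*-cpu-affinity*>myapp.exe"],
)

# Constructed process-launch events: (image path, full command line).
SAMPLE_LAUNCHES = [
    (r"C:\Windows\taskhost.exe", r'"C:\Windows\taskhost.exe"'),
    (r"C:\Windows\System32\taskhost.exe", r'"C:\Windows\System32\taskhost.exe"'),
    (r"C:\Program Files\MyBiz\streamer\myapp.exe",
     r'"C:\Program Files\MyBiz\streamer\myapp.exe" -cpu-affinity 3'),
    (r"C:\Users\alice\tool.exe", r'"C:\Users\alice\tool.exe" -cpu-affinity 1'),
]


def run(section: CryptominingSection = SECTION, launches=SAMPLE_LAUNCHES):
    """Evaluate every sample launch and return the (action, reason) list."""
    return [section.evaluate(path, cmd) for path, cmd in launches]


if __name__ == "__main__":
    for (path, _), (action, why) in zip(SAMPLE_LAUNCHES, run()):
        print(f"{action.value:10} {why:24} {path}")
```

Running the module shows the default Report section reporting the taskhost.exe copy under \Windows\ and the unknown tool launched with -cpu-affinity, while the System32 copy and the excepted myapp.exe produce no hit; switching the section's action to Block changes those two hits to blocks without altering the exceptions.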