We’re migrating product documentation to docs.vmware.com, starting with Carbon Black Cloud. Learn more.

Windows Installer Embedded File Protection Rapid Config

Windows Installer Embedded File Protection Rapid Config

What are Embedded MSI files?

Recently, our threat team posted about a feature in Windows that when abused could lead to unauthorized code execution bypassing code signing checks.  This is done by appending malicious jar files to msi files.

To read more about what our threat team found, please see this UeX post.

 

How can CB Protection help?

The Windows Installer Embedded File Protection Rapid Config focuses on blocking or reporting jar files that are appended to msi files and other related Microsoft installer formats.

 

Requirements

The java.exe script rule needs to be enabled.

CB Protection Server version 8.0 Patch 7 and above.

If you are running a version of Cb Protection Server 8.0 prior to 8.0.Patch 7 you are able to import a rule to provide this coverage.  You should follow the instructions in this link.  There is no support for versions prior to 8.X.

If your environment prevents you from receiving this Rapid Config via the CDC please contact support for instructions for manual installation.

 

Rapid Config details

The Windows Installer Embedded File Protection Rapid Config has three parameters that can be configured.

The first parameter allows you to Report or Block the execution of Jar files identified as installers.  It is unusual for jar files to be identified as installers by CB Protection

Embed1.png

As with all Rapid Configs we recommend setting each section to Report prior to setting to Block. You will want to ensure that the legitimate behavior will not be impacted.

The second parameter allows you to choose the notifier that is displayed when this Rapid Config blocks a file .  This parameter is only visible when the user has selected the Block option so it is not visible by default.

EmbedNotifier.PNG

The final parameter of the Rapid Config gives you the flexibility to add exceptions to the list.  For example if you have a jar file named foo.jar that is tagged as an installer, and you still want to be able to execute it, you could specify that here.

Embed2.png

We have more work forthcoming around this bypass vector and we welcome feedback via Productsecurity@carbonblack.com

Labels (1)
Tags (1)
Comments

I recently enabled the Java script rule, and to do that I put in a custom rule to allow executes of .jar and .class files by java.exe and javaw.exe.  This was based on the best practices for enabling script rules article written by Joel a while back.   If I put that execution rule at the bottom of my custom rule list, and enable this rapid config...will I still be getting the protection from it? 

I have started looking into the .class and .jar files in my environment to see about creating some file write approval rules, but there are a TON of them...so I don't know if I can leave the java script rule enabled without having that execute rule there as well.  I just want to make sure I am not canceling out the protection of the rapid config by having that execution rule in place. 

Article Information
Author:
Creation Date:
‎02-14-2019
Views:
839
Contributors