ShmooCon 2015 whitelisting vulnerability

Please read the Important Information at the bottom before implementing

Version

All

7.2.3 and later: recommended to use the built-in memory map (Mmap) rules

Issue

This solution provides suggested detailed steps to create an active shield against the whitelisting vulnerability (using .NET installUtil) exposed at ShmooCon 2015.

More information on this vulnerability can be found in the Bit9 User eXchange link: https://community.bit9.com/message/1956

Solution

InstallUtil is distributed with all editions of Visual Studio (http://www.visualstudio.com/downloads/download-visual-studio-vs), with the .NET Developer Pack (http://support.microsoft.com/kb/2878632), and with some other versions of the .NET framework.  More information about the tool can be found at http://msdn.microsoft.com/en-us/library/50614e95(v=vs.110).aspx

It has the capability to load and execute any file (by name) that is a binary, and this is the detected vulnerability.

The steps below are necessary to mitigate the potential execution of unapproved software or banned software, in versions prior to 7.2. 

In 7.2 the active banning feature can prevent banned files from running, but at least one of the following steps is required to prevent the unwanted execution of unapproved software using this method.

Perform the following:

A. Before banning InstallUtil.exe, first identify all versions of the file in the catalog and their prevalence, then examine the individual file instances to see whether the file was ever executed, and review events for recent usage, so that you can decide whether there is a real need to allow this executable to run.

Block all instances of the .NET InstallUtil.exe file:

Search the File Catalog to find all instances of the .NET InstallUtil.exe file, then create the following rule:

Go to Rules --> Software Rules --> Custom

Click on Add custom rule

Provide the following details to create the rule:

Name: Block installUtil

Status: Enabled

Rule Type: Execution control

Write Action: Block

Path or file: All the relevant paths existing for InstallUtil.exe OR *\InstallUtil.exe

Process: Any Process

User Or Group: Any User

Rule Applies to: All Policies

Ban all hashes of all instances of the .NET InstallUtil:

Search the File Catalog to find all HASH instances of the .NET InstallUtil.exe file, and then ban ALL those hashes.

B. Optional step:

Please note that *.exe and *.dll are only the common binary types; other types can potentially be executed as well. These rules should be adjusted based on the inventory found on each installation.

Create a script rule:

Go to Rules --> Software Rules --> Scripts

Click Add Script Rule

Provide the following details to create the rule:

Name: .NET InstallUtil

Status: Enabled

Script Definition: Script Type and Process

Script Type:

*.exe

*.dll

Script Process: *\InstallUtil.exe

Do not rescan to approve these types since they are tracked as interesting by default.

Then create the following 2 custom rules:

Execute: Block rule

Go to Rules --> Software Rules --> Custom

Click on Add Custom Rule

Name: Execute Block InstallUtil

Status: Enabled

Rule Type: Advanced

Operation: Execute

Execute Action: Block

Path or File:

*.exe

*.dll

Process: Specific Process:

InstallUtil.exe

User or Group: Any User

Rule Applies to: All Policies

Execute: Report rule

Go to Rules --> Software Rules --> Custom

Click on Add Custom Rule

Name: Execute report InstallUtil

Status: Enabled

Rule Type: Advanced

Operation: Execute

Execute Action: Report

Path or File:

*.exe

*.dll

Process: Specific Process:

InstallUtil.exe

User or Group: Any User

Rule Applies to: All Policies
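As an added illustration (not code from this article and not the product's rule engine), the following Python models how the execution-control rule in step A and the two Advanced rules in step B are intended to decide on process events. The event shape, first-match-wins ordering, and case-insensitive `*` wildcard matching are assumptions made for the example.

```python
import fnmatch
from dataclasses import dataclass


@dataclass
class ExecEvent:
    """Constructed process event: 'process' asks to execute or load 'target'."""
    process: str  # full path of the launching / loading process
    target: str   # full path of the file being executed or loaded


# Hypothetical representation of the article's custom rules (not the product's
# own rule format). Patterns use the article's '*' wildcards.
RULES = [
    # Step A, Execution control: no process may run InstallUtil.exe at all.
    {"name": "Block installUtil", "process": "*",
     "target": ["*\\InstallUtil.exe"], "action": "Block"},
    # Step B, Advanced rules: InstallUtil.exe may not execute *.exe / *.dll.
    {"name": "Execute Block InstallUtil", "process": "*\\InstallUtil.exe",
     "target": ["*.exe", "*.dll"], "action": "Block"},
    {"name": "Execute report InstallUtil", "process": "*\\InstallUtil.exe",
     "target": ["*.exe", "*.dll"], "action": "Report"},
]


def _match(pattern: str, value: str) -> bool:
    # Windows paths are case-insensitive; fnmatch treats '\' literally.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(event: ExecEvent, rules=RULES):
    """Return (action, rule name) of the first matching rule, else ("Allow", None).

    A misspelled process pattern (e.g. 'instalUtil.exe') silently matches
    nothing, so the event falls through to Allow; check new rules this way.
    """
    for rule in rules:
        if _match(rule["process"], event.process) and any(
                _match(t, event.target) for t in rule["target"]):
            return rule["action"], rule["name"]
    return "Allow", None


if __name__ == "__main__":
    iu = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
    for ev in (ExecEvent(r"C:\Windows\explorer.exe", iu),          # constructed
               ExecEvent(iu, r"C:\Users\lab\untrusted.dll"),       # constructed
               ExecEvent(r"C:\Windows\notepad.exe", r"C:\Users\lab\tool.exe")):
        print(ev.target, "->", evaluate(ev))
```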

Important Information:

- In version 8.0 of the product, we have found that the script rule changes all processes to script processors, which can cause unexpected blocks and performance hits. EP-1982 is the internal fix for this.

- For 7.2.3 and later, it is recommended to use the "read-only memory map operations on banned or unapproved executables by .NET applications" rules that are built into the product under Rules > Software Rules > Custom Rules.

Creation Date: 08-28-2015