Please read the Important Information at the bottom before implementing
Version: All (7.2.3 and later: recommended to use the built-in Mmap rules)
Issue
This solution provides suggested detailed steps to create an active shield against the whitelisting vulnerability (using .NET installUtil) exposed at ShmooCon 2015.
More information on this vulnerability can be found in the Bit9 User eXchange link: https://community.bit9.com/message/1956
Solution
InstallUtil is distributed with all editions of Visual Studio (http://www.visualstudio.com/downloads/download-visual-studio-vs), with the .NET Developer Pack (http://support.microsoft.com/kb/2878632), and with some other versions of the .NET framework. More information about the tool can be found at http://msdn.microsoft.com/en-us/library/50614e95(v=vs.110).aspx
It has the capability to load and execute any binary file specified by name, and this is the detected vulnerability.
The steps below are necessary to mitigate the potential execution of unapproved or banned software in versions prior to 7.2.
In 7.2 the active banning feature can prevent banned files from running, but at least one of the following steps is still required to prevent the unwanted execution of unapproved software using this method.
Perform the following:
A. Before banning InstallUtil.exe, first identify all versions of the file in the catalog and their prevalence, then examine the individual file instances to see whether the file has ever been executed, and review events for recent usage, so that you can decide whether there is a real need to allow this executable to run.
Block all instances of the .NET InstallUtil.exe file:
Search the File Catalog to find all instances of the .NET InstallUtil.exe file, then create the following rule:
Go to Rules --> Software Rules --> Custom
Click on Add custom rule
Provide the following details to create the rule:
Name: Block installUtil
Status: Enabled
Rule Type: Execution control
Write Action: Block
Path or file: All the relevant paths existing for InstallUtil.exe OR *\InstallUtil.exe
Process: Any Process
User Or Group: Any User
Rule Applies to: All Policies
Ban all hashes of all instances of the .NET InstallUtil:
Search the File Catalog to find all HASH instances of the .NET InstallUtil.exe file, and then ban ALL those hashes.
B. Optional step:
Please note that *.exe and *.dll are only the common binary types; other file types can potentially be executed as well. Adjust these rules based on the inventory found on each installation.
Create a script rule:
Go to Rules --> Software Rules --> Scripts
Click Add Script Rule
Provide the following details to create the rule:
Name: .NET InstallUtil
Status: Enabled
Script Definition: Script Type and Process
Script Type:
*.exe
*.dll
Script Process: *\InstallUtil.exe
Do not rescan to approve these types since they are tracked as interesting by default.
Then create the following 2 custom rules:
Execute: Block rule
Go to Rules --> Software Rules --> Custom
Click on Add Custom Rule
Name: Execute Block InstallUtil
Status: Enabled
Rule Type: Advanced
Operation: Execute
Execute Action: Block
Path or File:
*.exe
*.dll
Process: Specific Process:
InstallUtil.exe
User or Group: Any User
Rule Applies to: All Policies
Execute: Report rule
Go to Rules --> Software Rules --> Custom
Click on Add Custom Rule
Name: Execute report InstallUtil
Status: Enabled
Rule Type: Advanced
Operation: Execute
Execute Action: Report
Path or File:
*.exe
*.dll
Process: Specific Process:
InstallUtil.exe
User or Group: Any User
Rule Applies to: All Policies
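To check how the three custom rules above combine before rolling them out, here is an added offline model of their matching logic (example code written for this article, not Carbon Black product code). It assumes case-insensitive Windows-style globs, that a bare "Specific Process" name matches on file name only, that a matching Block rule wins over Report, and that Report wins over the default allow; the sample events are constructed.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # the rule's Execute Action: "block" or "report"
    file_patterns: tuple     # "Path or File" globs for the file being executed
    process_pattern: str     # "Process": "*" = Any Process, else a specific image name

@dataclass(frozen=True)
class ExecEvent:
    process: str   # image performing the execute (e.g. InstallUtil.exe)
    target: str    # file being executed or loaded

# The three custom rules from the procedure above, in the order they were created
RULES = [
    Rule("Block installUtil", "block", (r"*\InstallUtil.exe",), "*"),
    Rule("Execute Block InstallUtil", "block", ("*.exe", "*.dll"), "InstallUtil.exe"),
    Rule("Execute report InstallUtil", "report", ("*.exe", "*.dll"), "InstallUtil.exe"),
]

def _match(pattern: str, path: str) -> bool:
    """Case-insensitive Windows-style glob. A pattern without a path separator
    (the 'Specific Process' field) is compared against the file name only."""
    pattern, path = pattern.lower(), path.lower()
    if "\\" not in pattern:
        path = path.rsplit("\\", 1)[-1]
    return fnmatch.fnmatchcase(path, pattern)

def evaluate(rules: List[Rule], event: ExecEvent) -> Tuple[str, List[str]]:
    """Return (decision, names of all rules that matched). Assumed simplification:
    any matching Block rule wins over Report; Report wins over the default allow."""
    matched = [r for r in rules
               if _match(r.process_pattern, event.process)
               and any(_match(p, event.target) for p in r.file_patterns)]
    actions = {r.action for r in matched}
    decision = "block" if "block" in actions else "report" if "report" in actions else "allow"
    return decision, [r.name for r in matched]

if __name__ == "__main__":
    # Constructed sample events, not real agent telemetry
    net = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    samples = [
        ExecEvent(r"C:\Windows\explorer.exe", net),                 # launching InstallUtil itself
        ExecEvent(net, r"C:\Users\alice\Downloads\unapproved.dll"),  # InstallUtil loading a DLL
        ExecEvent(net, r"C:\Temp\notes.txt"),                        # type not covered by the rules
        ExecEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\notepad.exe"),
    ]
    for ev in samples:
        print(f"{evaluate(RULES, ev)[0]:6} {ev.process} -> {ev.target}")
```

The third event shows the caveat in step B: a file type missing from the "Path or File" list is not caught, which is why the list must follow the inventory of each installation.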
Important Information:
- In the 8.0 version of the product, we have found the script rule is changing all processes to script processors that can cause unexpected blocks and performance hits. EP-1982 is the internal fix for this.
- For 7.2.3 and later, it is recommended to use the rules for read-only memory map operations on banned or unapproved executables by .NET applications that are built into the product under Rules > Software Rules > Custom Rules.