cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1695
Views
0
Helpful
3
Replies

Custom Exclusion/White list for Script Control

AlexH.
Level 1
Level 1

Hi,

 

I have a couple of questions:

1> In the Script Control section of the policy.xml file there is an option to exclude certain processes or whitelist a folder, however I couldn't find where to configure these settings in the Secure Endpoint console. How can we configure these settings?

 

2> Is there a list of file types that are monitored for Execute handle? I tried blocking the execution of a .exe and .msi file using detection lists, the .exe file was blocked and quarantined, but the .msi file executed.

 

Thanks,

Alex

3 Replies 3

johnosn
Level 1
Level 1

Hello Alex,

Regarding question 1, my experience has been those exclusions in the policy.xml file have to be developed and tested with TAC and then are deployed by the Cisco backend team to your entire environment. These are not user configurable. I recently had a TAC case because of a false positive detection involving the Exploit Prevention Script Control during the installation of one specific application.

During that case what I learned was that the Script Control rules are made up of two components. The first entry in the rule is the executable name.  Following that is a list of dll's that script control is monitoring that executable using.

In the example below Script Control is monitoring "WINWORD.EXE" for the use of the following dll's: "wbemdisp.dll", "System.Management.Automation.dll", and "System.Management.Automation.ni.dll".

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<Object Id="obj-XXXXXXXXXX"><config type="policy">
      <v5>
        <script_control>
          <rule>WINWORD.EXE|wbemdisp.dll|System.Management.Automation.dll|System.Management.Automation.ni.dll</rule>
        </script_control>
      </v5>
    </exprev>
</config></Object>
</Signature>

Modification to the Script Control rules means removing the monitoring for the executable files use of that dll. You cannot for instance allow list a specific Microsoft Word document to launch a script, you would have to remove the monitoring for Microsoft Word launching a dll that launches a script from your entire organization.

Hope that helps with your first question.

muath1987
Level 1
Level 1

Are you able to blovk MSI files ?

muath1987
Level 1
Level 1

Does anyone managed to block MSI files ?