Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1340
Views
0
Helpful
3
Replies

Custom Exclusion/White list for Script Control

AlexH.
Level 1
Level 1

‎05-04-2022 12:09 AM

Hi,

 

I have a couple of questions:

1> In the Script Control section of the policy.xml file there is an option to exclude certain processes or whitelist a folder, however I couldn't find where to configure these settings in the Secure Endpoint console. How can we configure these settings?

 

2> Is there a list of file types that are monitored for Execute handle? I tried blocking the execution of a .exe and .msi file using detection lists, the .exe file was blocked and quarantined, but the .msi file executed.

 

Thanks,

Alex

0 Helpful
3 Replies 3

johnosn
Level 1
Level 1

‎05-16-2022 05:49 AM - edited ‎05-16-2022 06:21 AM

Hello Alex,

Regarding question 1, my experience has been those exclusions in the policy.xml file have to be developed and tested with TAC and then are deployed by the Cisco backend team to your entire environment. These are not user configurable. I recently had a TAC case because of a false positive detection involving the Exploit Prevention Script Control during the installation of one specific application.

During that case what I learned was that the Script Control rules are made up of two components. The first entry in the rule is the executable name.  Following that is a list of dll's that script control is monitoring that executable using.

In the example below Script Control is monitoring "WINWORD.EXE" for the use of the following dll's: "wbemdisp.dll", "System.Management.Automation.dll", and "System.Management.Automation.ni.dll".

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<Object Id="obj-XXXXXXXXXX"><config type="policy">
      <v5>
        <script_control>
          <rule>WINWORD.EXE|wbemdisp.dll|System.Management.Automation.dll|System.Management.Automation.ni.dll</rule>
        </script_control>
      </v5>
    </exprev>
</config></Object>
</Signature>

Modification to the Script Control rules means removing the monitoring for the executable files use of that dll. You cannot for instance allow list a specific Microsoft Word document to launch a script, you would have to remove the monitoring for Microsoft Word launching a dll that launches a script from your entire organization.

Hope that helps with your first question.

0 Helpful

muath1987
Level 1
Level 1

‎11-28-2022 03:05 AM

Are you able to blovk MSI files ?

0 Helpful

muath1987
Level 1
Level 1

‎01-02-2023 01:02 AM

Does anyone managed to block MSI files ?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents