Antipova Anna
Posted

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

In EDR, a Security officer can create a hash-based prevention rule for a workstation. Here is the list of activities to which prevention rules apply:

The agent should control and prevent read access to the following file formats by the following apps:

App:

  • winword.exe
  • wordpad.exe
  • excel.exe
  • powerpnt.exe
  • acrord32.exe
  • Microsoft Edge
  • Google Chrome

File formats:

  • .rtf
  • .doc
  • .dot
  • .docm
  • .docx
  • .dotx
  • .dotm
  • .docb
  • .xls
  • .xlt
  • .xlm
  • .xlsx
  • .xlsm
  • .xltx
  • .xltm
  • .xlsb
  • .xla
  • .xlam
  • .xll
  • .xlw
  • .ppt
  • .pot
  • .pps
  • .pptx
  • .pptm
  • .potx
  • .potm
  • .ppam
  • .ppsx
  • .ppsm
  • .sldx
  • .sldm
  • .pdf

The agent should prevent scripts started by the following interpreters:

  • cmd.exe
  • reg.exe
  • regedit.exe
  • regedt32.exe
  • cscript.exe
  • wscript.exe
  • mmc.exe
  • msiexec.exe
  • mshta.exe
  • rundll32.exe
  • runlegacycplelevated.exe
  • control.exe
  • explorer.exe
  • regsvr32.exe
  • wwahost.exe
  • powershell.exe
  • perl.exe ( * )
  • hh.exe ( * )
  • msbuild.exe ( * )
  • python.exe ( * )
  • InstallUtil.exe
  • RegSvcs.exe
  • RegAsm.exe
  • ruby.exe
  • rubyw.exe
  • autoit.exe
  • AutoHotkey.exe
  • AutoHotkeyU32.exe
  • AutoHotkeyA32.exe
  • AutoHotkeyU64.exe
  • AutoHotkeyA64.exe
