Issue
- You want to configure additional firewall rules in ESET Endpoint Security or create a policy in ESET PROTECT or ESET PROTECT On-Prem with additional firewall settings for ESET Endpoint Security to protect against ransomware malware(filecoder)
- Manually create an ESET PROTECT Policy/configure the settings in ESET Endpoint Security
- Download and import the ESET PROTECT Policy
Click an image to open the ESET Knowledgebase article for anti-ransomware best practices and additional product configurations:
Details
Click to expand
With ESET default settings, if malicious code with a dropper is executed, ESET Endpoint Security will prevent the download of the malware with the integrated ESET Firewall. To further help prevent ransomware malware on your Windows systems with ESET Endpoint Security, create the following rules in the latest ESET Endpoint Security, or create and apply an ESET PROTECT Policy.
Solution
Manually create an ESET PROTECT Policy/configure the settings in ESET Endpoint Security
- Open the ESET PROTECT or ESET PROTECT On-Prem. In the Quick Links drop-down menu, click Create New Policy....
If you are using an ESET Endpoint Security without remote management, open the main program window of your ESET Windows product and press the F5 key to access Advanced setup. Proceed to step 3.
- Click Settings and in the Select product... drop-down menu, select ESET Endpoint for Windows. Proceed to step 4.
Click the image to view larger in new window
- Click Network Protection → Network attack protection and verify that Enable Botnet protection is enabled.
- Click Network Protection, expand
Advanced and click Edit next to Rules.
Click the image to view larger in new window
- In the Firewall rules window, click Add.
- In the Name field, type Deny network connections for cmd.exe (native).
Use the following configuration for the rule:
- From the Direction drop-down menu, select Both.
- From the Action drop-down menu, select Deny.
- From the Protocol drop-down menu, select Any.
- From the Profile drop-down menu, select Any profile.
- Click the Local tab, and in the Application field, type
C:\Windows\System32\cmd.exe.
- Click OK → Add, and repeat steps 6 – 7 to create the following list of rules:
- Name: Deny network connections for cmd.exe (SysWOW64)
Application: C:\Windows\SysWOW64\cmd.exe - Name: Deny network connections for wscript.exe (native)
Application: C:\Windows\System32\wscript.exe - Name: Deny network connections for wscript.exe (SysWOW64)
Application: C:\Windows\SysWOW64\wscript.exe - Name: Deny network connections for cscript.exe (native)
Application: C:\Windows\System32\cscript.exe - Name: Deny network connections for cscript.exe (SysWOW64)
Application: C:\Windows\SysWOW64\cscript.exe - Name: Deny network connections for powershell.exe (native)
Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Name: Deny network connections for powershell.exe (SysWOW64)
Application: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Name: Deny network connections for ntvdm.exe
Application: C:\Windows\System32\ntvdm.exe - Name: Deny network connections for regsvr.exe (native)
Application: C:\Windows\System32\regsvr.exe - Name: Deny network connections for regsvr.exe (SysWOW64)
Application: C:\Windows\SysWOW64\regsvr.exe - Name: Deny network connections for rundll32.exe (native)
Application: C:\Windows\System32\rundll32.exe - Name: Deny network connections for rundll32.exe (SysWOW64)
Application: C:\Windows\SysWOW64\rundll32.exe
- In the Firewall rules window, click OK after adding all rules. Click Assign to assign the policy to a client or group; otherwise, click Finish in the New Policy – Settings screen. If assigned, your policy settings will be applied to the target groups or client computers once they check in to ESET PROTECT or ESET PROTECT On-Prem.
If you are using an ESET Endpoint Security without remote management, click OK→ OK after adding all rules.
Click the image to view larger in new window
Download and import the ESET PROTECT Policy
The ESET PROTECT Policy for ESET Endpoint Security with additional firewall settings to protect against ransomware malware(filecoder) can be downloaded and imported from the link below. The ESET PROTECT Policy is available only for the latest version of ESET products. Compatibility with earlier versions cannot be guaranteed.
Download the Additional Ransomware Protection ESET PROTECT Policy.
Open the ESET PROTECT or ESET PROTECT On-Prem. In the main menu, click Policies.
- Click Actions → Import.
Click the image to view larger in new window
- Click Choose file to upload, select the downloaded policy, and click Import.
- Assign the policy to a client or assign the policy to a group. Policy settings will be applied to the target groups or client computers once they check in to ESET PROTECT or ESET PROTECT On-Prem.
