[KB8090] Configure a policy to mitigate PrintNightmare exploits

Issue

Details

You can use policies from ESET PROTECT to block malicious use of the Print Spooler service. With ESET’s Host-Based Intrusion Prevention System (HIPS), you can block spoolsv.exe from writing new DLLs to the driver folder, which is a necessary element of remote exploitation of the PrintNightmare vulnerability.

Read more about PrintNightmare.
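
To see whether any DLLs have recently been written to the location this HIPS rule protects, the following PowerShell audit lists them together with their signature status and reports the Print Spooler service state. It is an added example, not part of the ESET article; the default Windows driver folder `%SystemRoot%\System32\spool\drivers` and the 7-day look-back window are assumptions, so adjust both to your environment.

```powershell
# Added example: audit the print driver folder for recently written DLLs.
# Assumptions: default driver folder under %SystemRoot%, 7-day look-back window.
param(
    [int]$Days = 7,
    [string]$DriverRoot = (Join-Path $env:SystemRoot 'System32\spool\drivers')
)

$cutoff = (Get-Date).AddDays(-$Days)

# Report the Print Spooler state; the HIPS rule matters where spoolsv.exe is running.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler) {
    "Spooler service: status={0}, start type={1}" -f $spooler.Status, $spooler.StartType
}

if (-not (Test-Path -LiteralPath $DriverRoot)) {
    Write-Warning "Driver directory not found: $DriverRoot"
    return
}

# Collect DLLs created or modified inside the window and check their signatures.
# Older PowerShell versions may report catalog-signed drivers as NotSigned.
$recent = Get-ChildItem -LiteralPath $DriverRoot -Recurse -File -Filter '*.dll' -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $cutoff -or $_.LastWriteTime -ge $cutoff } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Created   = $_.CreationTime
            Modified  = $_.LastWriteTime
            Signature = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }

if ($recent) {
    # Newest first: unsigned or unexpected entries are the ones to review.
    $recent | Sort-Object Created -Descending | Format-Table -AutoSize -Wrap
} else {
    "No DLLs created or modified under $DriverRoot in the last $Days day(s)."
}
```

Save it as a script and run it from an elevated PowerShell session. Legitimate printer driver installations also appear in the output, so compare the results against known driver deployments.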

Solution

Disable the HIPS rule

After Microsoft releases a patch that successfully resolves the PrintNightmare exploit, disable the HIPS rule.

Process for mitigation policy creation

The process to create a policy for ESET Endpoint for Windows, ESET Server Security for Windows Server, and ESET Mail Security for Microsoft Exchange Server is almost identical. Each product needs its own policy, so select the product that matches the system you are protecting.

Create a mitigation policy for ESET Endpoint for Windows

  1. Open the ESET PROTECT Web Console in your web browser and log in.

  2. Create a new policy and follow the steps up to step 4. Select ESET Endpoint for Windows from the Select product ... drop-down menu. 

  3. Follow these steps starting from Step 3 to configure the policy.

Prepend settings for Rules

Ensure that you set the Prepend option for the Rules. The list entries will be placed at the beginning (top) of the list from previously merged policies and the policy list entries will be placed at the beginning of the local list entries.

  4. When the new policy is created, before you proceed with assigning the policy, in the Rules row, click the drop-down menu next to Edit and change both settings to Prepend.

Figure 1-1

  5. Go to Step 7 and assign the policy to the groups or separate client computers.

Create a mitigation policy for ESET Server Security for Windows Server

  1. Open the ESET PROTECT Web Console in your web browser and log in.

  2. Create a new policy and follow the steps up to step 4. Select ESET Server Security for Windows Server (V6+) from the Select product ... drop-down menu.

  3. Follow these steps starting from Step 3 to configure the policy.

Prepend settings for Rules

Ensure that you set the Prepend option for the Rules. The list entries will be placed at the beginning (top) of the list from previously merged policies and the policy list entries will be placed at the beginning of the local list entries.

  4. When the new policy is created, before you proceed with assigning the policy, in the Rules row, click the drop-down menu next to Edit and change both settings to Prepend.

  5. Go to Step 7 and assign the policy to the groups or separate client computers.


Create a mitigation policy for ESET Mail Security for Microsoft Exchange

  1. Open the ESET PROTECT Web Console in your web browser and log in.

  2. Create a new policy and follow the steps up to step 4. Select ESET Mail Security for Microsoft Exchange (V6+) from the Select product ... drop-down menu.

  3. Expand Computer, click HIPS and then click Edit next to Rules.

Figure 3-1

  4. Follow these steps starting from Step 6 to configure the policy.

Prepend settings for Rules

Ensure that you set the Prepend option for the Rules. The list entries will be placed at the beginning (top) of the list from previously merged policies and the policy list entries will be placed at the beginning of the local list entries.

  5. When the new policy is created, before you proceed with assigning the policy, in the Rules row, click the drop-down menu next to Edit and change both settings to Prepend.

  6. Go to Step 7 and assign the policy to the groups or separate client computers.