[KB8090] Configure a policy to mitigate PrintNightmare exploits

Issue

Details

You can use policies from ESET PROTECT and ESET PROTECT On-Prem to block malicious use of the Print Spooler service. With ESET’s Host-Based Intrusion Prevention System (HIPS), a user can block spoolsv.exe from writing new DLLs to the driver folder (a necessary element of remote exploitation of the PrintNightmare vulnerability).

Read more about PrintNightmare.

Solution

Disable the HIPS rule

After Microsoft releases a patch that successfully resolves the PrintNightmare exploit, disable the HIPS rule.

Process for mitigation policy creation

The process to create a policy for ESET Endpoint for Windows, ESET Server Security for Windows Server, and ESET Mail Security for Microsoft Exchange Server is almost identical. Each product needs its own policy. A user needs to select different products according to their system.

Create a mitigation policy for ESET Endpoint for Windows

  2. Create a new policy and follow the steps up to step 4. Select ESET Endpoint for Windows from the Select product ... drop-down menu. 

  3. Follow these steps starting from Step 3 to configure the policy.

Prepend settings for Rules

Ensure that you set the Prepend option for the Rules. The list entries will be placed at the beginning (top) of the list from previously merged policies and the policy list entries will be placed at the beginning of the local list entries.

  1. When the new policy is created, before you proceed with assigning the policy, in the Rules row, click the drop-down menu next to Edit and change both settings to Prepend.

Figure 1-1
Click the image to view larger in new window
  1. Go to Step 7 and assign the policy to the groups or separate client computers.

Create a mitigation policy for ESET Server Security for Windows Server

  2. Create a new policy and follow the steps up to step 4. Select ESET Server Security for Windows Server (V6+) from the Select product ... drop-down menu.

  3. Follow these steps starting from Step 3 to configure the policy.

Prepend settings for Rules

Ensure that you set the Prepend option for the Rules. The list entries will be placed at the beginning (top) of the list from previously merged policies and the policy list entries will be placed at the beginning of the local list entries.

  1. When the new policy is created, before you proceed with assigning the policy, in the Rules row, click the drop-down menu next to Edit and change bothsettings to Prepend.

  2. Go to Step 7 and assign the policy to the groups or separate client computers.

Create a mitigation policy for ESET Mail Security for Microsoft Exchange

  2. Create a new policy and follow the steps up to step 4. Select ESET Mail Security for Microsoft Exchange (V6+) from the Select product ... drop-down menu.

  3. Expand Computer, click HIPS and then click Edit next to Rules.
Figure 3-1
Click the image to view larger in new window 

  1. Follow these steps starting from Step 6 to configure the policy.

Prepend settings for Rules

Ensure that you set the Prepend option for the Rules. The list entries will be placed at the beginning (top) of the list from previously merged policies and the policy list entries will be placed at the beginning of the local list entries.

  1. When the new policy is created, before you proceed with assigning the policy, in the Rules row, click the drop-down menu next to Edit and change bothsettings to Prepend.

  2. Go to Step 7 and assign the policy to the groups or separate client computers.

English
This article applies to
Product
OS
Issue
Related articles
Create a new policy in ESET PROTECT or ESET PROTECT On-Prem
Windows PrintNightmare Remote Code Execution (RCE) (CVE-2021-34527 / CVE-2021-1675)
Last Updated: Jan 28, 2025

Additional resources

User Guides

ESET Forum

YouTube videos

Support News Customer Advisories ESET Status Portal Contact ESET Technical Support

Existing customer?

Chat with ESET AI Advisor for support