[KB6132] Configure firewall rules for ESET Endpoint Security to protect against ransomware

Issue

With ESET default settings, if malicious code containing a dropper is executed, the integrated ESET Firewall in ESET Endpoint Security prevents the download of the malware payload. To further help prevent ransomware on your Windows systems with ESET Endpoint Security, create the following rules in the latest version of ESET Endpoint Security, or create and apply an ESET PROTECT Policy.


Solution

Do not adjust settings on production systems

The following settings are additional configurations, and the specific settings needed for your security environment may vary. We recommend that you test the settings for each implementation in a test environment before using them in a production environment.

Manually create an ESET PROTECT Policy/configure the settings in ESET Endpoint Security

  1. Open ESET PROTECT or ESET PROTECT On-Prem. In the Quick Links drop-down menu, click Create New Policy....

    If you are using ESET Endpoint Security without remote management, open the main program window of your ESET Windows product and press the F5 key to access Advanced setup. Proceed to step 3.

  2. Click Settings and in the Select product... drop-down menu, select ESET Endpoint for Windows. Proceed to step 4.
Figure 1-1
  3. Click Network Protection → Network attack protection and verify that Enable Botnet protection is enabled.
Figure 1-2
  4. Click Network Protection, expand Advanced and click Edit next to Rules.
Figure 1-3
  5. In the Firewall rules window, click Add.
Figure 1-4
  6. In the Name field, type Deny network connections for cmd.exe (native).

    Use the following configuration for the rule:
    • From the Direction drop-down menu, select Both.
    • From the Action drop-down menu, select Deny.
    • From the Protocol drop-down menu, select Any.
    • From the Profile drop-down menu, select Any profile.
Figure 1-5
  7. Click the Local tab, and in the Application field, type C:\Windows\System32\cmd.exe.
Figure 1-6
  8. Click OK → Add, and repeat steps 6 – 7 to create the following list of rules:
  • Name: Deny network connections for cmd.exe (SysWOW64)
    Application: C:\Windows\SysWOW64\cmd.exe
  • Name: Deny network connections for wscript.exe (native)
    Application: C:\Windows\System32\wscript.exe
  • Name: Deny network connections for wscript.exe (SysWOW64)
    Application: C:\Windows\SysWOW64\wscript.exe
  • Name: Deny network connections for cscript.exe (native)
    Application: C:\Windows\System32\cscript.exe
  • Name: Deny network connections for cscript.exe (SysWOW64)
    Application: C:\Windows\SysWOW64\cscript.exe
  • Name: Deny network connections for powershell.exe (native)
    Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • Name: Deny network connections for powershell.exe (SysWOW64)
    Application: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  • Name: Deny network connections for ntvdm.exe
    Application: C:\Windows\System32\ntvdm.exe
  • Name: Deny network connections for regsvr.exe (native)
    Application: C:\Windows\System32\regsvr.exe
  • Name: Deny network connections for regsvr.exe (SysWOW64)
    Application: C:\Windows\SysWOW64\regsvr.exe
  • Name: Deny network connections for rundll32.exe (native)
    Application: C:\Windows\System32\rundll32.exe
  • Name: Deny network connections for rundll32.exe (SysWOW64)
    Application: C:\Windows\SysWOW64\rundll32.exe
  9. In the Firewall rules window, click OK after adding all rules. Click Assign to assign the policy to a client or group; otherwise, click Finish in the New Policy – Settings screen. If assigned, your policy settings are applied to the target groups or client computers once they check in to ESET PROTECT or ESET PROTECT On-Prem.

    If you are using ESET Endpoint Security without remote management, click OK → OK after adding all rules.
Figure 1-7
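The rules above bind a Deny action to a program path rather than to a port or address, so that the script interpreters and loaders ransomware droppers commonly run under cannot reach the network at all. As an added example that is not part of this ESET article, the following PowerShell script recreates the same rule set in Windows Defender Firewall, for instance on a test host without the ESET Firewall, so that the effect of blocking these programs can be evaluated before the ESET PROTECT Policy is rolled out. The rule group name, the display-name pattern and the New-DenyRulesForProgram function are this example's own choices; the program paths are the ones listed above, written against $env:SystemRoot instead of a literal C:\Windows. Because Windows Defender Firewall has no "Both" direction, each ESET rule becomes one Inbound and one Outbound block rule.

```powershell
#Requires -RunAsAdministrator
# Added example, not ESET's code: recreate the article's application-based
# deny rules in Windows Defender Firewall. Assumes Windows 10/11 or Windows
# Server 2016 or later (NetSecurity module) and an elevated PowerShell session.

# Assumed name: the rule group used to find and remove the whole set later.
$ruleGroup = 'Additional Ransomware Protection (KB6132 equivalent)'

# The programs listed in the article, keyed by the article's rule labels.
# $env:SystemRoot normally resolves to C:\Windows.
$targets = [ordered]@{
    'cmd.exe (native)'          = "$env:SystemRoot\System32\cmd.exe"
    'cmd.exe (SysWOW64)'        = "$env:SystemRoot\SysWOW64\cmd.exe"
    'wscript.exe (native)'      = "$env:SystemRoot\System32\wscript.exe"
    'wscript.exe (SysWOW64)'    = "$env:SystemRoot\SysWOW64\wscript.exe"
    'cscript.exe (native)'      = "$env:SystemRoot\System32\cscript.exe"
    'cscript.exe (SysWOW64)'    = "$env:SystemRoot\SysWOW64\cscript.exe"
    'powershell.exe (native)'   = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
    'powershell.exe (SysWOW64)' = "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    'ntvdm.exe'                 = "$env:SystemRoot\System32\ntvdm.exe"
    'regsvr.exe (native)'       = "$env:SystemRoot\System32\regsvr.exe"
    'regsvr.exe (SysWOW64)'     = "$env:SystemRoot\SysWOW64\regsvr.exe"
    'rundll32.exe (native)'     = "$env:SystemRoot\System32\rundll32.exe"
    'rundll32.exe (SysWOW64)'   = "$env:SystemRoot\SysWOW64\rundll32.exe"
}

function New-DenyRulesForProgram {
    param(
        [Parameter(Mandatory)] [string] $Label,
        [Parameter(Mandatory)] [string] $Path
    )

    # The firewall accepts a rule for a path that does not exist, but a missing
    # binary usually means a typo, a 32-bit-only host or a changed path, so
    # tell the operator instead of silently creating a rule that matches nothing.
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path is not present on this host; the rule is created but matches nothing until it is."
    }

    # The ESET rule uses Direction = Both; Windows Defender Firewall needs one
    # rule per direction, so create an Inbound and an Outbound block rule.
    foreach ($direction in 'Inbound', 'Outbound') {
        $name = "Deny network connections for $Label - $direction"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$name' already exists; leaving it unchanged."
            continue
        }
        # Block, any protocol, any profile: the same settings as in Figure 1-5.
        $ruleParams = @{
            DisplayName = $name
            Group       = $ruleGroup
            Direction   = $direction
            Action      = 'Block'
            Program     = $Path
            Protocol    = 'Any'
            Profile     = 'Any'
            Enabled     = 'True'
        }
        New-NetFirewallRule @ruleParams | Out-Null
    }
}

foreach ($entry in $targets.GetEnumerator()) {
    New-DenyRulesForProgram -Label $entry.Key -Path $entry.Value
}

# Audit what was created: each rule with the program it is bound to, which is
# what you would compare against the ESET rule list shown in Figure 1-7.
Get-NetFirewallRule -Group $ruleGroup |
    ForEach-Object {
        $appFilter = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Direction = $_.Direction
            Action    = $_.Action
            Program   = $appFilter.Program
        }
    } |
    Sort-Object Name |
    Format-Table -AutoSize
```

In Windows Defender Firewall, block rules take precedence over allow rules regardless of the order in which they were created, so these rules also stop legitimate administrative scripts that use cmd.exe, cscript.exe or powershell.exe for network access; that is the reason for the test-environment warning at the top of this article. The whole set can be removed again with Remove-NetFirewallRule -Group and the same group name.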

Download and import the ESET PROTECT Policy

The ESET PROTECT Policy for ESET Endpoint Security with additional firewall settings to protect against ransomware malware (filecoder) can be downloaded and imported from the link below. The ESET PROTECT Policy is available only for the latest version of ESET products. Compatibility with earlier versions cannot be guaranteed.

  1. Download the Additional Ransomware Protection ESET PROTECT Policy.

  2. Open ESET PROTECT or ESET PROTECT On-Prem. In the main menu, click Policies.

  3. Click Actions → Import.
Figure 2-1
  4. Click Choose file to upload, select the downloaded policy, and click Import.
Figure 2-2
  5. Assign the policy to a client or assign the policy to a group. Policy settings will be applied to the target groups or client computers once they check in to ESET PROTECT or ESET PROTECT On-Prem.