[KB8090] Configure a policy to mitigate PrintNightmare exploits

Issue

Details

You can use policies from ESET PROTECT and ESET PROTECT On-Prem to block malicious use of the Print Spooler service. With ESET’s Host-Based Intrusion Prevention System (HIPS), a user can block spoolsv.exe from writing new DLLs to the driver folder (a necessary element of remote exploitation of the PrintNightmare vulnerability).

Read more about PrintNightmare.

Solution

Disable the HIPS rule

After Microsoft releases a patch that successfully resolves the PrintNightmare exploit, disable the HIPS rule.

Process for mitigation policy creation

The process to create a policy for ESET Endpoint for Windows, ESET Server Security for Windows Server, and ESET Mail Security for Microsoft Exchange Server is almost identical. Each product needs its own policy. A user needs to select different products according to their system.

Create a mitigation policy for ESET Endpoint for Windows

  1. Open ESET PROTECT or ESET PROTECT On-Prem in your web browser and log in.

  2. Create a new policy and follow the steps up to step 4. Select ESET Endpoint for Windows from the Select product ... drop-down menu. 

  3. Follow these steps starting from Step 3 to configure the policy.

Prepend settings for Rules

Ensure that you set the Prepend option for the Rules. The list entries will be placed at the beginning (top) of the list from previously merged policies and the policy list entries will be placed at the beginning of the local list entries.

  1. When the new policy is created, before you proceed with assigning the policy, in the Rules row, click the drop-down menu next to Edit and change both settings to Prepend.

Figure 1-1
Click the image to view larger in new window
  1. Go to Step 7 and assign the policy to the groups or separate client computers.

Create a mitigation policy for ESET Server Security for Windows Server

  1. Open ESET PROTECT or ESET PROTECT On-Prem in your web browser and log in.

  2. Create a new policy and follow the steps up to step 4. Select ESET Server Security for Windows Server (V6+) from the Select product ... drop-down menu.

  3. Follow these steps starting from Step 3 to configure the policy.

Prepend settings for Rules

Ensure that you set the Prepend option for the Rules. The list entries will be placed at the beginning (top) of the list from previously merged policies and the policy list entries will be placed at the beginning of the local list entries.

  1. When the new policy is created, before you proceed with assigning the policy, in the Rules row, click the drop-down menu next to Edit and change both settings to Prepend.

  2. Go to Step 7 and assign the policy to the groups or separate client computers.

Create a mitigation policy for ESET Mail Security for Microsoft Exchange

  1. Open ESET PROTECT or ESET PROTECT On-Prem in your web browser and log in.

  2. Create a new policy and follow the steps up to step 4. Select ESET Mail Security for Microsoft Exchange (V6+) from the Select product ... drop-down menu.

  3. Expand Computer, click HIPS and then click Edit next to Rules.
Figure 3-1
Click the image to view larger in new window 

  1. Follow these steps starting from Step 6 to configure the policy.

Prepend settings for Rules

Ensure that you set the Prepend option for the Rules. The list entries will be placed at the beginning (top) of the list from previously merged policies and the policy list entries will be placed at the beginning of the local list entries.

  1. When the new policy is created, before you proceed with assigning the policy, in the Rules row, click the drop-down menu next to Edit and change both settings to Prepend.

  2. Go to Step 7 and assign the policy to the groups or separate client computers.

English
Last Updated: Dec 13, 2023

Additional resources

User Guides

ESET Forum

YouTube videos

Need further assistance?

Contact ESET Technical Support

More Information

Support News
Customer Advisories
ESET Status Portal