Kaseya Community

Application Blocker

  • techworksinc
    Phadley, do you have the service name for Windows Defender? I tried adding 'MSASCUI' but I'm still getting thousands of false positives from the Protection Violation e-mails when Defender is running its scans.

    What's odd is that although the file doesn't exist, it says it blocked it in C:\Users\AppData\xxx.exe or whatever the file name and path are... Why does it think they are there when they don't even exist?


    I get those a lot as well, even though I've added MsMpEng and MRT. I think however, that WinDef runs as a service and that's the exe that is tagged - svchost. I get a lot of false positives, and thousands of emails a day. I don't want to allow svchost just to reduce my email load. ARRRRGGH!! Any help on this would be appreciated by many people I'm sure.

    techworksinc
    Also, I have been futzing around with attempting to block the spyware/viruses that are randomly generated. Most notably, I have found that one is always XXXXtssd.exe where the XXXX is random and the 'tssd' is always at the end. Does anyone know of a way to block this? This is the only virus/spyware to get through lately and I have no feasible way to block it, and it's a rough one. Taking over hosts, proxy settings, system32 entries...the works. Any help would be greatly appreciated.


    I haven't found any way to add wildcards to our list. We still get those :( The ones that are worse are the {randomnumber}.exe; we still get clients that get them no matter how much we educate them, and are interested in any way to block them.

    Thanks to all for this community, and hopefully we will get this sorted right out.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Phadley
  • I've found user education is pretty much futile, as it's only as good as the weakest link (and there's always a few weak links at every site). I want an AVAS product to do its job, and AVG is certainly not up to the task with the Fake AV category of malware :(

    Phadley
    The ones that are worse are the {randomnumber}.exe; we still get clients that get them no matter how much we educate them, and are interested in any way to block them.


    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: ReedMikel
  • We just received an infection that uses %temp% as its path. Will app blocker utilize Windows variables? It seems that this one is installing at %temp%\gpresult.exe

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Phadley
  • Phadley
    We just received an infection that uses %temp% as its path. Will app blocker utilize Windows variables? It seems that this one is installing at %temp%\gpresult.exe


    Unless I am mistaking your purpose, you can simply block gpresult.exe. You don't need to block the fully qualified path. Is there something different that you are trying to do? My KaseyaFW.ini is filled with just .exe and .dll that I wish to block which works well for what I want to do.

    Also, I just sent in a support request for adding wildcard support to KaseyaFW.ini. I am hoping the feature is already present and I am only using the syntax incorrectly. I will update when they update the ticket. Perhaps you can put in a ticket as well for a feature request, Phadley.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: techworksinc
  • Gpresult.exe is a valid app if it is in the %windir%\system32 directory, but this one is not when it's in %temp%, and really is the only app that would have a path.

    I'm still pulling out my hair when a system scan from one of the anti-malware products that runs as a service false-alerts against that machine. I don't want to allow svchost to access the file, but I get 30-40 alerts per scan and that drowns the real alerts. Any suggestions?

    Thanks,
    Phil

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Phadley
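The two points argued above (block by file name rather than full path, but still let gpresult.exe run from %windir%\system32; and keep scanner reads of a blocked file from drowning real alerts) can be shown in a small evaluator. This is an added example written for this thread, not Kaseya's code and not the KaseyaFW.ini format, which the thread never shows. The rule fields, the regex syntax, the fake environment values, the scanner path and the sample events are all constructed assumptions.

```python
"""Toy executable block-list evaluator (added example, not Kaseya's code).

Shows:
  * matching on the base file name, with regex wildcards for names such as
    XXXXtssd.exe and {randomnumber}.exe,
  * scoping a name so it is allowed from one directory but blocked elsewhere
    (gpresult.exe from %windir%\\system32, not from %temp%),
  * triaging events so an on-access scanner reading a blocked file is logged,
    while an execution attempt is alerted.
Rule syntax, field names, paths and environment values are all assumptions.
"""
import ntpath
import re

# Constructed environment so the example runs on any OS; real code would use os.environ.
FAKE_ENV = {
    "WINDIR": r"C:\Windows",
    "TEMP": r"C:\Users\phil\AppData\Local\Temp",
}


def expand_win_vars(path, env=FAKE_ENV):
    """Expand Windows-style %NAME% references using the given environment."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def norm(path, env=FAKE_ENV):
    """Expand variables, then normalise separators and case so comparisons are stable."""
    return ntpath.normpath(expand_win_vars(path, env)).lower()


# Hypothetical rules: a regex on the base name plus directories it may legitimately run from.
BLOCK_RULES = [
    {"pattern": r"gpresult\.exe", "allowed_dirs": [r"%windir%\system32"]},
    {"pattern": r"....tssd\.exe", "allowed_dirs": []},  # four random chars, then 'tssd'
    {"pattern": r"\d+\.exe", "allowed_dirs": []},       # purely numeric names
]

COMPILED = [
    (re.compile(r["pattern"], re.IGNORECASE), {norm(d) for d in r["allowed_dirs"]})
    for r in BLOCK_RULES
]


def evaluate(path, env=FAKE_ENV):
    """Return 'block', 'allow-path' (name matched but ran from an allowed dir) or 'allow'."""
    directory, name = ntpath.split(norm(path, env))
    for rx, allowed in COMPILED:
        if rx.fullmatch(name):
            return "allow-path" if directory in allowed else "block"
    return "allow"


# Constructed scanner path: a read by this process is routine, not an intrusion attempt.
KNOWN_SCANNERS = {norm(r"C:\Program Files\Windows Defender\MsMpEng.exe")}


def triage(event, env=FAKE_ENV):
    """Classify one event dict {actor, action, target}: 'alert', 'log' or 'ignore'."""
    if evaluate(event["target"], env) != "block":
        return "ignore"
    if event["action"] == "read" and norm(event["actor"], env) in KNOWN_SCANNERS:
        return "log"   # scanner touched a blocked file: record it, do not page anyone
    return "alert"     # execution attempt, or access by an unknown process


# Constructed sample events modelled on the cases discussed in the thread.
SAMPLE_EVENTS = [
    {"actor": r"C:\Windows\explorer.exe", "action": "execute", "target": r"%temp%\gpresult.exe"},
    {"actor": r"C:\Windows\explorer.exe", "action": "execute", "target": r"%windir%\system32\gpresult.exe"},
    {"actor": r"C:\Program Files\Windows Defender\MsMpEng.exe", "action": "read",
     "target": r"C:\Users\phil\AppData\Local\Temp\abcdtssd.exe"},
    {"actor": r"C:\Windows\System32\svchost.exe", "action": "execute",
     "target": r"C:\Users\phil\AppData\Local\Temp\48213.exe"},
]


def summarize(events=SAMPLE_EVENTS):
    """Return (target, outcome) pairs for a list of events."""
    return [(e["target"], triage(e)) for e in events]


if __name__ == "__main__":
    for target, outcome in summarize():
        print(f"{outcome:6} {target}")
```

The triage step only helps when the scanner is identifiable by its own image path; as noted above, a scan running inside a shared host such as svchost cannot be told apart from anything else that process does, which is why keying on the accessing file's verdict (the File Access approach mentioned later in the thread) rather than on the actor is the more reliable way to quiet scan noise.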
  • I sent Jeff and one of the Mbam guys an email about this. Mbam blew me off, but Jeff asked me to check if File Access worked with "mbam" approved vs. Application Blocker (as per what has now been posted above).

    I tested: no false positives. So it would seem that for those who want to stop the mbam scan false positives, use File Access.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Steve Morris