Kaseya Community

Application Blocker

  • I would love to come up with a list of executables (malware) that should be blocked with the application blocker. I think it's underused, as it really does prevent some malware from digging its heels in. Here is the list I've got so far from various posts, and my own experience. Does anyone know if wildcards work? Feel free to add your list and I'll keep this updated.

    Malware
    antiviruspro_2010.exe
    svcst.exe
    seres.exe
    xpscanner.exe
    xpantivirus2008*
    xpa2008.exe
    XPAntivirusUpdate.exe
    XPAntivirus.exe
    XPantivirus*.exe
    xpa_eng.exe
    sysguard.exe
    antivirussystempro.exe
    kfthsysguard.exe
    winupdate.exe
    sulvsysguard.exe
    AV2010.exe
    svch0s.exe
    svch0st.exe
    4946550101.exe
    Added 12/9/09--------------
    datasrv2.exe
    dataserver.exe
    docmgr.exe
    cfiosysguard.exe

    P2P Apps
    bittorrent.exe
    kazaalite.exe
    bitlord.exe
    g3torrent.exe
    btdownloadgui.exe
    btmaketorrentgui.exe
    azureus.exe
    emule.exe
    edonkey2000.exe
    kazaa.exe
    klrun.exe
    khancer.exe
    napster.exe
    morpheus.exe
    shareaza.exe
    limewire.exe
    bearshare.exe
    kceasy.exe
    gnucleus.exe
    ares.exe
    utorrent.exe
    warez.exe
    bitcomet.exe
    utorrent.exe
    frostwire.exe

    Also blocking access to the hosts file, and/or pushing out a hosts file from a machine that used spybot immunize, will help as well.

    Legacy Forum Name: Application Blocker,
    Legacy Posted By Username: jknott
  • This is a good idea, how is it working for you?

    I saw that Antivirus 2010 is at c:\Program Files\AV2010\AV2010.exe

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: MGray
  • Since application blocker is filename based it isn't very effective against malware. Most malware tends to change or randomize the filenames in order to avoid detection. I've said it here before and I'll say it again. The best thing you can do is remove local administrator rights. It thwarts most of the malware out there. This is because they try to write to Windows or Program Files folders. If given the choice of running local administrator with anti-virus or limited user without anti-virus, I would choose the latter. Remember anti-virus products are signature based. It will only protect against what the vendor has seen and chooses to add to their signature files. If they don't think it's a viable threat then they let it right through. Relying on anti-virus alone to protect your computer is like depending on the air bag to deploy in a crash and not wearing your seat belt.

    Matt

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: connectex
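    As an added illustration (not code from the thread, and not part of Kaseya's Application Blocker), the Python script below shows what a filename-based blocklist with wildcards actually does when run over a list of process image names: it compares the file's base name case-insensitively (Windows names are case-insensitive, and Application Blocker entries may be full paths like the AV2010 one), honours `*` and `?` wildcards, and makes both sides of the discussion visible in one run: the stable installer names jknott relies on are caught, while a randomized name of the kind connectex describes is never matched. The blocklist entries come from the thread; the `*sysguard.exe` pattern and the sample process list are constructed for this example. Whether Kaseya's Application Blocker honours wildcards is not settled in the thread, so wildcard support is an assumption of this script, not a statement about the product.

```python
import fnmatch
import ntpath

# Blocklist entries from the thread. '*' and '?' are treated as wildcards and
# matching is case-insensitive, which is an assumption of this script; the
# thread does not confirm that Application Blocker itself supports wildcards.
BLOCKLIST = [
    "antiviruspro_2010.exe",
    "xpantivirus2008*",
    "XPantivirus*.exe",
    "svch0s.exe",
    "svch0st.exe",
    "sysguard.exe",
    "*sysguard.exe",   # constructed: generalises kfthsysguard/sulvsysguard/cfiosysguard.exe
    "AV2010.exe",
    "utorrent.exe",
]

# Constructed sample of process image names as a scanner might collect them.
# The last entry stands in for malware that randomizes its file name.
SAMPLE_PROCESSES = [
    "explorer.exe",
    "svchost.exe",                              # legitimate: must NOT match svch0st.exe
    "SVCH0ST.EXE",                              # zero instead of 'o'
    "xpantivirus2008_setup.exe",
    "kfthsysguard.exe",
    r"c:\Program Files\AV2010\AV2010.exe",      # full path, as MGray observed
    "a8f3k2.exe",                               # randomized name: evades the list
]


def matches_blocklist(image_name, patterns=BLOCKLIST):
    """Return the first blocklist pattern matching image_name, or None.

    Only the base name is compared (ntpath handles Windows paths on any OS),
    and both sides are lower-cased so the comparison is case-insensitive.
    """
    name = ntpath.basename(image_name).lower()
    for pat in patterns:
        # fnmatchcase: case-sensitive glob; we already normalised case ourselves
        if fnmatch.fnmatchcase(name, pat.lower()):
            return pat
    return None


def scan_processes(process_names, patterns=BLOCKLIST):
    """Return (process, pattern) pairs for every process the list would block."""
    hits = []
    for proc in process_names:
        pat = matches_blocklist(proc, patterns)
        if pat is not None:
            hits.append((proc, pat))
    return hits


def unmatched(process_names, patterns=BLOCKLIST):
    """Return the processes the list says nothing about (the blind spot)."""
    return [p for p in process_names if matches_blocklist(p, patterns) is None]


if __name__ == "__main__":
    for proc, pat in scan_processes(SAMPLE_PROCESSES):
        print(f"BLOCK  {proc!r:45} matched by {pat!r}")
    for proc in unmatched(SAMPLE_PROCESSES):
        print(f"allow  {proc!r}")
```

Running it shows four blocked names and leaves `explorer.exe`, `svchost.exe` and the randomized `a8f3k2.exe` alone; the legitimate `svchost.exe` is safe only because the entries are literal, so a pattern such as `svch*.exe` would be a mistake worth testing for before pushing a template out. The randomized name passing untouched is the limitation Matt describes, which is why the list complements, rather than replaces, removing local admin rights.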
  • Matt, you are 100% correct. Unfortunately, there are cases when this is not an option. In corporate environments, where you get buy-in from upper management that this is the right way to do things, then it's a no-brainer. On the flip side, when a business is paying to have their environment managed and they tell you "I know this is a risk and I want all my users to have admin rights", there really isn't much to do.

    There's an IT consulting route that we try to take but in some cases it's simply not realistic. I wish we had the ability to convince every client that we need to take away admin rights, but then I also wish there wasn't such a thing as spyware. At this point, we've got to use everything in our toolkit, which includes file based restrictions, consulting practices, and antivirus.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: MGray
  • Convincing is difficult. I admit that. Here's a few of my tips:


    1. Report to them the problems associated with malware and the interruptions it WILL eventually cause. Remember to bring up the possible loss of confidential information. Make sure you also mention you can stop most of these cold by removing local admin rights.
    2. Remind them threats to their systems are happening EVERY day and administrator rights are not needed most of the time.
    3. Remind them that this also stops employees from installing unnecessary or illegal software. This is big as it wastes company resources and can also lead to increased security/malware risk as employees don't understand the importance of patching software.
    4. Last option is to force it on them for their own good. I insist that no employee user account have local administrator rights. If they refuse then the removal of malware is no longer included in their contract. Now they have to pay for each system cleanup. After a few they typically request I set them up the way I recommended in the beginning.
    Matt

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: connectex
  • connectex
    Convincing is difficult. I admit that. Here's a few of my tips:


    1. Report to them the problems associated with malware and the interruptions it WILL eventually cause. Remember to bring up the possible loss of confidential information. Make sure you also mention you can stop most of these cold by removing local admin rights.
    2. Remind them threats to their systems are happening EVERY day and administrator rights are not needed most of the time.
    3. Remind them that this also stops employees from installing unnecessary or illegal software. This is big as it wastes company resources and can also lead to increased security/malware risk as employees don't understand the importance of patching software.
    4. Last option is to force it on them for their own good. I insist that no employee user account have local administrator rights. If they refuse then the removal of malware is no longer included in their contract. Now they have to pay for each system cleanup. After a few they typically request I set them up the way I recommended in the beginning.
    Matt


    Excellent advice... but in one case, at least for us (and this just happened a few days ago), we had to let a few computers burn in the depths of mal/spy/ad-ware with naughty pop-ups on a publicly visible computer to drive the point home for one client. After the sales rep had that "I told you so" conversation we were allowed to go in and remove local admin access on the majority of the machines/users.

    Those who are left in that group need it for specific applications that require local admin rights. Be mindful of these types of applications. They suck.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: thirteentwenty
  • MGray
    This is a good idea, how is it working for you?

    I saw that Antivirus 2010 is at c:\Program Files\AV2010\AV2010.exe

    Added...


    It's been working great. True, a lot of malware does randomize the service it runs as, but we've noticed that the .exe that it actually installs with is almost always the same. Our biggest concern is these Fraud AV flavors. They account for a large amount of our time. This has (so far) prevented around 15 machines from getting the full-fledged infection. It really helps stop them from digging their heels in. A malwarebytes quick scan is all it takes to fix them. It is a never-ending battle, but this certainly helps, and I'm hoping with the community's support we'll be able to better keep up with the newest threats.

    Side-note... the way to make this work well is to create a template to maintain the list, then copy it to any workstations you want it set up on.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: jknott
  • BTW, to build the case even stronger: new malware that places child porn on your infected system. See here: http://www.itworld.com/security/84077/child-porn-malwares-ultimate-evil. So what's next?

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: connectex
  • Is there a report to see which machines have had an application blocked? I thought there might be but I haven't been able to find it.

    Also, I know the AVG ID Protection monitors and analyzes .exe's; has anyone given that a try?

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: MGray
  • MGray
    Is there a report to see which machines have had an application blocked? I thought there might be but I haven't been able to find it.

    Also, I know the AVG ID Protection monitors and analyzes .exe's; has anyone given that a try?


    We set up "protection violation" alerts and when we see one get flagged, we jump on it.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: jknott
  • I too have found Application Blocker to be an effective malware weapon in our arsenal. It worked well for Backdoor.Sdbot.ac threat which I just encountered for the first time this week on 2 KES-protected machines. This threat dates back to 2004, yet AVG misses it. I was very surprised that this threat got on a machine where the users do NOT have local admin rights (a group policy prevents it). Then again, I guess the malicious svch0s.exe (and svch0st.exe) file could have gotten on this machine before the GPO was added...

    Anyway, you might want to consider adding:
    svch0s.exe (that's a zero)
    svch0st.exe (that's a zero)


    jknott
    I would love to come up with a list of executables (malware) that should be blocked with the application blocker. I think it's underused, as it really does prevent some malware from digging its heels in. Here is the list I've got so far from various posts, and my own experience. Does anyone know if wildcards work? Feel free to add your list and I'll keep this updated.


    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: ReedMikel
  • I'd love to see Kaseya host a download site that could contain useful templates - like this list of malicious files to block. Then they'd need to offer an option within our VSAs to hook into this "Community Application Blocker". Integrate the whole thing so all we have to do is check some new box "use community block list". There would also have to be a way for MSPs to submit newly encountered threats to this community list/template (along with tech notes about the threat).

    There could even be several community block lists that we could select from. e.g. one for threats that have just been discovered, one for threats submitted by MSPs that have been reviewed and approved by a Kaseya moderator etc.

    Imagine the power of pooling the experiences of thousands of MSPs through community templates like this. It would be Kaseya on steroids!

    Jeff - what do you think?

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: ReedMikel
  • Add frostwire.exe to the list under P2P apps.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: ljardine
  • ReedMikel
    I'd love to see Kaseya host a download site that could contain useful templates - like this list of malicious files to block. Then they'd need to offer an option within our VSAs to hook into this "Community Application Blocker". Integrate the whole thing so all we have to do is check some new box "use community block list". There would also have to be a way for MSPs to submit newly encountered threats to this community list/template (along with tech notes about the threat).

    There could even be several community block lists that we could select from. e.g. one for threats that have just been discovered, one for threats submitted by MSPs that have been reviewed and approved by a Kaseya moderator etc.

    Imagine the power of pooling the experiences of thousands of MSPs through community templates like this. It would be Kaseya on steroids!

    Jeff - what do you think?


    I totally agree, I haven't seen anything like this, so I figured we could start it here... I've actually seen a huge jump in "Protection Violations" but no actual infections (Holiday shopping?.. hahaha) so I am still convinced it is a very useful tool.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: jknott
  • ReedMikel

    Imagine the power of pooling the experiences of thousands of MSPs through community templates like this. It would be Kaseya on steroids!


    Couldn't we do that with the forum, if we could get a "sub-forum" kind of thing going on like in the scripts area we could get some great monitoring/scripting/whatevers going on... the hard part would be the moderating of it...

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: thirteentwenty