Windows Installer Embedded File Protection Rapid Config

Purpose:To protect against exploiting a known issue on windows where legitimately signed installer files can be manipulated.

Description: Protect against exploiting Windows installers by embedding malicious content in them.

Note: See this document for more details: https://community.carbonblack.com/t5/Threat-Research-Docs/TAU-TIN-Java-Embedded-MSI-files/tac-p/66729.


Enabled by Default:	No
Platform:	Windows
Minimum Agent Version Required:	8.0.0, patch 7

The Edit Rapid Config page for the Windows Installer Embedded File Protection Rapid Config

What are Embedded MSI files?

In February of 2019, our threat team posted about a feature in Windows that when abused could lead to unauthorized code execution bypassing code signing checks. This is done by appending malicious jar files to msi files.

To read more about what our threat team found, please see this UeX post, TAU-TIN - Java Embedded MSI files.

How can CB Protection help?

The Windows Installer Embedded File Protection Rapid Config focuses on blocking or reporting jar files that are appended to msi files and other related Microsoft installer formats.

Requirements

Note: Prior to v8.5.0, App Control was known as CB Protection.

The java.exe script rule needs to be enabled.
App Control Server version 8.0 Patch 7 and above.
If you are running a version of App Control Server 8.0 prior to 8.0.Patch 7, you are able to import a rule to provide this coverage. You should follow the instructions in this link. There is no support for versions prior to 8.X.
If your environment prevents you from receiving this Rapid Config via the CDC, please contact support for instructions for manual installation.

Rapid Config Settings

As with most rapid configs, you can:

Enable or disable the rapid config.
Specify what policies the rapid config applies to.

In addition, you can choose to Do Nothing, Report, or Block the specific items or behaviors. In this case, you can Report or Block the execution of Jar files identified as installers. It is unusual for jar files to be identified as installers by App Control.

Note: RECOMMENDATION: We recommend setting each section to Report prior to setting to Block. Use the resulting events to ensure that legitimate behavior will not be impacted.

The settings for the Windows Installer Embedded File Protection Rapid Config

Report Or Block Execution Of Jar Files Identified As Installers:: Should execution of jar files identified as installers be reported or blocked? You should validate that legitimate behavior is not blocked before enabling blocking.
Jar Files Allowed To Run:: Approved jar files specified here will be allowed to run even if identified as installers. You can add or remove items from this list.; Note: EXAMPLE: If you have a jar file named foo.jar that is tagged as an installer, and you still want to be able to execute it, you could specify that here.