Purpose: To protect against exploiting a known issue on windows where legitimately signed installer files can be manipulated.
Description: Protect against exploiting Windows installers by embedding malicious content in them.
Enabled by Default: | No |
Platform: | Windows |
Minimum Agent Version Required: | 8.0.0, patch 7 |
What are Embedded MSI files?
In February of 2019, our threat team posted about a feature in Windows that when abused could lead to unauthorized code execution bypassing code signing checks. This is done by appending malicious jar files to msi files.
To read more about what our threat team found, please see this UeX post, TAU-TIN - Java Embedded MSI files.
How can CB Protection help?
The Windows Installer Embedded File Protection Rapid Config focuses on blocking or reporting jar files that are appended to msi files and other related Microsoft installer formats.
Requirements
-
The java.exe script rule needs to be enabled.
-
App Control Server version 8.0 Patch 7 and above.
-
If you are running a version of App Control Server 8.0 prior to 8.0.Patch 7, you are able to import a rule to provide this coverage. You should follow the instructions in this link. There is no support for versions prior to 8.X.
-
If your environment prevents you from receiving this Rapid Config via the CDC, please contact support for instructions for manual installation.
Rapid Config Settings
As with most rapid configs, you can:
-
Enable or disable the rapid config.
-
Specify what policies the rapid config applies to.
In addition, you can choose to Do Nothing, Report, or Block the specific items or behaviors. In this case, you can Report or Block the execution of Jar files identified as installers. It is unusual for jar files to be identified as installers by App Control.
- Report Or Block Execution Of Jar Files Identified As Installers:
- Should execution of jar files identified as installers be reported or blocked? You should validate that legitimate behavior is not blocked before enabling blocking.
- Jar Files Allowed To Run:
- Approved jar files specified here will be allowed to run even if identified as installers. You can add or remove items from this list.