Prevent .EXE downloads from Skype using Application and Device Control policy

Article ID: 158783

Updated On:

Products

Endpoint Protection

Issue/Introduction

Some threats (W32.Phopifas, Trojan.Shylock, and Downloader.Liftoh, to name a few) use Skype to spread. Users fall victim to social engineering tricks and download and execute malicious files received through Skype.

Is there any additional measure that administrators can put in place to block attacks of this sort?

Cause

The malicious files involved are usually named [filename].pdf.exe. The user downloads and executes these files believing that they are ordinary PDF documents.

It is possible to create a defensive policy for Symantec Endpoint Protection's optional Application and Device Control (ADC) component. This policy prevents files downloaded by Skype from being written as executables, so they cannot be executed and cause harm, even if AntiVirus signatures have not yet been created for this specific variant of the threat.

Resolution

Create/Edit an Application and Device Control policy

  1. Log in to the Symantec Endpoint Protection Manager (SEPM) console.
  2. Click Policies, and then click Application and Device Control under View Policies.
  3. On the right-hand side, select the Application and Device Control policy that needs to be modified.
  4. Click Edit the Policy under Tasks.
  5. In the pop-up window, click Application Control.
  6. Click the Add... button.
  7. In the “Apply this rule in the following process” section, click Add, enter the Skype.exe process, and then click OK.
  8. Click Add at the bottom of the window.
  9. Click Add Condition and select File and Folder Access Attempts.
  10. In the File and Folder Access Attempts box, click Add in the “Apply this rule in the following files and folders” section.
  11. Enter the file extension with a wildcard: *.exe
  12. Click OK.
  13. Go to the Actions tab in “File and Folder Access Attempts”.
  14. Under “Reading attempt”, select Permit access.
  15. Under “Create, Delete and Writing attempt”, select Block access and check “Enable logging”.
  16. Click OK.
  17. Assign the policy to the desired client group.

A pre-built policy file is attached below. Please note that this file and these steps are provided "as-is" and may not be effective against every new variant or threat.
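To make the effect of the rule above concrete, here is an added Python model of how such a process-scoped file access rule decides each access attempt. It is an illustration written for this article, not Symantec's ADC engine or policy format; the access-type names, the "not-applicable" outcome for attempts the rule does not cover, and the sample paths are assumptions.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
import ntpath

# Access types, named after the ADC "File and Folder Access Attempts" condition (constructed names).
READ, CREATE, DELETE, WRITE = "read", "create", "delete", "write"


@dataclass
class FileAccessRule:
    processes: tuple        # "Apply this rule in the following process", e.g. ("Skype.exe",)
    file_patterns: tuple    # "Apply this rule in the following files and folders", e.g. ("*.exe",)
    actions: dict           # access type -> "permit" or "block"
    log_blocked: bool = True
    log: list = field(default_factory=list)

    def evaluate(self, process: str, path: str, access: str) -> str:
        """Return "permit", "block", or "not-applicable" for one access attempt."""
        # The rule only applies inside the listed process; other processes are untouched.
        if ntpath.basename(process).lower() not in {p.lower() for p in self.processes}:
            return "not-applicable"
        # Wildcard match on the file name, case-insensitive as on Windows.
        name = ntpath.basename(path).lower()
        if not any(fnmatch(name, pat.lower()) for pat in self.file_patterns):
            return "not-applicable"
        decision = self.actions.get(access, "permit")
        if decision == "block" and self.log_blocked:
            # Corresponds to the "Enable logging" checkbox on the blocked actions.
            self.log.append(f"BLOCKED {access} by {process} on {path}")
        return decision


def block_exe_from_skype() -> FileAccessRule:
    """The rule from steps 7-15: Skype.exe may read *.exe but not create, delete or write them."""
    return FileAccessRule(
        processes=("Skype.exe",),
        file_patterns=("*.exe",),
        actions={READ: "permit", CREATE: "block", DELETE: "block", WRITE: "block"},
    )


if __name__ == "__main__":
    rule = block_exe_from_skype()
    skype = r"C:\Program Files (x86)\Skype\Phone\Skype.exe"   # constructed sample path
    print(rule.evaluate(skype, r"C:\Users\alice\Downloads\invoice.pdf.exe", CREATE))  # block
    print(rule.evaluate(skype, r"C:\Users\alice\Downloads\invoice.pdf", CREATE))      # not-applicable
    print(rule.log)
```

Note that a double-extension name such as invoice.pdf.exe still ends in .exe, so the *.exe wildcard catches it, while a genuine PDF download is untouched by the rule.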


Attachments

Block_EXE_Skype.dat