Agent Not Blocking AppX/MSIX

Article ID: 286595

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

The Agent is detecting AppX/MSIX bundles, but not blocking their execution.

Environment

  • App Control Console: Version 8.9.0+
  • App Control Windows Agent: 8.8.0+

Cause

Support for MSIX type packages is being investigated in Engineering, under EP-14660.

Resolution

In the meantime, the following combination of a custom Yara rule and a custom software rule will prevent the execution of these file types:

Custom Yara Creation:

  1. Log in to the Console and navigate to Rules > Software Rules > Yara > Add Yara Rule and specify the following:
    • Name: MSIXBUNDLE: installer script filetype
    • Namespace: IsInteresting
    • Status: Enabled
    • Rule:
      rule MSIXBUNDLE: installer script filetype appmsix
      {
          meta:
              description = "Identify MSIX bundle files"
              script_type = 19
              archive_type = 2
          strings:
              $msixBlockMap = "AppxBlockMap.xml"
          condition:
              // 0x04034b50 is the ZIP local file header "PK\x03\x04" read little-endian
              uint32(0) == 0x04034b50 and $msixBlockMap
      }
    • File Scanning: Perform a full file system scan
  2. Click Save & Exit.
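The YARA rule above tags a file when its first four bytes, read as a little-endian 32-bit integer, equal the ZIP local file header signature and the literal string AppxBlockMap.xml appears anywhere in the file. Because ZIP entry names are stored uncompressed in each local file header and in the central directory, that string is visible even when the entry contents are deflated. The script below is an added illustration, not code from the article or from Carbon Black: it re-implements the rule's condition in plain Python, builds a constructed MSIX-like ZIP (not a real package) and a few control inputs in memory, and reports which of them the rule would tag. The sample names and helper functions are this example's own.

```python
"""Re-implementation of the custom YARA rule's condition, with constructed samples.

Mirrors:  uint32(0) == 0x04034b50 and $msixBlockMap
This is an added example for the KB article; it is not App Control code.
"""
import io
import struct
import zipfile

# ZIP local file header "PK\x03\x04"; YARA's uint32() reads little-endian, hence 0x04034b50.
ZIP_LOCAL_HEADER_LE = 0x04034B50
BLOCK_MAP_MARKER = b"AppxBlockMap.xml"


def matches_msix_rule(data: bytes) -> bool:
    """Return True if the bytes satisfy the same condition as the YARA rule."""
    if len(data) < 4:
        return False  # uint32(0) is undefined on fewer than 4 bytes; the rule cannot match
    magic = struct.unpack("<I", data[:4])[0]  # "<I" = little-endian uint32, like YARA
    return magic == ZIP_LOCAL_HEADER_LE and BLOCK_MAP_MARKER in data


def build_sample_zip(entries: dict) -> bytes:
    """Construct an in-memory ZIP from {entry_name: content}. Constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed inputs (hypothetical, not real packages): one MSIX-like container,
# one ordinary ZIP, one text file that merely mentions the marker, and an empty file.
SAMPLES = {
    "msix_like_zip": build_sample_zip({
        "AppxManifest.xml": b"<Package/>",
        "AppxBlockMap.xml": b"<BlockMap/>",   # entry name is what the rule sees
        "app.exe": b"MZ constructed placeholder",
    }),
    "plain_zip": build_sample_zip({"readme.txt": b"nothing to see here"}),
    "text_mentioning_marker": b"see AppxBlockMap.xml for details",  # no ZIP header
    "empty": b"",
}


def classify_samples() -> dict:
    """Map each sample name to whether the rule would tag it appmsix."""
    return {name: matches_msix_rule(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        verdict = "MATCH (would receive YaraTags:appmsix)" if hit else "no match"
        print(f"{name:24s} -> {verdict}")
```

Only the constructed MSIX-like ZIP matches; the text file fails the header check even though it contains the marker, and the plain ZIP passes the header check but lacks the entry name. The same reasoning shows the rule's scope: any ZIP-based container that carries an entry named AppxBlockMap.xml is tagged, which is why it covers the AppX/MSIX packaging family rather than one extension.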


Custom Rule To Block Execution:

  1. Navigate to Rules > Software Rules > Custom > Add Custom Rule
    • Name: Block AppX/MSIX (or something similar)
    • Description: Temporary workaround during EP-14660
    • Status: Enabled
    • Platform: Windows
    • Rule Type: Expert
    • Operations: Execute and Script Execute
    • Actions: Block and Finish Rule Group
    • Target Tag(s): <YaraTags:appmsix>
    • Path or File: Any
    • Process: Any
    • User or Group: Any
    • Rule Applies To: All Current and Future Policies
  2. Click Save & Exit.