Endpoint Standard: How to Prevent the Recent Emotet Campaign?
Article ID: 289942
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
What Policy Rules will Prevent the Recent Emotet Campaign?
Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Sensor: All Versions
Resolution
- Log in to the Carbon Black Cloud (CBC) Console
- Select Enforce > Policies and open the policy assigned to the endpoints in question
- Select the Prevention tab
- Ensure the following Blocking and Isolation rules are in place. Each rule is an Application, the Operation attempt it covers, and the Action taken; Deny blocks the attempted operation while the process continues to run, Terminate kills the process:

| Application | Operation attempt | Action |
| --- | --- | --- |
| Known malware | Runs or is running | Terminate |
| Adware or PUP | Runs or is running | Terminate |
| Suspected malware | Runs or is running | Terminate |
| Applications at path `**\wscript.exe`, `**\cscript.exe` | Scrapes memory of another process | Terminate |
| Applications at path `**\wscript.exe`, `**\cscript.exe` | Injects code or modifies memory of another process | Terminate |
| Applications at path `**\Microsoft Office\**` | Invokes a command interpreter | Deny |
| Not Listed Application | Scrapes memory of another process | Deny |
| Not Listed Application | Injects code or modifies memory of another process | Deny |
| Not Listed Application | Invokes an untrusted process | Terminate |
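Checking the rules by hand in the console does not scale across many policies. The script below is an added example (not Carbon Black's own tooling) that audits a policy export offline: it takes a policy object in the shape returned by the CBC Policy Service API (GET /policyservice/v1/orgs/{org_key}/policies/{policy_id}) and reports which of the rules listed above are missing or configured with a weaker action than recommended. The enum spellings (KNOWN_MALWARE, ADAPTIVE_WHITE_LIST, MEMORY_SCRAPE, POL_INVOKE_NOT_TRUSTED, ALLOW_AND_LOG, and so on), the assumption that the console's comma-separated path entry exports as one rule per path, and the sample policy JSON are all assumptions constructed for this example; confirm them against an export from your own org before relying on the result.

```python
"""Audit a Carbon Black Cloud policy export for the Emotet prevention rules.

Added example, not Carbon Black tooling. Works offline on a policy object in
the shape returned by GET /policyservice/v1/orgs/{org_key}/policies/{id}.
The enum spellings below are assumptions taken from that API's schema.
"""
import json

# Assumed action enum values, ranked from least to most strict.
ACTION_RANK = {"IGNORE": 0, "ALLOW": 1, "ALLOW_AND_LOG": 2, "DENY": 3, "TERMINATE": 4}

# The rules this article asks for, as (application type, application value,
# operation, action). "Not Listed Application" is assumed to export as the
# reputation ADAPTIVE_WHITE_LIST, and the console entry
# "**\wscript.exe,**\cscript.exe" is assumed to export as one rule per path.
RECOMMENDED = [
    ("REPUTATION", "KNOWN_MALWARE",           "RUN",                    "TERMINATE"),
    ("REPUTATION", "PUP",                     "RUN",                    "TERMINATE"),
    ("REPUTATION", "SUSPECT_MALWARE",         "RUN",                    "TERMINATE"),
    ("NAME_PATH",  r"**\wscript.exe",         "MEMORY_SCRAPE",          "TERMINATE"),
    ("NAME_PATH",  r"**\wscript.exe",         "CODE_INJECTION",         "TERMINATE"),
    ("NAME_PATH",  r"**\cscript.exe",         "MEMORY_SCRAPE",          "TERMINATE"),
    ("NAME_PATH",  r"**\cscript.exe",         "CODE_INJECTION",         "TERMINATE"),
    ("NAME_PATH",  r"**\Microsoft Office\**", "INVOKE_CMD_INTERPRETER", "DENY"),
    ("REPUTATION", "ADAPTIVE_WHITE_LIST",     "MEMORY_SCRAPE",          "DENY"),
    ("REPUTATION", "ADAPTIVE_WHITE_LIST",     "CODE_INJECTION",         "DENY"),
    ("REPUTATION", "ADAPTIVE_WHITE_LIST",     "POL_INVOKE_NOT_TRUSTED", "TERMINATE"),
]

# Constructed sample export: one rule missing for cscript.exe, the Office
# rule set to ALLOW_AND_LOG instead of DENY, and no "untrusted process" rule.
SAMPLE_POLICY = json.loads(r'''
{
  "id": 1234, "name": "Standard",
  "rules": [
    {"id": 1, "action": "TERMINATE", "operation": "RUN",
     "application": {"type": "REPUTATION", "value": "KNOWN_MALWARE"}},
    {"id": 2, "action": "TERMINATE", "operation": "RUN",
     "application": {"type": "REPUTATION", "value": "PUP"}},
    {"id": 3, "action": "TERMINATE", "operation": "RUN",
     "application": {"type": "REPUTATION", "value": "SUSPECT_MALWARE"}},
    {"id": 4, "action": "TERMINATE", "operation": "MEMORY_SCRAPE",
     "application": {"type": "NAME_PATH", "value": "**\\wscript.exe"}},
    {"id": 5, "action": "TERMINATE", "operation": "CODE_INJECTION",
     "application": {"type": "NAME_PATH", "value": "**\\wscript.exe"}},
    {"id": 6, "action": "TERMINATE", "operation": "MEMORY_SCRAPE",
     "application": {"type": "NAME_PATH", "value": "**\\cscript.exe"}},
    {"id": 7, "action": "ALLOW_AND_LOG", "operation": "INVOKE_CMD_INTERPRETER",
     "application": {"type": "NAME_PATH", "value": "**\\Microsoft Office\\**"}},
    {"id": 8, "action": "DENY", "operation": "MEMORY_SCRAPE",
     "application": {"type": "REPUTATION", "value": "ADAPTIVE_WHITE_LIST"}},
    {"id": 9, "action": "DENY", "operation": "CODE_INJECTION",
     "application": {"type": "REPUTATION", "value": "ADAPTIVE_WHITE_LIST"}}
  ]
}''')


def _key(app_type, app_value, operation):
    """Normalise a rule identity: Windows paths are case-insensitive."""
    return (app_type.upper(), app_value.lower(), operation.upper())


def index_rules(policy):
    """Map (type, value, operation) -> the strictest action configured for it."""
    configured = {}
    for rule in policy.get("rules", []):
        app = rule.get("application", {})
        k = _key(app.get("type", ""), str(app.get("value", "")), rule.get("operation", ""))
        action = rule.get("action", "IGNORE").upper()
        if k not in configured or ACTION_RANK.get(action, -1) > ACTION_RANK.get(configured[k], -1):
            configured[k] = action
    return configured


def audit_policy(policy):
    """Return {'missing': [...], 'weaker': [...]} relative to RECOMMENDED.

    'missing' entries are (type, value, operation, wanted_action);
    'weaker' entries are (type, value, operation, have_action, wanted_action).
    """
    configured = index_rules(policy)
    missing, weaker = [], []
    for app_type, app_value, operation, wanted in RECOMMENDED:
        have = configured.get(_key(app_type, app_value, operation))
        if have is None:
            missing.append((app_type, app_value, operation, wanted))
        elif ACTION_RANK.get(have, -1) < ACTION_RANK[wanted]:
            weaker.append((app_type, app_value, operation, have, wanted))
    return {"missing": missing, "weaker": weaker}


if __name__ == "__main__":
    report = audit_policy(SAMPLE_POLICY)
    for entry in report["missing"]:
        print("MISSING:", *entry)
    for entry in report["weaker"]:
        print("WEAKER: ", *entry)
```

To audit a live policy, replace SAMPLE_POLICY with the JSON body returned by the Policy Service API for each policy in the org and run audit_policy over each; a clean policy returns two empty lists.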
Additional Information
The above policy rules were recommended by the Carbon Black Threat Analysis Unit (TAU) as of 30 March 2019. See the TAU Threat Intelligence Notification on the campaign for details:
https://community.carbonblack.com/t5/Threat-Research-Docs/TAU-TIN-Recent-Emotet-Campaign/ta-p/69966