CIS 2024 Auto Containment Should allow containment of \Windows\* LoL.bin files

Hi,

CIS 2024 beta does not currently allow Containment of \Windows\* files. It currently responds with a message that says it will destabilize the system. But there are Land of the Living Attacks that utilize Windows native exes. And they have to be Blocked.

Just as one example: our red team likes to use compattelrunner.exe to launch attacks. We don’t run legacy software, so compattelrunner should never run in our environment. And we currently Block compattelrunner in Xcitium EDR. The CIS version used by Xcitium EDR allows us to specify a containment rule that blocks Windows directory files.

We like Xcitium EDR and will be using it for quite some time. But if CIS 2024 Beta is the future direction, then it must change this new policy of not allowing Windows exes in containment rules.

Please seriously consider not barring \Windows\* files in Containment.

Thanks.

Peter

Hi waterfieldpeter,

Thank you for reporting.
May I know your CIS version and Windows version?
Please share any related screenshot/video of this issue so that we can reproduce it easily and fix it.
Are you running any other security software other than CIS?

Thanks
C.O.M.O.D.O RT

Hi,

The version of CIS Beta I am running is 12.3.1.8104. Running on Windows 11 23H2.

CIS Beta is my only security program. I am also using Windows Defender Application Control.

Thanks
Peter

Hi waterfieldpeter,

Thank you for providing the requested information.
We have reported your concern to the dev team.
We will keep you posted.

Thanks
C.O.M.O.D.O RT

There was a new attack. This time the network attack affected Windows Logonui.exe. The resulting effect was that I couldn’t log on.

So, the solution was to make a containment rule to ‘Restrict’ logonui.exe. That contained the effects of the attack and the solution worked beautifully.

This is another example where one would need to make containment rules on Windows exes. Other EDRs only have block rules. But that wouldn’t work to solve this attack because blocking Windows’ logonui would mean one couldn’t log on.

Please make the code change.

Hi waterfieldpeter,

Thank you for reporting.
Could you please share with us a screenshot or video of the issue, or the steps to reproduce it?

Thanks
C.O.M.O.D.O RT

I had made a containment rule to restrict logonui.exe in Xcitium OpenEDR’s CIS. It works well without any Windows errors. I did not try this on CIS Beta 2024. Just reporting this incident to you as another example of when a Windows exe needs to be contained.

Hi waterfieldpeter,

Thank you for sharing the information.
We will check and update you.

Thanks
C.O.M.O.D.O RT

Hi,

I just found the Settings / HIDS / Protected Objects section which allows you to block objects. So that solves the problem of not being able to Block.

However, one still needs to put Windows exes into Virtualization, like LogonUI.exe. This file was attacked and it rendered me unable to sign in. It displayed some error. My answer to that attack was to virtualize LogonUI.exe, and a repeated attack was not able to have any effect. So my request for the ability to virtualize Windows exes is still valid.

There is one FEATURE REQUEST I want to make. And that is to have an Enable / Disable slider switch for the HIDS / Protected Objects / Block rules. This is so I can have a seldom used exe like PowerShell set to block, and when I do need to use it, slide to disable that rule for a period of time.

Thanks.

Peter

Hi waterfieldpeter,

Thank you for reporting.
We will check and bring this to the team’s notice.

Thanks
C.O.M.O.D.O RT

Of course, fileless malware is not that easy to detect, because it uses system tools integrated into the system, and this poses a real threat to antivirus programs. It also doesn’t mean that other programs or rules can’t handle it. Comodo is able to deal with this because it has introduced a script analysis mechanism, since most of the payloads delivered rely on such attacks. Together with the sandbox, it perfectly blocks the actions tested, among others, on Astaroth and other such scripts, such as .bat files and also PowerShell.