2 Replies Latest reply on May 25, 2017 4:42 PM by Fordo

    Making files Allowed on removable drives without using hashes

    Fordo Apprentice

      If you have the 'Deny files on removable media' setting enabled, which is the default setting, you can't make files Allowed on removable drives (e.g. USB sticks) without using hashes.

      If you disable this setting, you could just create a file rule for ?:\something.exe and a process rule making it Unrestricted (or whitelist everything else it needs).

      However, if you disable that setting someone can bypass Trusted Ownership by changing the owner of an application to Administrators on that drive when plugged into a personal machine, making it pass Trusted Ownership when launched on the corporate device running AM/AC.

      The app I need to whitelist has several versions, all with different hashes, and my customer is interested in making it Allowed based on file name/path and metadata alone, not hash.

      Is there any way of achieving this without disabling that global setting? I.e., bypassing that global setting for a given file path?

        • 1. Re: Making files Allowed on removable drives without using hashes
          timothyb SupportEmployee

          I've so far never needed to handle an incident with Removable Media, so probably showing a gap in my knowledge here.  Do you use hashes because of a technical requirement or the only secure method to allow files on removable media?  Removable media is blocked by default but you should be able to allow files to be executed on it:

          "Any executable or script content that resides on network locations or on removable media, such as a CD or a DVDROM, is automatically considered untrusted, and is immediately blocked from executing. Any such application that must be executed by a user must be specifically added to the whitelist in the Application Manager configuration, with a full UNC path to the relevant executable."

          I guess some of the issues are you need to allow the application to run but Trusted Ownership can't be used (by that I mean Trusted or it's not NTFS) on removable media.  Also, allowing an application by name only when Trusted Ownership can't be trusted wouldn't be a great idea.  So I guess the only trusted method to whitelist an application on removable media would be to use a hash, rather than a technical requirement in the product.

          I would suggest using Vendor Certificates but I think they only work if Trusted Ownership fails.  If you're not checking Trusted Ownership then it's probably not likely to fail back to Vendor Certificates.

          Could you use Metadata to allow the file to run in a more secure way?  It is possible to spoof metadata, so much like a filename rule it probably isn't secure in isolation.  In recent versions of the software there is now a "Verify certificate at runtime" option for "Vendor".  This should make the metadata more secure as the certificate for the file is also verified at runtime:

          "If Vendor metadata is enabled, a further option becomes available - Verify certificate at runtime. When this option is enabled, the AM agent verifies the certificate whilst it is matching the file. Click Verify Options to access a further set of criteria, used during file matching."
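As an added example (not Ivanti/AppSense code and not part of this thread), the PowerShell audit below lists, for every executable on each removable drive, the four properties the discussion turns on: the NTFS owner that Trusted Ownership relies on, the version metadata that can be spoofed, the Authenticode signature that "Verify certificate at runtime" checks, and a hash for an allowed-signature rule. The `$Extensions` list, the SHA-256 choice and the output columns are this script's own assumptions.

```powershell
# Added example, not the product's own code. Assumes Windows PowerShell 5.1 or later.
# Shows, per file on removable media, which Application Manager matching criterion would hold up:
#   Owner       - Trusted Ownership; only exists on NTFS and can be rewritten on another machine
#   Company/Product/Version - file metadata; trivially edited, so weak on its own
#   SigStatus/Signer        - Authenticode signature; survives copying and owner changes
#   SHA256      - hash, the basis of an allowed-signature rule (SHA-256 is this script's choice)
$Extensions = @('.exe', '.dll', '.msi', '.ps1', '.bat', '.cmd', '.vbs')   # assumed list

function Get-RemovableExecutableAudit {
    # DriveType 2 = removable disk (USB sticks, card readers); optical media (DriveType 5) is left out
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=2'
    foreach ($drive in $drives) {
        $files = Get-ChildItem -Path "$($drive.DeviceID)\" -Recurse -File -ErrorAction SilentlyContinue |
                 Where-Object { $Extensions -contains $_.Extension.ToLower() }
        foreach ($f in $files) {
            # Only NTFS carries an owner; on FAT/exFAT Trusted Ownership has nothing to evaluate
            $owner = if ($drive.FileSystem -eq 'NTFS') { (Get-Acl -Path $f.FullName).Owner } else { '<no NTFS owner>' }
            $sig = Get-AuthenticodeSignature -FilePath $f.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            [pscustomobject]@{
                Path        = $f.FullName
                FileSystem  = $drive.FileSystem
                Owner       = $owner
                CompanyName = $f.VersionInfo.CompanyName
                ProductName = $f.VersionInfo.ProductName
                FileVersion = $f.VersionInfo.FileVersion
                SigStatus   = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer      = $signer
                SHA256      = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

# Usage: files that have no valid signature are the ones that can only be allowed safely by hash
Get-RemovableExecutableAudit | Where-Object { $_.SigStatus -ne 'Valid' } |
    Format-Table Path, FileSystem, Owner, CompanyName, SigStatus, SHA256 -AutoSize
```

Run it with the drive plugged into a trusted machine, and compare the Signer column against the vendor certificate you intend to reference in a Vendor rule before relying on metadata alone.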

          • 2. Re: Making files Allowed on removable drives without using hashes
            Fordo Apprentice

            Do you use hashes because of a technical requirement or the only secure method to allow files on removable media?  Removable media is blocked by default but you should be able to allow files to be executed on it:

            You can - but with hashes only, if that global advanced setting is configured (which it is - it's the default):

            From Mark W:

            Unfortunately, when AM detects the request is coming from a removable media source it sets the current level to blocked signature (as if it had been blocked by an (AM) signature rule). As you know, the only thing that can beat that is an allowed signature.

            With the global setting, that removes that stipulation and it goes through the rules as normal. They are the two options.