Use Application Control to prevent malicious JavaScript files

Hi everyone,

Recently Sophos has seen an increase in malware being spread via malicious JavaScript files (.js). These typically come as an attachment on an email, either just as a .js file or inside a zip. An example detection name for the .js files would be Troj/JSDldr-* and for the zipped files Mal/DrodZp-*.

Typically, if a user opens one of these files, it will often be a 'Downloader' which connects to a remote site to download the actual malware payload, which is most commonly ransomware.

As an extra layer of protection against these threats you can use Application Control in the Sophos Enterprise Console or Sophos Cloud to block 'Microsoft WSH WScript', which can be found in the 'Programming / Scripting tool' category.

Please note that this might affect other legitimate software so we advise testing this before rolling it out to a live environment.



This thread was automatically locked due to age.
  • PeterM,

    How can we make exclusions in SEC? Do the Windows Exclusions in the Anti-Virus and HIPS Policy work? We need to allow some "good wscript" deployed internally.

    Thanks.

  • Hello Luk,

    AFAIK Application Control is based on static file scanning, thus - like with Data Control - the exclusions should apply. ... I've just tested blocking the 7-Zip Archive tool. Adding an exclusion for everything 7???????????.* released the application - as expected. The challenge is perhaps to find suitable patterns.

    Christian
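The reply above ends on the practical problem: finding an exclusion pattern that releases exactly the files you want and nothing else. The script below is an added example (it is not Sophos code and not from any poster in this thread) for checking candidate patterns against two constructed lists of file names before a pattern goes anywhere near a live policy. It assumes ordinary glob semantics as implemented by Python's fnmatch ('?' matches exactly one character, '*' any run of characters) and case-insensitive names as on Windows; the matching rules of the product itself are not described in this thread, so treat the result as a first filter and still verify in a test group.

```python
from fnmatch import fnmatchcase

# Constructed sample data (not from the thread): file names an exclusion would be
# compared against. ALLOW are internally deployed files that must keep working,
# KEEP_BLOCKED are names the Application Control rule should still catch.
ALLOW = ["7zFM.exe", "7z.exe", "7z.dll", "7-zip.dll"]
KEEP_BLOCKED = ["wscript.exe", "invoice_7.js", "7z_update.exe"]


def matches(pattern, name):
    """Glob match with '?' = exactly one character and '*' = any run.

    Windows file names are case-insensitive, while fnmatchcase is always
    case-sensitive, so both sides are lower-cased first.
    """
    return fnmatchcase(name.lower(), pattern.lower())


def evaluate(patterns, allow=ALLOW, keep_blocked=KEEP_BLOCKED):
    """Check one pattern or a list of patterns (matched as a union).

    Returns (uncovered, leaked): allowed names no pattern matches, and
    blocked names that some pattern would wrongly release.
    """
    if isinstance(patterns, str):
        patterns = [patterns]

    def covered(name):
        return any(matches(p, name) for p in patterns)

    uncovered = [n for n in allow if not covered(n)]
    leaked = [n for n in keep_blocked if covered(n)]
    return uncovered, leaked


def is_safe(patterns, allow=ALLOW, keep_blocked=KEEP_BLOCKED):
    """True only when every allowed name is covered and nothing leaks."""
    uncovered, leaked = evaluate(patterns, allow, keep_blocked)
    return not uncovered and not leaked


if __name__ == "__main__":
    candidates = [
        "7*.*",    # broad: releases anything starting with 7, including 7z_update.exe
        "7z*.*",   # narrower, but misses 7-zip.dll and still leaks 7z_update.exe
        "7?.*",    # '?' is exactly one character, so only 7z.exe / 7z.dll survive
        ["7zFM.exe", "7z.exe", "7z.dll", "7-zip.dll"],  # exact names: no wildcards
    ]
    for c in candidates:
        uncovered, leaked = evaluate(c)
        print(f"{c!s:<48} safe={is_safe(c)} uncovered={uncovered} leaked={leaked}")
```

Run it as a script and the only candidate reported safe is the list of exact file names; every wildcard either misses an allowed file or releases a name that should stay blocked. That is the general lesson for exclusions: a wildcard that is wide enough to catch an application's whole file set is usually wide enough to release something unrelated, so enumerating exact names (or a very specific stem) is the safer default.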
