Trellix-Defined Access Protection Rules Flashcards
Browsers launching files from the Downloaded Program Files folder
Prevents software from installing through the web browser
Benefits: Prevents adware and spyware from installing and running executables from the downloads folder
Risks: Might block installation of legitimate software
Changing any file extension registrations
Protects the registry keys under HKEY_CLASSES_ROOT where file extensions are registered.
Benefits: Prevents malware from changing the file extension registrations to allow malware to execute silently
Risks: Might block installation of legitimate software
Changing user rights policies
Protects registry values that contain windows security information.
Benefit: Prevents worms from changing accounts that have administrator rights
Creating new executable files in the Program Files folder
Benefit: Prevents adware and spyware from creating new .EXE and .DLL files and installing new executable files in the Program Files folder.
Risk: might block installation of legitimate software
Creating new executable files in the Windows folder
Prevents the creation of files from any process, not just from over the network
Benefits: Prevents the creation of .EXE and .DLL files in the Windows folder
Risks: Might block legitimate software from creating these files in the Windows folder
Disabling Registry Editor and Task Manager
Protects Windows registry entries, preventing disabling the registry editor and Task Manager
Doppelganging attacks on processes
Prevents “Process Doppelganging” attacks from changing processes
Benefits: Prevents malware from loading and executing arbitrary code in the context of legitimate or trusted processes
Executing Mimikatz malware
prevents executables named mimikatz from running, protecting against mimikatx malware by preventing it from executing
Executing Scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders
Prevents the Windows scripting host from running VBScript and JavaScript scripts in any folder with “temp” in the folder name
Benefit: Protects against many trojans and questionable web installation mechanisms used by adware and spyware applicaitons
Risks: Might block legitimate scripts and third-party applications from being installed or run
Executing Windows Subsystem for Linux
Prevents an administrator user from running the Windows Subsystem for Linux
Benefit: Prevents malware designed for Linux Systems from attacking Windows computers
Hijacking .EXE or other executable extensions
Protects .EXE, .BAT, and other executable registry keys under HKEY_CLASSES_ROOT
Benefit: Prevents malware from changing registry keys to run the virus when another executable runs
Installing Browser Helper Objects or Shell Extensions
Prevents Browser Helper Objects from installing on the host computer(doesn’t prevent installed Browser Helper Objects from working)
Benefits: Prevents adware, spyware, and trojans from installing on systems
Risks: Might block legitimate applications from installing Browser Helper Objects
Installing new CLSIDs, APPIDs, and TYPELIBs
Prevents the installation or registration of new COM servers.
Benefits: Protects against adware and spyware programs that install themselves as a COM add-on internet explorer or Microsoft Office applications
Risk: Might block installation of some common applications, like Adobe Flash
Modifying core Windows processes
Prevents files from being created or executed with most commonly spoofed names. (excludes authentic windows files)
Prevents viruses and Trojans from running with the name of a Windows process
Modifying Internet Explorer Settings
Block processes from changing settings in Internet Explorer
Prevents start-page trojans, adware, and spyware from changing browser settings, such as changing the start page or installing favorites
