How do I blacklist a file (any type of file) in F-Secure Client Security Premium

JohnWick
JohnWick W/ Alumni Posts: 22 Security Scout

Hi.

I am working on my incident response plan and one part of that is to blacklist a file on all clients. How do I do that in F-Secure Policy Manager? Can I do that? I read some older posts (from 2015) that said it could not be done, which seems strange. I guess one way is to upload to F-Secure via their "Submit a sample", but if we talk about a malware outbreak (or similar) within my company I pretty much count seconds, and Submit-a-sample usually takes hours to blacklist.

Any suggestions? I am thinking about this the wrong way perhaps. 

Any input appreciated. 

Thanks,

JW

Comments

  • Vad
    Vad W/ Alumni Posts: 1,069 Cybercrime Crusader

    Hello JohnWick,

    Please check the new Application Control feature possibilities in the latest Policy Manager/Client Security 14 version. It may fit your requirements.

    Best regards,

    Vad

  • JohnWick
    JohnWick W/ Alumni Posts: 22 Security Scout

    Interesting! I will look into that in more detail. A question about that: does anyone have any experience with enabling this rule? And by experience I mean mainly bad experience, i.e. blocking legitimate things. Otherwise this seems like a nice control to have in place for stopping all the malicious Office documents. Thanks!

  • MJ-perComp
    MJ-perComp W/ Alumni Posts: 669 Firewall Master
    "is it blocking legitimate things" is the wrong understanding of the module. It is simply disabling the "feature" to start a PowerShell script from Office. There is no "good" or "bad" evaluation.

    IMHO it was a very bad idea to give Office the power to create and launch scripts, and MS has disabled this feature by default since then. Even macros are no longer enabled by default. There are better ways to organize a workflow than to use a Word document.

    So, if you think that starting a PowerShell script from Office is a good idea and you want to use it, then "yes, it will be blocking legitimate things".
  • JohnWick
    JohnWick W/ Alumni Posts: 22 Security Scout

    Yes, I understand, but regarding "and MS has disabled this feature by default since then.", that is way too easy for users to circumvent, so I need a block for that. No legitimate use for starting PowerShell from an Office document in my environment as far as I know. Is there ever, I wonder?

    /JW

This discussion has been closed.