How to Prevent Malware with Custom Blocking in CrowdStrike Falcon®
December 1, 2019. Peter Ingebrigtsen, Tech Center
This document covers malware prevention via the custom blocking feature of Falcon. Falcon uses multiple methods to prevent and detect malware. Those methods include machine learning, exploit blocking, blacklisting and indicators of attack. This unified combination of methods protects you against known malware, unknown malware, script-based attacks, file-less malware and others. This document covers blacklisting and whitelisting steps.
Preventing malware with custom blocking
There are cases when you might want to block applications because you are certain that you never want them to run in your environment.
Falcon allows you to upload hashes from your own blacklists or whitelists. To enable this, navigate to the Configuration App, open the Prevention Hashes window, and click “Upload Hashes” in the upper right-hand corner. Note that you can also automate the task of importing hashes with the CrowdStrike Falcon® API.
Then we can either browse to a file or paste a list directly into the window. The list can be a text file with one MD5 or SHA256 hash per line.
The list of hashes must meet the following criteria:
- Formatted as a plain text (.txt) file
- Contains up to 3,000 MD5 and SHA256 hashes (per file)
- Contains one MD5 or SHA256 hash per line
- Hash being added is for an executable file only
All valid MD5 and SHA256 hashes will be uploaded, even if a hash was already uploaded as part of a different list. Rows with non-MD5/SHA256 hash format will be ignored.
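Before uploading, it is worth checking a list against the criteria above so you know how many rows Falcon will actually accept. The following is an added example, not CrowdStrike code: it classifies each line as MD5, SHA256 or ignored, normalizes case, flags duplicates within the file (a tool-side choice; the page says Falcon itself uploads repeated hashes), and splits the valid hashes into per-file bodies that stay under the 3,000-hash limit. The sample list and its hash values are constructed placeholders.

```python
import re

# Constructed sample list in the format the page describes: one hash per
# line in a plain-text file. Values are placeholders, not real indicators.
SAMPLE_LIST = """\
d41d8cd98f00b204e9800998ecf8427e
E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855

sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709
d41d8cd98f00b204e9800998ecf8427e
notahash
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
MAX_HASHES_PER_FILE = 3000  # per-file limit stated on the page


def classify_hash(line: str) -> str:
    """Return 'md5', 'sha256' or 'ignored' for one line of the list."""
    h = line.strip().lower()
    if MD5_RE.fullmatch(h):
        return "md5"
    if SHA256_RE.fullmatch(h):
        return "sha256"
    return "ignored"


def validate_hash_list(text: str) -> dict:
    """Sort a hash list into normalized valid hashes, ignored rows and duplicates."""
    result = {"md5": [], "sha256": [], "ignored": [], "duplicates": []}
    seen = set()
    for raw in text.splitlines():
        h = raw.strip().lower()
        if not h:
            continue  # blank lines carry nothing worth reporting
        kind = classify_hash(h)
        if kind == "ignored":
            result["ignored"].append(raw.strip())
        elif h in seen:
            result["duplicates"].append(h)
        else:
            seen.add(h)
            result[kind].append(h)
    return result


def chunk_for_upload(hashes: list, limit: int = MAX_HASHES_PER_FILE) -> list:
    """Render valid hashes as one-per-line .txt bodies, each within the per-file limit."""
    return ["\n".join(hashes[i:i + limit]) for i in range(0, len(hashes), limit)]
```

Rows reported under `ignored` are the ones Falcon would silently skip, so reviewing that bucket before upload catches SHA1 values or prefixed entries that were meant to block something.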
After clicking “apply” you’ll have the opportunity to select an action you’d like Falcon to take when a matching hash is detected. Select your choice and click “apply” again.
A confirmation window will appear; select “apply” if everything looks correct. If not, make changes until the settings are as desired.
You can see that the hash has been uploaded. If you want to upload more hashes later, click on the “Upload Hashes” icon on the top right corner of the window.
A list of the hashes along with the selected policy, in this case “always block”, is visible from the “Configuration -> Prevention Hashes” dashboard. If individual hashes need to be edited, select the box next to the chosen hash and hit the “apply policy” button at the top.
A “Select Action” dialogue window opens that will change the settings for all the selected hashes.
Now we also need to make sure that custom blocking is enabled in the “Malware Protection” section of the specific policy. For that, let’s go back to the “Configuration app -> Prevention Policy” page and check. If it’s not enabled for the desired policy, you can toggle the “custom blocking” button to enable it. Don’t forget to save the changes to your policy.
This is how the prevention shows up in the Falcon user interface: the file is reported as blocked per your organization’s policy.
Falcon uses an array of methods to protect against known malware, unknown malware and file-less malware. Those methods include:
- Machine Learning
- Exploit Blocking
- Indicators of attack
- Blacklisting and whitelisting
Falcon uniquely combines these powerful methods into an integrated approach that protects endpoints more effectively against both malware and breaches.
How to Prevent Malware with Custom Blacklisting in CrowdStrike Falcon® Host Endpoint Protection
Thank you for joining us today. Today we’re going to show you how CrowdStrike’s Falcon host offers simple blacklisting and whitelisting of files in your environment on your endpoints.
What we have here is a Windows client with a copy of TeamViewer. TeamViewer is a remote administration tool often used by administrators to remote control into someone’s machine. Sometimes it’s also used by adversaries for inappropriate purposes.
As you can see here, if I double click the file in its current form, it will go ahead and open up. And we are able to remotely connect to a machine that’s also running the TeamViewer client. I’m going to close up that TeamViewer application and jump to our UI.
Our UI is cloud based. And I have logged into the UI already. And I am under our Response section, where the hashes are located. I’ve already imported a handful of hashes. In this case, we can see TeamViewer, maybe VNC, maybe BitTorrent, in my case. But I’m going to focus purely on TeamViewer.
I’ve already highlighted the two versions I have in my UI. And we can see that there’s no policy assigned to either one. In this case, None. I’m going to highlight both of them. And I’m going to choose Always Block. The second I hit Apply, within seconds these two hashes will be prevented from executing in my environment moving forward.
I’m going to go back to our client and double click. As you can see here, Windows is unable to execute the file. Now if we happen to have any detections of that file attempting to be executed, if I jump to my Detection screen and look at my detections, I will see that there was a blocked hash. And execution of this hash was blocked according to my blacklisting policy.
We’ll also show you a process tree showing how the file was executed and, of course, associated details about the machine and the user. And here we see under Windows Explorer, the file was executed, stv.exe, zero EV detections. But most importantly, it was blocked from execution.
Alternatively, we could have done the opposite. Instead of blacklisting the file, we could have also chosen to whitelist the file and choose to Never Block. Once I apply that policy, like so, if I go ahead and double click it again, the file is once again allowed to run. And that’s how you blacklist and whitelist files in your environment with CrowdStrike Falcon® host.