File block (.bat)


I'm trying to block a batch script (.bat) and somehow failing at this.

I've added the file hash value (SHA256) to Settings \ Rules \ Indicators (obtained from endpoint's timeline).

The endpoint is running Windows 10 v20H2; Windows Defender AV and cloud-based protection are enabled.

Is there anything else that I'm missing?


Thanks!

2 Replies

@jcescut I noticed that some indicator rules take time in my environment; is it still the same issue?

@Ambarish RH 

I've rerun the test on a different computer (Win10 v1909). This time, after 10 to 15 minutes, Windows Defender AV quarantined the files. Once the first file from the list of indicators was detected (9 file hashes on the list), auto remediation started on the endpoint, during which all the other custom file indicators were recognized and quarantined.

Then I was curious what would happen if I restored the just-quarantined files ("%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -Name EUS:Win32/CustomEnterpriseBlock!cl -All), and so I did. :) I was able to access the restored files, and only after ~5 minutes did AV kick in; once again the auto remediation started (MsMpEng.exe, 1 CPU core 100% utilized) and slowly, one file at a time, put the same files back in quarantine.

I was expecting the process to happen much more quickly, or even better, that I wouldn't be allowed to access the files at all.
Nonetheless... the important thing is that the file block functionality works. Although... I would say that there is room for improvement. :p
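As an added example (not code from this thread or from Microsoft), the following PowerShell script checks the client-side prerequisites that custom file-hash indicators depend on (Defender AV active and not in passive mode, cloud-delivered protection on, the Defender for Endpoint "Sense" service running), prints the SHA256 of a candidate file for comparison with the hash entered under Settings \ Rules \ Indicators, and lists indicator hits using the EUS:Win32/CustomEnterpriseBlock detection name quoted above. The function name and the sample file path are assumptions made for this example.

```powershell
# Added example: local readiness check for Defender for Endpoint file indicators.
# Function name and sample path are made up for this example.
function Test-FileIndicatorReadiness {
    param(
        # Optional file whose SHA256 you want to compare with the portal indicator.
        [string]$Path
    )
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # Each check must be true for a file-hash indicator to take effect on this host.
    $checks = [ordered]@{
        'Defender AV engine running'    = $status.AMServiceEnabled
        'Real-time protection on'       = $status.RealTimeProtectionEnabled
        'AV in Normal (active) mode'    = ($status.AMRunningMode -eq 'Normal')
        'Cloud protection (MAPS) on'    = ($pref.MAPSReporting -ne 0)      # 0 = disabled
        'Sample submission allowed'     = ($pref.SubmitSamplesConsent -ne 2) # 2 = never send
        'MDE Sense service running'     = ($null -ne $sense -and $sense.Status -eq 'Running')
    }
    foreach ($c in $checks.GetEnumerator()) {
        $mark = if ($c.Value) { 'OK  ' } else { 'FAIL' }
        Write-Output "[$mark] $($c.Key)"
    }

    if ($Path -and (Test-Path $Path)) {
        $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Write-Output "SHA256 of ${Path}: $hash"
    }

    # Indicator hits surface as this detection name; join threats to detections by ThreatID.
    $threats = Get-MpThreat | Where-Object { $_.ThreatName -like 'EUS:Win32/CustomEnterpriseBlock*' }
    foreach ($t in $threats) {
        Get-MpThreatDetection | Where-Object { $_.ThreatID -eq $t.ThreatID } | ForEach-Object {
            Write-Output ("Blocked: {0} at {1} (remediated: {2})" -f ($_.Resources -join ', '),
                          $_.InitialDetectionTime, $_.ActionSuccess)
        }
    }

    # Events 1116 (detected) and 1117 (action taken) carry the same trail in the Defender log.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117 } `
                 -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'CustomEnterpriseBlock' } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
}

Test-FileIndicatorReadiness -Path 'C:\Temp\test.bat'   # placeholder path
```

Any FAIL line explains a silent indicator more often than the indicator itself; the timing gap the reply describes is expected, since the block is enforced when the client's cloud lookup returns the indicator verdict, not at the moment the file is written.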