Apr 26 2024 12:14 PM
Hello. Hoping someone can help me understand how to confirm (and possibly modify) the behavior of MDE for Linux regarding threat policies.
Here's a folder containing EICAR:
$ ls test_me/
eicar.txt
It is properly detected as EICAR:
$ mdatp scan custom --path /home/analyst/test_me
Scan has finished
1 file(s) scanned
1 threat(s) detected
Threat(s) found
Id: "20a180da-feef-49a3-bec0-c23c9947d138"
Name: Virus:DOS/EICAR_Test_File
Type: "virus"
Status: "infected"
However, the file is not deleted or quarantined, because the status is "allowed":
$ sudo mdatp threat get --id "20a180da-feef-49a3-bec0-c23c9947d138"
Id: "20a180da-feef-49a3-bec0-c23c9947d138"
Name: Virus:DOS/EICAR_Test_File
Type: "virus"
Detection time: Fri Apr 26 15:02:09 2024
Status: "allowed"
Path: "/home/analyst/test_me/eicar.txt"
File size: 69
Sha256 hash: 131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267
How does MDE know to allow this? There are no threat families allowed:
$ mdatp threat allowed list
No threat families.
There are no policies defined by default (at least it doesn't seem like it...the output is just two rows of equal signs):
$ mdatp threat policy list
=====================================
=====================================
I looked into how to set threat policies, thinking maybe the default is to allow everything. It appears there are only two types of threat policies: archive bombs and potentially unwanted applications (PUA):
$ mdatp threat policy set
Configure a threat handling policy:
--type arg Threat type. Accepted values: archive_bomb,
potentially_unwanted_application
--action arg Action to take when a threat is encountered. Accepted
values: off, audit, block
Eicar is definitely not an archive bomb. Maybe it is a PUA, so I set the policy to block:
$ sudo mdatp threat policy set --type potentially_unwanted_application --action block
Threat policy modified successfully
$ mdatp threat policy list
=====================================
Threat type: potentially_unwanted_application
Action: block
=====================================
I scanned the file again and there was no change in behavior - it is still "allowed."
Thinking MDE only allows EICAR because it knows it's just for testing, I went ahead and threw a Stuxnet rootkit driver into the folder and scanned again. It was properly detected as Stuxnet, but still was just "allowed".
$ mdatp scan custom --path /home/analyst/test_me
Scan has finished
2 file(s) scanned
2 threat(s) detected
Threat(s) found
Id: "0ac534db-024d-4497-8509-3b2b5e218a6d"
Name: Trojan:WinNT/Stuxnet.B
Type: "trojan"
Status: "infected"
Id: "a633de95-628a-4c89-8b29-693b7be32f1e"
Name: Virus:DOS/EICAR_Test_File
Type: "virus"
Status: "infected"
How does one configure MDE to actually delete or quarantine threats? Is this only possible with full system scans and not on-demand/custom scans?
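An added check, not part of the post and not Microsoft's tooling, that parses the `mdatp` output layout quoted above and, after a custom scan, reports every detection whose recorded status is still "allowed" (found, but neither quarantined nor removed). It assumes `mdatp` is on PATH, that real output keeps the `Key: "value"` layout shown in the post, and the function names are my own; the embedded samples are the post's own output, used here as constructed test input.

```shell
#!/bin/sh
# Constructed sample input: the `mdatp scan custom` output quoted in the post.
SAMPLE_SCAN='Scan has finished
2 file(s) scanned
2 threat(s) detected
Threat(s) found
Id: "0ac534db-024d-4497-8509-3b2b5e218a6d"
Name: Trojan:WinNT/Stuxnet.B
Type: "trojan"
Status: "infected"
Id: "a633de95-628a-4c89-8b29-693b7be32f1e"
Name: Virus:DOS/EICAR_Test_File
Type: "virus"
Status: "infected"'

# Constructed sample input: the `mdatp threat get` output quoted in the post.
SAMPLE_GET='Id: "20a180da-feef-49a3-bec0-c23c9947d138"
Name: Virus:DOS/EICAR_Test_File
Type: "virus"
Detection time: Fri Apr 26 15:02:09 2024
Status: "allowed"
Path: "/home/analyst/test_me/eicar.txt"
File size: 69
Sha256 hash: 131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267'

# Print the unquoted Id of every threat listed in scan output read from stdin.
scan_threat_ids() {
  sed -n 's/^Id: "\([^"]*\)"/\1/p'
}

# Print the unquoted Status value from `mdatp threat get` output read from stdin.
threat_status() {
  sed -n 's/^Status: "\([^"]*\)"/\1/p'
}

# Hypothetical helper: scan a path with mdatp (needs mdatp on PATH and sudo
# rights), then print every detection whose recorded status is still "allowed".
report_allowed() {
  mdatp scan custom --path "$1" | scan_threat_ids | while read -r id; do
    status=$(sudo mdatp threat get --id "$id" | threat_status)
    if [ "$status" = "allowed" ]; then
      printf 'still allowed: %s\n' "$id"
    fi
  done
}

if [ "$#" -gt 0 ]; then
  report_allowed "$1"
fi
```

Run it as `sh check_allowed.sh /home/analyst/test_me`; with no argument it only defines the functions.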
Apr 26 2024 12:27 PM