05-31-2022 02:12 AM
To mitigate cve-2022-30190 i wanted to add the file hashes of the msdt.exe binary to the blocklist; but with no effect until now.
The hashes occure in the logfile of the agent below hashcontrol as enabled, but verdict has a value "0".
Is it possible, that windows binaries are excluded from blocking by default?
i decided to block the binary for mitigation, because it's a minimal-invasiv approach, which can be reverted quickly if the issue is patched.
05-31-2022 10:59 AM
Te sugiero sigas los siguientes pasos publicados por Microsoft hasta que tengas una respuesta por parted e Cortex Palo Alto.
05-31-2022 11:59 PM
Hello,
as Luc mentioned here (https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cve-2022-30190-microsoft-support-diagnos... ) the use of custom prevention rules with the BIOC works lika a charm here.
So, this will be my solution until PA or Microsoft deliver a proper one. (Which, for PA, might be a BIOC, too 😉 )
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
