05-11-2023 02:24 PM
I'm attempting to use XDR to block older versions of an application and only allow the few latest releases. There are hundreds of older versions of this application, so blocking each one by hash is not really an option. Also, the application's install path and process executable have the same name with every version, so blocking by path or executable name is not an option. I've been trying to create either a process BIOC to block the installed exe's of the older versions or a file BIOC to prevent the installer of the older versions from running, but I'm fairly new to XDR and XQL, so I haven't had luck getting either one to work properly. Anyone have any experience with a task like this or a good reference to use for assistance?
05-14-2023 04:58 AM
Hi @bjchappell and thank you for writing to Live Community.
Since you mentioned hundreds of older versions of this app, but you want to enable only a select few, have you considered tackling this from a different perspective?
You can try blocking all versions of the application using a prevention profile and only allow-list the last few versions by hash. Of course, this also means you will have to keep the allow-list up to date whenever a new version is released.
Hope this helps!
05-14-2023 08:06 PM
How about using a BIOC where the filename and path match but the hashes don't match? The hashes in the list should be the ones approved for use, and the condition should be "!=". Essentially, that'd pinpoint all executions where the filename and path match but the approved hashes won't be detected. The allowed list of hashes is known to you, finite and is updated on a periodic basis based on your organization's compliance requirement.
Here's a sample BIOC based on a previously accepted solution (see answer to 2nd request): Make the changes in the BIOC definition to meet your requirements. When you click "Test", you should be able to see the events that are detected by the BIOC.
You can append additional hashes by separating them with a "|" sign (unicode here).
Add the finalized BIOC to a restrictions profile. That should do the trick.
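As an added example that is not from this thread and not Cortex XDR code, the following Python simulates the condition the BIOC above expresses (path and filename match, hash not in the approved list) over constructed process-start events, so the allow-list logic can be sanity-checked before it goes into a restrictions profile. The install path, hashes and host names are placeholders.

```python
# Added example (not from the thread): simulates the "path matches, hash != approved"
# BIOC condition over constructed process events.
from dataclasses import dataclass

# Placeholder install path; every version of the app shares it (hypothetical).
WATCHED_PATH = r"c:\program files\examplecorp\examplecorp.exe"

# Constructed SHA-256 placeholders standing in for the approved releases.
APPROVED_SHA256 = {
    "a" * 64,  # placeholder hash for the newest approved build
    "b" * 64,  # placeholder hash for the previous approved build
}


@dataclass
class ProcessEvent:
    host: str
    image_path: str
    sha256: str


def normalize(path: str) -> str:
    """Windows paths are case-insensitive; compare them that way."""
    return path.strip().lower().replace("/", "\\")


def is_unapproved_version(ev: ProcessEvent) -> bool:
    """True when the image path is the watched app but its hash is not approved."""
    return (normalize(ev.image_path) == normalize(WATCHED_PATH)
            and ev.sha256.lower() not in APPROVED_SHA256)


def find_violations(events):
    return [ev for ev in events if is_unapproved_version(ev)]


def approved_hashes_as_bioc_value() -> str:
    """Join the allow-list with '|' the way the thread suggests for the BIOC field."""
    return "|".join(sorted(APPROVED_SHA256))


# Constructed sample events: approved build (case differs), old build, unrelated path.
EVENTS = [
    ProcessEvent("host1", r"C:\Program Files\ExampleCorp\ExampleCorp.exe", "A" * 64),
    ProcessEvent("host2", r"C:\Program Files\ExampleCorp\ExampleCorp.exe", "c" * 64),
    ProcessEvent("host3", r"C:\Other\ExampleCorp.exe", "c" * 64),
]

if __name__ == "__main__":
    for ev in find_violations(EVENTS):
        print(f"ALERT {ev.host}: unapproved build {ev.sha256[:12]} at {ev.image_path}")
```

Only host2 is flagged: host1 runs an approved hash and host3 runs the binary from a path the BIOC does not watch, which is the gap to keep in mind if the installer can be placed elsewhere.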