07-24-2019 12:25 PM - last edited on 07-25-2019 12:47 PM by Retired Member
Hello All,
Some business processes may utilize Excel documents with embedded macros which launch external applications, which are suspicious, but are later found to be part of a business process. Rather than whitelisting Excel.exe (pretty broad exception) to be able to execute these processes, is there a way to get an exception for just a specific excel document? Of course this is given that the document can be singled out by name.
Thanks,
Brandon
07-25-2019 06:56 AM
So your macro execution can be whitelisted by going into the Malware profile and looking at the "Examine Office Files with Macros" area, which will allow you to add a whitelisted file. This should stop Traps from triggering the Malicious Child Process protections. If not, how you would whitelist the process is by looking at the detection logs and seeing how it identifies the parent/child process and the CLP that was utilized. You would then build the chain under "Prevent Malicious Child Process Execution".
07-24-2019 12:57 PM
What version of Traps are you using? Regardless of version, you can whitelist a file on a case-by-case basis, instead of whitelisting the Excel process, which would be rather ill-advised.
07-24-2019 07:24 PM
Hello @BPry,
I don't believe your statement is accurate: you can't really whitelist an Excel document file, since, as I understand it, Traps protects and evaluates processes/executables on execution. In the scenario I'm referring to, it would be the Excel.exe process executing and displaying/presenting a file that has a macro that causes Excel.exe to run a child process that appears suspicious to Traps. This means whitelisting the xlsx filename or file hash likely does nothing.
How do you make a child process protection exception to an individual Excel document file? For example, there is nothing that I have access to that allows me to turn off child process protection on Excel.exe when it is opening a certain file, but does support have this ability? The reason I'm asking is that the only option I have is to make an exception to a process name (process name being Excel.exe, which I already know is not a good idea). I guess to reiterate I was looking for whether it's possible for support to create this type of exception as an Advanced Exception, or is there anyone out there that has had this scenario, and what did they do?
I'm using Traps 6.1 by the way.
Thanks,
Brandon
07-25-2019 07:00 AM
Hello @BPry
Thanks for the update on this, I'll give this a try today, and update the post if it works.
07-25-2019 08:57 AM
Hello @BPry ,
So I tried adding a file to the whitelist for the Malware profile under "Examine Office Files with Macros". This allows the file to open, but as I suspected, a "suspicious process creation" event is still triggered when the macro is run. This is because in this scenario Excel.exe is starting a child process of schtasks.exe.
You are correct though in your statement about if that doesn't work, you can put it in the "Malware Profile" and allow Excel.exe to launch something like schtasks.exe with very specific parameters. In the end, it would be allowing Excel.exe as a whole to perform a very specific task, which isn't all that bad. As an example, I've attached a screenshot of the exception I made for a fictional Excel file I created with a macro to set a scheduled task.
Wildcards can be used in the Command Line Params as well.
Thanks,
Brandon
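To show why the narrow parent/child/command-line exception Brandon ended up with is preferable to excepting Excel.exe outright, here is an added example (not Traps code and not from the thread) that evaluates constructed process-creation events against both kinds of rule. The Office host list, rule shapes, task names and paths are all assumptions chosen to mirror the scenario above; the wildcard semantics are Python's fnmatch, not necessarily what the Traps Command Line Params field implements.

```python
import fnmatch
from dataclasses import dataclass

# Assumption: these are the macro-capable Office hosts we care about as parents.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

@dataclass(frozen=True)
class ChildProcessException:
    parent: str           # parent process name, e.g. "excel.exe"
    child: str            # child process name, e.g. "schtasks.exe"
    cmdline_pattern: str  # wildcard pattern for the child's command line ('*' matches anything)

# Narrow rule mirroring the thread: Excel may create one specific scheduled task (constructed values).
NARROW_RULES = [
    ChildProcessException("excel.exe", "schtasks.exe",
                          'schtasks.exe /create /tn "Finance-Report-*" /tr "C:\\Finance\\report.bat" *'),
]
# Broad rule equivalent to excepting Excel.exe as a whole: any child, any command line.
BROAD_RULES = [ChildProcessException("excel.exe", "*", "*")]

def matches(rule, parent, child, cmdline):
    """True when the event fits the rule; names compare case-insensitively, command line by wildcard."""
    return (parent.lower() == rule.parent
            and fnmatch.fnmatchcase(child.lower(), rule.child)
            and fnmatch.fnmatchcase(cmdline, rule.cmdline_pattern))

def classify(event, rules):
    """'ignore' for non-Office parents, 'allow' if some rule matches, else 'suspicious'."""
    if event["parent"].lower() not in OFFICE_PARENTS:
        return "ignore"
    if any(matches(r, event["parent"], event["child"], event["cmdline"]) for r in rules):
        return "allow"
    return "suspicious"

def summarize(events, rules):
    """Count verdicts so the two rule sets can be compared side by side."""
    counts = {"allow": 0, "suspicious": 0, "ignore": 0}
    for ev in events:
        counts[classify(ev, rules)] += 1
    return counts

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"parent": "EXCEL.EXE", "child": "schtasks.exe",
     "cmdline": 'schtasks.exe /create /tn "Finance-Report-Monthly" /tr "C:\\Finance\\report.bat" /sc monthly'},
    {"parent": "EXCEL.EXE", "child": "schtasks.exe",
     "cmdline": 'schtasks.exe /create /tn "Updater" /tr "C:\\Users\\Public\\u.exe" /sc minute'},
    {"parent": "EXCEL.EXE", "child": "cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"parent": "explorer.exe", "child": "schtasks.exe", "cmdline": "schtasks.exe /query"},
]

if __name__ == "__main__":
    print("narrow:", summarize(EVENTS, NARROW_RULES))  # {'allow': 1, 'suspicious': 2, 'ignore': 1}
    print("broad: ", summarize(EVENTS, BROAD_RULES))   # {'allow': 3, 'suspicious': 0, 'ignore': 1}
```

The narrow rule lets the business macro through while the other two Excel-spawned children still surface as suspicious; the broad rule silences all of them.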