This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Traps Child Process Protection for Individual Excel Document
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- Cloud Delivered Security Services
- Endpoint (Traps) Discussions
- Traps Child Process Protection for Individual Excel Document
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-24-2019 12:25 PM - last edited on 07-25-2019 12:47 PM by Retired Member
Hello All,
Some business processes may utilize Excel documents with embedded macros which launch external applications, which are suspicious, but are later found to be part of a business process. Rather than whitelisting Excel.exe (pretty broad exception) to be able to execute these processes, is there a way to get an exception for just a specific excel document? Of course this is given that the document can be singled out by name.
Thanks,
Brandon
5 REPLIES 5
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-25-2019 08:57 AM
Hello @BPry ,
So I tried adding a file to the whitelist for the Malware profile under "Examine Office Files with Macros". This allows the file to open, but as I suspected, A "suspicious process creation" event is still triggered when the macro is run. This is because in this scenario Excel.exe is starting a child process of schtasks.exe.
You are correct though in your statement about if that doesn't work, you can put it in the "Malware Profile" and allow Excel.exe to launch something like schtasks.exe with very specific parameters. In the end, it would be allowing Excel.exe as a whole to perform a very specific task, which isn't all that bad. As an example, I've attached a screenshot of the exception I made for a fictional excel file I created with a macro to set a scheduled task.
Wildcards can be used in the Command Line Params as well.
Thanks,
Brandon
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks