Using the command line
Sometimes file-encoder malware uses legitimate programs to encrypt and delete the user's files. The RAR archiver can be one such program, so we need to create a rule that monitors executions of the RAR archiver with the specific parameters that encrypt the archive and delete the source files.
Rule
<?xml version='1.0' encoding='UTF-8'?>
<rule>
  <description>
    <name>RAR Encrypts and Deletes Files [B0601]</name>
    <category>Ransomware / Filecoders</category>
    <os>Windows</os>
    <severity>84</severity>
    <mitreattackid>T1560.001,T1486</mitreattackid>
    <explanation>A RAR archiver was executed, instructed to password-protect an archive, and delete the source files. If the user isn't aware of the activity, it may indicate ransomware activity.</explanation>
    <benignCauses>It can be a legitimate action of the user to protect data by encrypting it.</benignCauses>
    <maliciousCauses>Used by some filecoders to encrypt and delete a user's data.</maliciousCauses>
    <recommendedActions>1. Investigate the activity:
      * Is it a single activity or a sequence?
      * What is the count and type of files involved?
      * Was it initiated by the user or not?
      2. What process initiated the activity?
      * Is it a well known and trusted program?
      * Is it signed by a trustworthy vendor?
      * Scan it with your Antivirus product or check its reputation and popularity directly in the Inspect console.
      * If suspicious, submit the program for further analysis.
      3. Use the password from command line logged by Inspect to recover the encrypted files.</recommendedActions>
  </description>
  <definition>
    <process>
      <operator type="AND">
        <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="rar"/>
        <operator type="AND">
          <operator type="OR">
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-p"/>
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-hp"/>
          </operator>
          <operator type="OR">
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-df"/>
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-dw"/>
          </operator>
        </operator>
      </operator>
    </process>
  </definition>
  <maliciousTarget name="parent"/>
  <actions>
    <action name="TriggerDetection"/>
    <action name="StoreEvent"/>
    <action name="SubmitParentToLiveGuard"/>
  </actions>
</rule>
Things to note in the rule example above:
1. The CommandLine property is used with the condition contains so that only the specific parameters are selected, while the rest of the command line can be anything.
2. The conditions are combined with the logical operators OR and AND to achieve the desired result.
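As an added example (not part of the original page and not ESET's own code), the following Python re-implements the rule's AND/OR condition tree over constructed process events and, as the recommended actions suggest, pulls the password given with -p/-hp out of a matching command line so a responder can recover the archived files. The event fields, the case-insensitive file-name comparison and the sample command lines are assumptions made for this example.

```python
import os
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Assumed shape of one process-start event (not Inspect's real schema)."""
    image_path: str     # FileItem: full path of the started executable
    command_line: str   # ProcessInfo.CommandLine as logged

def file_name_without_extension(path: str) -> str:
    """FileItem.FileNameWithoutExtension for a Windows path (works on any host)."""
    return os.path.splitext(os.path.basename(path.replace("\\", "/")))[0]

def matches_rule(ev: ProcessEvent) -> bool:
    """Mirror of the rule's tree; file-name match assumed case-insensitive (Windows)."""
    if file_name_without_extension(ev.image_path).lower() != "rar":
        return False
    cl = ev.command_line
    # OR block: a password switch (-p<pwd>, or -hp<pwd> which also encrypts headers)
    has_password = "-p" in cl or "-hp" in cl
    # OR block: delete (-df) or wipe (-dw) the source files after archiving
    deletes_source = "-df" in cl or "-dw" in cl
    return has_password and deletes_source

def extract_password(command_line: str):
    """Return the password given inline with -p/-hp, or None if absent.
    Splits on whitespace, so a quoted password containing spaces is not handled."""
    for tok in command_line.split():
        if tok.startswith("-hp"):
            return tok[3:] or None
        if tok.startswith("-p"):
            return tok[2:] or None
    return None

def triage(events):
    """(command_line, password) for every event the rule would fire on."""
    return [(e.command_line, extract_password(e.command_line))
            for e in events if matches_rule(e)]

# Constructed sample events for this example, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\WinRAR\Rar.exe",
                 r"Rar.exe a -hpS3cret! -df D:\docs\out.rar D:\docs\*"),   # fires
    ProcessEvent(r"C:\Program Files\WinRAR\Rar.exe",
                 r"Rar.exe a -pS3cret! D:\backup.rar D:\docs\*"),          # password, no delete
    ProcessEvent(r"C:\Program Files\WinRAR\WinRAR.exe",
                 r"WinRAR.exe a -p1234 -dw D:\out.rar D:\docs\*"),         # image name is not "rar"
]
```

Because contains is a substring test, the same caveat as in the rule applies here: any occurrence of the switch text anywhere in the command line counts, so the triage steps listed in recommendedActions still apply to each hit.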