Recently there have been reports of fake updates spoofing Google Chrome, Mozilla Firefox, and Internet Explorer start pages. When the user clicks the upgrade option, the JavaScript file is downloaded and the malicious code is executed. There are several ways you can protect your workstation by blocking or changing this default behavior.
Block JavaScript in email gateway
The first thing to do is to block the .js and .jse file types on your email gateway. Regular users have no reason to send or receive JavaScript files. You should regularly review all blocked file types and allow only those you wish to receive. You should also periodically review the files allowed through firewalls, email, file transfers, and other means. Clearly inform users of allowed and disallowed file types. In the case of web-based portals, you can easily tell what is allowed and what is not by documenting on the site.
Relink untrusted file types to other file types
There is another method that has existed for a long time. This is a way to relink one file type to another. Open the default app on your workstation, then click 'Select default app by file type'. Find the .js file type and adjust the settings to open with Notepad.
To apply to the entire domain, go to 'Administrative Templates', 'Preferences/Control Panel Settings/Folder Options' from 'Computer Configuration' and use Group Policy. Add a new file type under “New file type property” as follows.
Follow the same steps for the .jse file to disable JavaScript execution for both file types. If a user needs this specific file type, you can set a specific computer group and organizational unit in Group Policy to apply the reconnection policy to only that user and exclude file type reconnection for users who require JavaScript functionality.
Reduced attack surface
Next, Microsoft Defender ATP's Attack Surface Reduction (ASR) feature can be used to further strengthen network security. You can protect against JavaScript or VBScript with just a Windows 10 Professional license without a Windows 10 Enterprise license or Microsoft 365 E5. Without an enterprise license, some of the management functions provided by Defender for Endpoint, including monitoring, analytics, and workflow, and the reporting and configuration functions of the Microsoft 365 Security Center, are not available.
In Windows 10 version 1709 (RS3, build 16299) or later, you can set ASR rules to block JavaScript and VB scripts. There are many ways to set up ASR rules. If Intune is available, select 'Devices' and then 'Configuration Profiles'. Create a new protection profile or select an existing endpoint protection profile. In 'Profile Type', select 'Endpoint Protection' and name your profile. If you select an existing profile, select 'Properties' and then 'Settings'. Under'Configuration Settings', select 'Microsoft Defender Exploit Guard' and scroll down to the 'Attack Surface Reduction' section. Scroll down and select js/vbs related settings.
The rules that Intune uses to block script threats are as follows.
- Obfuscated js/vbs/ps/macro code
- Js/vbs running payload download from the internet (no exceptions)
The rules I use to block email threats are as follows:
- Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
If you have access to the Microsoft Endpoint Configuration Manager, go to Assets & Compliance, Endpoint Protection, and Microsoft Defender Exploit Guard. From here, select 'Home', then select 'Create Exploit Guard Policy' and then 'Next'. Select the ASR rules to block or audit. Review the settings and select 'Next' to create the policy.
In both Intune and the Configurator, all you have to do is select the action you want to set for the rule to be activated. There is no need to know the GUID and there are no other complicated steps.
Next, if you are using a Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy object you want to configure, and select 'Edit'. Go to 'Computer Configuration' and select 'Administrative Templates'. Expand the tree with Windows components, then go to 'Microsoft Defender Antivirus', 'Windows Defender Exploit Guard', and then 'Attack Surface Reduction'. Select'Configure Attack Surface Reduction Rule' and 'Use'. Here, you set the individual state for each rule in the optional session. 'Display… Select', enter the rule ID in the 'Value Name' column (D3E037E1-3EB8-44C8-A917-57927947596D), and enter the selected status in the 'Value' column as follows:
To configure the same settings using PowerShell, run the command line at an administrative PowerShell prompt. -Rule: Block execution of executable content downloaded from JavaScript or VB script.
Set-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled
Then you can use the Get-MPPreference cmdlet to check the rule status and whether it was applied successfully.
It is advisable to audit rather than fully implement the above-described protection measures for at least 30 days. If the audit determines that there are no problems, the safeguards can be fully deployed. As always, you should consider what safeguards you have in place for your end users.
0 Comments