How to restrict new malwares

irod87
New Contributor

Does anyone know what I need to put in restricted softwares to prevent the 2 new macOS malwares from running?

OSX.Backdoor.Eleanor

OSX.Keydnap

7 REPLIES 7

Lhsachs
Contributor II

Below is a screen shot of the restriction I put in2f17a3a128a44bb9aa6f5a2761c3fa1f

emily
Valued Contributor III
Valued Contributor III

You might also consider deploying and running Malwarebytes or having SavingThrow set up as a rolling policy.

CapU
Contributor III

According to the licensing of Malwarebytes, you can't run the free version unless you are a Student or a home user. You can't set up Malwarebytes to run automagically or un attended.

gachowski
Valued Contributor II

Are we 100% sure that the process is EasyDoc Converter.app?

I wasn't able to find the app to test myself : )

Thanks

C

jlbrown
New Contributor

Won't it be blocked by Apple's xProtect? (Although I see the layered defence argument).

mm2270
Legendary Contributor II

For something like this, if you plan on using Restricted Software, I recommend trying to get the actual executable name and not the app bundle name, and putting that into Restricted Software. Using the app bundle name is not very reliable, because the malware writer or even a person could easily rename it before running it, and your Restricted Software process will miss it since its looking for the bundle name.

cwaldrip
Valued Contributor

@CapU Malwarebyes won't scan automatically, but you can still do it using their published malware profiles. Look through this thread...
https://jamfnation.jamfsoftware.com/discussion.html?id=13053

It's not exactly up-to-date, but I can still get it to work. It will at least identify effected machines and you can go from there.