Hi @Former Member 

Thank you, that was helpful!

I've reached out to the customer providing him with the information he needs to create an Expert Rule to cater for their specific requirement, i.e. create an expert rule to allow files with a specific double-extension to be read/launched by a specific process (dominodefrag.exe).

I just created my own test Expert Rule which you can see below. Do you think this would meet the customer's requirements?

Expert Rule Example

Thanks again!

Thanks @Former Member !

I'll keep you posted on how it goes.

Hi @Former Member 

I trust you are keeping well?!

The customer replied to me after I provided him with the instructions on creating an Expert Rule saying he has created one of these rules now, not on the actual file in question but rather a test one which he called New Text Document.txt.exe and it is triggering on Rule ID 413 as well as the one he created which has the ID 20002.

Please see below the entry from the Log on the device.

Test Expert Rule (triggering 2 signatures)

He created the rule locally.

Any ideas why this Expert Rule is not functioning as expected?

Thanks in advance!

Heyy @Former Member !

No problem at all, easily done! Indeed, Fridays are always welcome.... here comes the weekend (sang in a merry tone) 🙂

So, if we disable the in-built Rule ID 413 then programs executing files with double extensions other than the one specified in the Expert Rule will still be reported on or blocked, is that correct?

Also, just a small point here but if you click the little View button in the right-hand column of the 413 Rule whilst in the Signatures section of the Exploit Prevention policy, it provides a description of it. I've taken a snip of it for quick reference below and the bit I wanted to mention is highlighted. Basically it says to create an exception for legal programs that should not trigger this signature, rather than create an Expert Rule. Sorry if I'm sounding pedantic!

Rule ID 413 description

The alert the user received after he launched the file with the double extension is below.

Triggering of the double extension signature

Hopefully this will shed more light on the issue!

Thanks in advance and speak soon!

Hiya @Former Member 

Yep, that makes perfect sense! I knew there would be a logical explanation.

So, now that we've got that all straightened out, in order to create our Expert Rule (one Ring, whoops I mean Rule to rule them all 😉 ) well sort of, what would you say should go in the content of our Rule? If we take the example of the target being "New Text Document.txt.exe" and the source being "Explorer.exe". 

I created this which I think should cater for it, what do you reckon?

Rule {

Process {

Include OBJECT_NAME { -v “**” }

Exclude OBJECT_NAME { -v “SYSTEM” }

Exclude OBJECT_NAME { -v “Explorer.exe” }

}

Target {

Match THREAD {

Include OBJECT_NAME { -v “**” }

Exclude OBJECT_NAME { -v “**\New Text Document.txt.exe” }

Include -access “READ”

}

}

}

I was wondering if in our Master Replacing Rule (so to speak) should we be excluding SYSTEM?

Also, I was checking out a document written by a fellow named Debasish Mandal - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/using-expert-rules-in-ens-10-5-3-to-prevent-malicious-exploits/ not sure if you've seen it but it is pretty useful.

Thanks and catch you soon!