How to block malicious JavaScript files in Windows environments

Attackers frequently send malicious JavaScript files through bogus emails. It's easy to block these files from reaching a hapless user. Here's how.


There have been several recent reports of fake updaters that spoof Google Chrome, Mozilla Firefox, and Internet Explorer landing pages. When the user clicks on the upgrade option, a JavaScript file is downloaded and executes malware. You have several options to block or change the default behavior to better protect workstations.

Block JavaScript at the email gateway

First and foremost, block .js and .jse file types at the email gateway. There is no logical reason to be receiving or sending JavaScript files to the average user. Review all the file types you block on a regular basis and allow only those file types you want to receive. You should also regularly review the files you allow through firewalls, email, file transfers and any other means. Clearly communicate to your users what file types are and are not allowed. For web-based portals, you can easily do this by documenting what is and is not allowed on the site.

Reassociate untrusted file types with another file type

Here’s another method that has been around for many years: You can reassociate a given file type with another file type. On a single workstation, open the default apps and then click on “Choose default apps by file type”. Find the .js file type and adjust it to be opened with Notepad.


For a domain-wide change, use Group Policy by going to “Computer Configuration”, then “Administrative templates”, and then “Preferences / Control Panel Settings / Folder Options”. Add the new file type under “New File Type Properties”.


Do the same for the .jse file type so that neither extension is launched as a script. If some users need these specific file types, you can set up specific groups of computers and organizational units in Group Policy, apply the reassociation policies only to them, and exclude the file type reassociation from those that still need the ability to run JavaScript.
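To confirm that the reassociation has actually taken effect on a workstation, here is an added PowerShell check (not part of the article) that reports which handler .js and .jse currently resolve to; it reads the per-user choice that “Choose default apps by file type” writes, falls back to the machine default, and flags anything still routed to the Windows Script Host:

```powershell
# Added example: report the effective open handler for script extensions.
# Reads the per-user override first (what Explorer honours), then the machine default.
function Get-ScriptExtensionHandler {
    param([Parameter(Mandatory)][string]$Extension)   # e.g. '.js' or '.jse'

    # Per-user override written by "Choose default apps by file type"
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    $progId = (Get-ItemProperty -Path $userChoice -ErrorAction SilentlyContinue).ProgId
    $source = 'UserChoice'

    if (-not $progId) {
        # Fall back to the machine-wide class registration (JSFile / JSEFile by default)
        $progId = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$Extension" -ErrorAction SilentlyContinue).'(default)'
        $source = 'MachineDefault'
    }

    # Resolve the ProgId through HKCR so both HKLM and HKCU class registrations are covered
    $command = $null
    if ($progId) {
        $command = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    }

    # Anything still handed to wscript/cscript will execute as a script, not open as text
    $runsAsScript = [bool]($command -match 'wscript\.exe|cscript\.exe')

    [pscustomobject]@{
        Extension    = $Extension
        ProgId       = $progId
        Source       = $source
        OpenCommand  = $command
        RunsAsScript = $runsAsScript
    }
}

# Check both extensions the article reassociates; RunsAsScript should be False after the change
'.js', '.jse' | ForEach-Object { Get-ScriptExtensionHandler -Extension $_ } | Format-List
```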

Attack surface reduction

Next, you can use attack surface reduction (ASR) capabilities in Microsoft Defender ATP to further defend your network. Even with a license of Windows 10 Professional and not the full license of Windows 10 Enterprise or Microsoft 365 E5, you can gain protections against JavaScript or VBScript. Without an Enterprise license, you lose some management capabilities including monitoring, analytics and workflows, which are available in Defender for Endpoint, as well as reporting and configuration capabilities in the Microsoft 365 Security Center.

With Windows 10, version 1709 (RS3, build 16299) or later you can set up an ASR rule to block JavaScript and VBScript. To set up ASR rules, you can use a variety of methods. If you have access to Intune, select “Devices”, then “Configuration profiles”. Create a new protection profile or choose an existing endpoint protection profile. For “Profile type”, select “Endpoint Protection”. Name the profile. If you've chosen an existing profile, select “Properties” and then “Settings”. Under “Configuration settings”, choose “Microsoft Defender Exploit Guard” and scroll to the “Attack Surface Reduction” section. Scroll down and choose the settings related to js/vbs.

In my Intune, I have access to the following rules that prevent script threats:

  • Obfuscated js/vbs/ps/macro code
  • Js/vbs executing payload downloaded from Internet (no exceptions)

Then I have the following rules to prevent email threats:

  • Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)

If you have access to Microsoft Endpoint Configuration Manager, go to “Assets and Compliance”, then “Endpoint Protection”, then “Microsoft Defender Exploit Guard”. Now select “Home” and then “Create Exploit Guard Policy”. Enter a name and a description, select “Attack Surface Reduction”, and select “Next”. Choose the specific ASR rules you want to block or audit. Review the settings and select “Next” to create the policy.

For both Intune and Configuration Manager, you merely need to choose the actions you want to set for the rule you want to enable. It is not necessary to know GUIDs or other confusing steps.

Next, if you use Group Policy, open the Group Policy Management Console on a management computer, right-click on the Group Policy object you want to configure and select “Edit”. Go to “Computer configuration” and select “Administrative templates”. Expand the tree to Windows components, then go to “Microsoft Defender Antivirus”, then “Windows Defender Exploit Guard”, then “Attack Surface Reduction”. Select “Configure Attack surface reduction rules” and then “Enabled”. Then set the individual state for each rule in the options section. Select “Show...” and enter the rule ID in the “Value name” column (D3E037E1-3EB8-44C8-A917-57927947596D) and your chosen state in the “Value” column as follows:

Disable = 0
Block (enable ASR rule) = 1
Audit = 2

To use PowerShell to set the same setting, run the following command from an elevated (Administrator) PowerShell prompt:

Rule: Block JavaScript or VBScript from launching downloaded executable content:

Set-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled

You can then use the Get-MpPreference cmdlet to check the rule’s status and confirm it has been applied.
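As an added example (not from the article), the following PowerShell stages the same rule in audit mode first and then reads back what Defender actually applied, since Get-MpPreference returns the rule IDs and their actions as two parallel arrays that have to be matched up by index; it assumes an elevated prompt on a machine running Microsoft Defender Antivirus:

```powershell
# Added example: stage the JS/VBS ASR rule in audit mode and verify the effective state.

# Rule ID from the article: Block JavaScript or VBScript from launching downloaded executable content
$JsVbsRuleId = 'D3E037E1-3EB8-44C8-A917-57927947596D'

# Same numeric states the Group Policy setting uses (0 = disable, 1 = block, 2 = audit)
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$RuleId)
    $pref    = Get-MpPreference
    # Ids and Actions are parallel arrays: element i of one describes element i of the other
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $RuleId) {          # -eq is case-insensitive for strings
            $code = [int]$actions[$i]
            $name = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown($code)" }
            return [pscustomobject]@{ RuleId = $RuleId; ActionCode = $code; Action = $name }
        }
    }
    # A rule that was never configured behaves as disabled
    return [pscustomobject]@{ RuleId = $RuleId; ActionCode = 0; Action = 'NotConfigured' }
}

# Start in audit mode so hits are logged without blocking; change AuditMode to Enabled to block
Set-MpPreference -AttackSurfaceReductionRules_Ids $JsVbsRuleId -AttackSurfaceReductionRules_Actions AuditMode

# Confirm what Defender applied
Get-AsrRuleState -RuleId $JsVbsRuleId | Format-Table -AutoSize

# During the audit window, review what the rule would have blocked:
# event ID 1122 = ASR audit hit, 1121 = ASR block, in the Defender operational log
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Review the audit events before switching the action to Enabled so that legitimate line-of-business scripts are identified and excluded first.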

I recommend running these rules in audit mode rather than block mode for at least 30 days. Once you deem that there are no issues, you can fully deploy the protection. As always, make sure you review what protections you have in place for your end users.

Copyright © 2020 IDG Communications, Inc.
