UpSight Security Client Update 1/11/2023
Happy New Year! With the new year comes a refresh to the UpSight Client, now posted! Your UpSight Security client should update automatically to version 1734.
Exception rules work! The toggle in the UI now actually generates a rule exception on the fly. Internally this ended up being a fair amount of effort across our graph storage layer, rule exception templates, UI changes and extending our test automation. In the big picture this is going to be really helpful in "closing the loop" on rules that fire falsely, so we can learn from the crowd, and you hopefully won't ever have to use this more than a handful of times. The next big lift is in fact closing that loop; at the moment all the slider does is solve your problem.
More tokens protected! In addition to the Exodus protections we talked about in our blog... FWIW: I had some time in airports recently to read further into Redline Stealer, and FileZilla credentials are now protected.
Stopping attacks earlier! Now that exceptions work, the more interesting change is that we have introduced a few more enforcement rules to prevent common initial access techniques such as enabling PowerShell and creating files intended to obscure the true file type (Unicode tricks, double file extensions and the like). No matter how careful you are, "Windows" is a UI layer (explorer.exe) on top of an OS layer (Win32) on top of another OS (NTOS)... and the abstraction leaks. Visually you might see 'Important file.docx' in the Explorer UI with the correct icon and everything, but to the OS it is actually "Important file.docx.exe", and when you click on it you end up running malware. There are a number of such "appearances can be deceptive" tricks that we keep an eye out for now.
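As an added illustration of the "appearances can be deceptive" checks described above (example code, not UpSight's own rule set), the following Python function flags filenames whose rendered form differs from what Windows will actually execute: bidirectional-override characters, invisible format characters, a document extension followed by an executable one, and space-padding that pushes the real extension out of view. The extension lists are assumptions for the example.

```python
import unicodedata

# Assumed lists for this example, not the client's rule set.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse",
                   "wsf", "hta", "lnk", "msi", "ps1"}
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "txt", "jpg", "png", "zip"}
# Unicode bidirectional override/isolate characters that reverse how the tail
# of a name is rendered (the classic right-to-left override trick).
BIDI_OVERRIDES = {"\u202a", "\u202b", "\u202d", "\u202e", "\u2066", "\u2067", "\u2068"}


def deceptive_name_reasons(name: str) -> list[str]:
    """Return the reasons a filename looks deceptive ([] when it looks honest)."""
    reasons = []
    if any(ch in BIDI_OVERRIDES for ch in name):
        reasons.append("bidi-override")
    # Other format characters (zero-width space, joiners) never render at all.
    if any(unicodedata.category(ch) == "Cf" and ch not in BIDI_OVERRIDES for ch in name):
        reasons.append("invisible-format-char")
    # Examine the extension chain as the OS sees it: drop the invisible chars,
    # split on dots, and compare the final (real) extension with the one before it.
    visible = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    parts = visible.lower().split(".")
    if len(parts) >= 3 and parts[-1].strip() in EXECUTABLE_EXTS \
            and parts[-2].strip() in DOCUMENT_EXTS:
        reasons.append("double-extension")
    # A long run of spaces before the real extension pushes it out of the visible column.
    if len(parts) >= 2 and len(parts[-2]) - len(parts[-2].rstrip()) >= 8:
        reasons.append("padded-extension")
    return reasons


def scan(names: list[str]) -> dict[str, list[str]]:
    """Map each flagged name to its reasons; honest names are omitted."""
    return {n: r for n in names for r in [deceptive_name_reasons(n)] if r}


if __name__ == "__main__":
    # Constructed sample names, including the one from the post.
    samples = [
        "Important file.docx",
        "Important file.docx.exe",
        "Report\u202ecod.exe",                 # renders as "Reportexe.doc"
        "Quarterly.pdf" + " " * 40 + ".exe",   # real extension scrolled out of view
        "notes.tar.gz",
    ]
    for n, r in scan(samples).items():
        print(repr(n), "->", ", ".join(r))
```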
More Performance! We 'fixed' Yara to evaluate statements in their correct algebraic order. We use Yara a lot to figure out what kind of file you are double-clicking on... is it a docx or is it an exe? With these changes we don't need to read the entire file before determining that it isn't a type we are interested in. Happy to share details on how this was accomplished... but we've 'forked' Yara at this point so won't be attempting to push a patch back upstream.