Gravity Zone Software Execution Policy Bypass

Moisés Cerqueira · 2024-04-04T12:30:47+00:00

There was an error rendering this rich post.

Hi guys, all right? During the last week, I've been testing some features of GravityZone and one of them was the program execution blocking policy.

From what I verified, we can block the execution of a software both by the absolute path and by the Hash (MD5/SHA).

I used an EDR test file without changes and it was blocked; however after I used the program "MD5-Hash-Changer" to change the hash value of the .exe, I was able to run it without major problems.

Is there any way to counter this technique?

Find more posts tagged with

Comments

Flexx

https://community.bitdefender.com/en/discussion/99442/gravity-zone-software-execution-policy-bypass

Kindly contact Bitdefender Business Support by visiting https://www.bitdefender.com/support/contact-us.html?last_page=BusinessCategory

Additionally, @Andrei_S Enterprise from Bitdefender Enterprise team can check on this for you.

Regards

Andrei_S Enterprise

Hello @Moisés Cerqueira ,

From my knowledge the hash would change in case of am update or manually using a dedicate tool such as MD5-Hash-Changer, for your scenario you can use the absolute path exclusions because there is no way to know the new hash of the file. There are alternative workaround such us importing a list of hashes which might help in some case.

These are described here: https://www.bitdefender.com/business/support/en/77209-151159-edr-blocklist.html#UUID-154fd736-b8d9-c586-b666-379c0263b589 and https://www.bitdefender.com/business/support/en/77209-376320-xdr.html#UUID-ee015dea-db36-2503-76a4-b14a320e6111_section-idm4604662972948833795503092008

Alternatively, there is the Application Control feature available for OnPremise infrastructures, you can find more details about it here: https://www.bitdefender.com/business/support/en/77212-342956-application-control.html#UUID-e848d1fa-d753-d1d6-26ee-ceb8cc4aa7dd

You can also reach out to our Enterprise Support Team which might be able to provide additional solutions for your scenario.

Kind Regards,