Can I use EventSentry to deploy a kill file or vaccine for stopping ransomware/viruses such as Bad Rabbit?

Article ID: 368
Category: Security
Applies to: All
Updated: 2017-10-26

Yes, this only takes a few minutes to configure.

  1. Use the EventSentry console toolbar and click Tools > Embedded Scripts

  2. Make a new script and give it a name that ends with .bat, such as blockbadrabbit.bat

  3. Select the new script and create its contents on the right. Paste these lines:

      rem Create the kill files if they are not already present
      if not exist "%systemroot%\infpub.dat" echo > "%systemroot%\infpub.dat"
      if not exist "%systemroot%\cscc.dat" echo > "%systemroot%\cscc.dat"
      rem Remove inherited permissions from both files
      icacls "%systemroot%\infpub.dat" /inheritance:r
      icacls "%systemroot%\cscc.dat" /inheritance:r

  4. Click OK to close the Embedded Scripts menu, and click Home > Save in the toolbar

  5. Make a new System Health package and right-click it, choose Add > Application Scheduler

  6. Select Application Scheduler and then click the + button in its settings on the right

  7. Choose a schedule for how often you'd like to ensure the kill file exists (e.g. every 24 hours). Then choose the name of your Embedded Script in the filename drop-down, choose Local in the isolation mode drop-down at the bottom, and click OK

  8. Right-click your new System Health package again and either choose Global to run it on all of your agents, or choose Assign Package and select the groups/machines you'd like to run it on

  9. Click Home > Save in the toolbar, and then push your new settings (Groups > Push Configuration > Go) and then restart the agent services to generate the script (Groups > Other Actions \/ Restart > Go)
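
To confirm on a host that the deployment took effect, the following check can be run from an elevated command prompt. It is an added example, not part of the original article or of EventSentry; it assumes the kill files were created by the script above and that removing inheritance left them with no access entries, so an attempt to append to them is refused.

```bat
@echo off
rem Added example, not part of the EventSentry article.
rem Checks that both kill files exist and that writes to them are refused.
setlocal
set "FAILED=0"
for %%F in (infpub.dat cscc.dat) do call :check "%systemroot%\%%F"
rem Exit code 0 = both files present and locked, 1 = at least one problem
exit /b %FAILED%

:check
if not exist "%~1" (
    echo MISSING  %~1
    set "FAILED=1"
    goto :eof
)
rem Appending zero bytes leaves the file unchanged but still requires write access.
2>nul ( >>"%~1" type nul ) && (
    echo WRITABLE %~1
    set "FAILED=1"
) || (
    echo LOCKED   %~1
)
goto :eof
```

Run it elevated: a standard user cannot write to %systemroot% regardless of the file's permissions, so the result would always read LOCKED.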