關於SolarWinds受到感染,Microsoft的建議
關於SolarWinds受到感染,Microsoft的建議
源起

請注意,Microsoft正在偵測複雜的資安威脅攻擊,這是包含受感染的第三方軟體(SolarWinds)。 在12月13日星期日,Microsoft Defender發佈了最新偵測機制,提醒客戶這些惡意檔案的存在,並建議隔離和觀察您的裝置。

從12月16日(星期三)太平洋標準時間下午11:00 /美國東部標準時間上午11:00開始,Microsoft變更惡意程式偵測動作,從偵測告警機制改變成直接進行惡意檔案封鎖。正如最近的威脅分析師報告-Microsoft Defender for Endpoint(windows.com)所分享。即使惡意應用程序仍在進行,依然會隔離惡意檔案

為了解決這個問題,我們強烈建議您隔離並觀察發出此警報的裝置。若特殊狀況需要使用此裝置,請執行以下動作以排除SolarWinds檔案,避免服務中斷。當您完成調查後,能夠還原這些原本設定。

執行 Microsoft Defender排除SolarWinds檔案的步驟

For manual MDAV via PowerShell Instructions
PATH Computer Configuration -> Administrative Templates -> Windows Components -> Microsoft Defender Antivirus (or Windows Defender Antivirus) -> Threats -> Specify threat alert levels at which default action should not be taken when detected.
Value name: 2147771206
Value: 6


For SCEP via GPO Instructions:
PATH: Computer Configuration -> Administrative Templates -> Windows Components -> Endpoint Protection-> Threats -> 指定當偵測到時不執行預設動作的威脅警報級別。
Value name: 2147771206
Value: 6
備註:若您沒有看到「Endpoint Protection」,請查看: Manage Endpoint Protection using Group Policies - Configuration Manager | Microsoft Docs

 

For MDAV and SCEP via SCCM Instructions:

PATH:  Assets and Compliance, Endpoint Protection -> Antimalware Policies -> Threat overrides -> Enter Threat name: Trojan:MSIL/Solorigate.BR!dhaPATH:  Assets and Compliance, Endpoint Protection -> Antimalware Policies -> <Select relevant policy> -> Threat overrides -> Enter Threat name: Trojan:MSIL/Solorigate.BR!dh

Override action: Allow 

 

For MDAV via MEM using PowerShell Instructions:

利用以下內容建立Powershell script :

Set-MpPreference -ThreatIDDefaultAction_Ids 2147771206 -ThreatIDDefaultAction_Actions 6

Name it: Allow_SolarWinds.ps1

Save it to e.g. c:\temp

Browse to https://endpoint.microsoft.com

Devices -> Windows -> Powershell scripts

Click on "+Add"

Name: Allow SolarWinds temporarily

Description:  Allow SolarWinds temporarily while patching.

Click on "Next"

Script location: Browse to e.g. c:\temp\Allow_SolarWinds.ps1

Run this script using the logged on credentials: No

Enforce script signature check: No

Run script in 64 bit Powershell Host: Yes

Click on Next

Scope tag: <default>

Click on Next

 

Assignments:

Click on "+Select groups to include"

Select the "Security Group" that has your Windows 10 based systems.

Click on Select

Click on Next

 

<Review>

Click on Add

 

Note:  For MEM (Intune) Powershell script troubleshooting, 請查看:C:\ProgramData\Microsoft Intune Management Extension\Logs\IntuneManagementExtension.log

For manual MDAV via PowerShell Instructions:

Launch PowerShell as Admin

Set-MpPreference -ThreatIDDefaultAction_Ids 2147771206 -ThreatIDDefaultAction_Actions 6

 

For manual SCEP via PowerShell Instructions:

Launch PowerShell as Admin
Import-Module “$env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1”

Set-MProtPreference -ThreatIDDefaultAction_Ids 2147771206 -ThreatIDDefaultAction_Actions 6

 

若想取得上述說明的更新內容,請參考https://aka.ms/detect_solorigate