I stare at the Paladin Sentinel Monitoring Console every morning and see what happened with our monitored servers and networks overnight. I see many patterns and similar events happening across your networks.
Here is one of my pet peeves, something I see often, along with a free suggestion to help keep me calm on my morning rounds.
Nearly every free "PDF tool" is inherently evil. If its name starts with PDF, it is probably malware.
I am constantly seeing Windows Defender or more advanced EDR products take action on your servers against the PDF-something .EXE and the malware of the moment. Your users are downloading this stuff and potentially putting your network at risk.
I am glad to see it often gets caught and killed. However, you have to get your users to just stop doing what they are doing.
Here is my suggestion for a free solution you can implement for this and similar nuisance items.
Whitelist your approved PDF tool in Group Policy so that it is allowed to run (on Windows that means an AppLocker or Software Restriction Policies rule, ideally a publisher rule so that upgrades of a signed tool keep working). Promote the use of your tool to your users. Then collect the names of all these fake PDF tools that are setting off alarms and explicitly "blacklist" those tools; an explicit deny rule always wins over an allow rule, so the two lists cannot conflict. Roll the policy out in audit-only mode first so you can see what it would have blocked before you enforce it.
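The whitelist-then-blacklist step above, as an added PowerShell example (this is not code from the original post). It assumes the AppLocker and Defender modules are present (Windows Server 2016 or later), that the approved reader lives at the hypothetical path in $ApprovedExe, and that the GPO LDAP path in $GpoLdapPath is replaced with your own. The fake-tool names are harvested from Defender's detection history on the machine where the script runs; the deny rules are path rules on the bare file name, which a renamed copy evades, so replace them with hash or publisher rules once you have a captured sample.

```powershell
# Added example, not the original post's code. Builds an AppLocker policy that
# keeps Windows working (default rules), allows the approved PDF reader, and
# denies the PDF*.exe files Windows Defender has already caught on this host.
Import-Module AppLocker
Import-Module Defender

# Hypothetical values: adjust to your environment.
$ApprovedExe = 'C:\Program Files\ApprovedPdfReader\pdfreader.exe'
$PolicyXml   = "$env:TEMP\PdfAppLockerPolicy.xml"
$GpoLdapPath = 'LDAP://dc1.example.local/CN={00000000-0000-0000-0000-000000000000},CN=Policies,CN=System,DC=example,DC=local'

# 1. Collect names of fake "PDF tools" from Defender's detection history.
#    Each Resources entry looks like "file:_C:\Users\jdoe\Downloads\PDFSetup.exe".
$fakeTools = Get-MpThreatDetection |
    ForEach-Object { $_.Resources } |
    ForEach-Object {
        if ($_ -match '^file:_(?<path>.+\.exe)$') { [System.IO.Path]::GetFileName($Matches.path) }
    } |
    Where-Object { $_ -like 'PDF*' } |
    Sort-Object -Unique

# 2. Let the AppLocker cmdlets write the allow rule for the approved tool.
#    Publisher is preferred (survives upgrades of a signed binary); Hash is the
#    fallback when the binary is unsigned.
[xml]$policy = Get-AppLockerFileInformation -Path $ApprovedExe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'Approved PDF tool' -Xml

$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
# Audit first; switch to 'Enabled' after reviewing the would-have-blocked events (AppLocker event ID 8003).
$exe.SetAttribute('EnforcementMode', 'AuditOnly')

# Helper: append a FilePathRule (Allow or Deny) to a rule collection.
function Add-PathRule([System.Xml.XmlElement]$collection, [string]$name, [string]$path, [string]$action, [string]$sid) {
    $doc  = $collection.OwnerDocument
    $rule = $doc.CreateElement('FilePathRule')
    $rule.SetAttribute('Id', [guid]::NewGuid().ToString())
    $rule.SetAttribute('Name', $name)
    $rule.SetAttribute('Description', '')
    $rule.SetAttribute('UserOrGroupSid', $sid)
    $rule.SetAttribute('Action', $action)
    $conds = $doc.CreateElement('Conditions')
    $cond  = $doc.CreateElement('FilePathCondition')
    $cond.SetAttribute('Path', $path)
    [void]$conds.AppendChild($cond)
    [void]$rule.AppendChild($conds)
    [void]$collection.AppendChild($rule)
}

# 3. Default rules: once the Exe collection is enforced, anything not allowed
#    here is blocked, so Windows and Program Files must be allowed explicitly.
Add-PathRule $exe '(Default Rule) All files located in the Program Files folder' '%PROGRAMFILES%\*' 'Allow' 'S-1-1-0'
Add-PathRule $exe '(Default Rule) All files located in the Windows folder'       '%WINDIR%\*'       'Allow' 'S-1-1-0'
Add-PathRule $exe '(Default Rule) All files'                                      '*'                'Allow' 'S-1-5-32-544'

# 4. Explicit deny rules for the harvested names; AppLocker applies Deny before Allow.
foreach ($name in $fakeTools) {
    Add-PathRule $exe "Blacklisted fake PDF tool: $name" "*\$name" 'Deny' 'S-1-1-0'
}

$policy.Save($PolicyXml)

# 5. Check the approved tool is still allowed, then publish to the GPO
#    (drop -Ldap to apply to the local machine only).
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $ApprovedExe -User Everyone
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Ldap $GpoLdapPath
```

Two things to keep in mind when you run it: the Application Identity service (AppIDSvc) has to be running on the clients or AppLocker evaluates nothing, and with the default rules in place an executable sitting in a user's Downloads folder is already outside the allowed paths, so the deny rules are belt-and-braces that mainly matter while you are still in audit-only mode or if someone copies the fake tool into Program Files.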
If you don't want to work that hard or don't know meaningful names, implement the free File Server Resource Manager (FSRM) role service and add a file screen that blocks anything whose name starts with PDF from being saved on your servers. Two caveats: FSRM matches on file name only, so screen the executable extensions (PDF*.exe, PDF*.msi and so on) rather than a bare PDF* that would also catch legitimate documents, and a file screen only protects writes to the server's own volumes; a user who runs the fake tool straight from a workstation download folder never touches it.
Use the same method for other programs and file types that are showing up on your servers that you'd rather not see.
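The FSRM file screen described above, as an added PowerShell example (not code from the original post) that also shows how to apply the same method to other unwanted file types. It assumes the script runs as an administrator on the file server, that the hypothetical tree D:\Shares is what you want to protect, and that IT keeps the approved tool's installer under the hypothetical folder D:\Shares\IT\Installers; the event text is made up for the example.

```powershell
# Added example, not the original post's code. Creates an FSRM file group for
# executables named PDF*, an active file screen that refuses to save them on
# the server, an event-log notification, and an exception for IT's installer folder.
Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools | Out-Null
Import-Module FileServerResourceManager

$SharedRoot    = 'D:\Shares'                 # hypothetical volume or folder to protect
$InstallerPath = 'D:\Shares\IT\Installers'   # hypothetical home of the approved tool's installer

# FSRM screens by file name only, so match executable extensions rather than a
# bare "PDF*", which would also block a legitimate "PDF-Reports.xlsx".
# Add other patterns here for other programs you would rather not see on the server.
$patterns = 'PDF*.exe', 'PDF*.msi', 'PDF*.scr', 'PDF*.bat', 'PDF*.cmd', 'PDF*.js', 'PDF*.vbs', 'PDF*.zip'
New-FsrmFileGroup -Name 'Fake PDF tools' -IncludePattern $patterns `
    -Description 'Executables and archives whose name starts with PDF'

# Write a warning to the event log saying who tried to save what.
# [Source Io Owner], [Source File Path], [Server] and [File Screen Path] are FSRM's own variables.
$logAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] tried to save [Source File Path] on [Server]; blocked by file screen [File Screen Path].'

# -Active blocks the write; leave it out for a passive screen that only logs.
New-FsrmFileScreen -Path $SharedRoot -IncludeGroup 'Fake PDF tools' -Active `
    -Notification $logAction -Description 'Block fake PDF tools'

# Let IT keep the approved tool's installer under the screened tree.
New-FsrmFileScreenException -Path $InstallerPath -IncludeGroup 'Fake PDF tools'

# Verify the screen exists and that a matching write is refused.
Get-FsrmFileScreen -Path $SharedRoot | Format-List Path, Active, IncludeGroup
try {
    Set-Content -Path "$SharedRoot\PDFTest.exe" -Value 'x' -ErrorAction Stop
    'NOT blocked: check that the screen is active and the path is under it'
}
catch {
    'Blocked as expected: ' + $_.Exception.Message
}
```

Start with a passive screen (no -Active) for a week if you are unsure what legitimate files the patterns will catch; the event-log entries tell you who saved what, and you can add exceptions before switching to blocking.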
Call Christina if you need help figuring out how to implement my suggestions.
-Scott Quimby, CISSP