Is there any way you can block an IP address, process, or program through ECAT?
Hi Mohamed - Yes you can; refer to page 155 of the RSA ECAT 4.2 User Guide.
Note: A module cannot be blocked using the Blocking System without first changing its status to either blacklisted or graylisted.

To block a module using the Blocking System in the ECAT UI:

1. Do one of the following:
   - Click Modules in the Main Menu.
   - Double-click the machine, access the Summary tab, and select the module.
2. Do one of the following:
   - Right-click the selected module and select Edit Whitelist/Blacklist Status.
   - Select one or more modules and press CTRL+B to access the Edit Blacklist-Whitelist Status dialog box.
3. The Edit Status window is displayed.
4. From the Module Status drop-down, change the module status to Blacklisted/Graylisted (if not already done).
5. From the Category drop-down, select the appropriate category based on the type it belongs to:
   - Generic Malware
   - APT: APT (Advanced Persistent Threats) is a set of stealthy and continuous computer hacking processes, often orchestrated by humans targeting a specific entity.
   - Attacker Tool
   - Unidentified
   - Ransomware: This is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to get back their data.
6. Select the type of remediation action:
   - Block Only: If you select this option, the module is blocked but remains in that location.
   - Block & Quarantine File: If you select this option, the module is blocked and moved to the Quarantine folder (C:\ProgramData\EcatService\xxx) on the server and can be accessed only by the user with appropriate permissions.