Follina vulnerability - our workaround to deal with it


Dealing with the Follina vulnerability is challenging because the traditional defence, disabling macros for untrusted files, no longer helps. The mechanism is different from earlier cases: simply opening a document is enough to run a malicious script. With no patch available yet, here is our workaround for the issue.

In short, opening the Word document fetches an external HTML file, which in turn invokes the ms-msdt: URL protocol. This launches the Microsoft Support Diagnostic Tool (MSDT), which can then execute arbitrary PowerShell code.

Microsoft's official guidance is to break the association between the ms-msdt: URL protocol and MSDT. To protect yourself from the Follina vulnerability, go to the Axence nVision Console:

Users -> All Users -> Atlas Info -> Blockades -> Application Blocking, and then block msdt.exe

It is also advisable to create an automatic report listing the employee accounts on which msdt.exe has been run, and to check it regularly. In nVision such a report can be generated automatically and sent to a chosen e-mail address.
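A script-based counterpart to the two steps above (an added example, not Axence's or Microsoft's own code): it checks whether the ms-msdt: handler is still registered, applies the registry workaround on request after backing the key up, and lists recent msdt.exe launches by account in the spirit of the report described above. The Security-log lookup assumes process-creation auditing (event ID 4688) is enabled; the backup path and lookback window are assumed parameters.

```powershell
<#
  Added example (not from Axence or Microsoft). Run from an elevated PowerShell.
  1. Reports whether the ms-msdt: protocol handler is registered.
  2. With -Remediate, exports the key as a backup and then deletes it
     (restore later with: reg import <BackupPath>).
  3. Lists who launched msdt.exe recently, using Security event 4688.
  Assumes process-creation auditing (4688) is enabled on this host.
#>
param(
    [switch]$Remediate,                                   # delete the handler after backing it up
    [string]$BackupPath = "$env:TEMP\ms-msdt-backup.reg", # assumed backup location
    [int]$LookbackDays = 7                                # assumed reporting window
)

$handlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

if (Test-Path $handlerKey) {
    Write-Host "[!] ms-msdt: protocol handler is registered (host still exposed)."
    if ($Remediate) {
        # Keep a backup so the handler can be restored once a patch is installed.
        & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
        & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
        Write-Host "[+] Handler removed; backup saved to $BackupPath"
    }
} else {
    Write-Host "[+] ms-msdt: protocol handler not registered (workaround in place)."
}

# Report which accounts launched msdt.exe recently (event 4688 = process creation).
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$LookbackDays) }
$launches = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the event's EventData fields into a name -> value table.
    $data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    if ($data['NewProcessName'] -like '*\msdt.exe') {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Parent  = $data['ParentProcessName']   # an Office process here matches the Follina chain
            Command = $data['CommandLine']         # empty unless command-line auditing is on
        }
    }
}

if ($launches) { $launches | Format-Table -AutoSize }
else { Write-Host "[+] No msdt.exe launches found in the last $LookbackDays days." }
```

Scheduling the script and mailing its output gives a rough equivalent of the automatic nVision report on hosts the console does not cover.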

It is also worth considering permanently blocking employees from running PowerShell. Our experience shows that the vast majority of organizations have no such blockade in place, which makes them more vulnerable to potential attacks.

Here is how to do that:

Users -> All Users -> About Atlas -> Blockades -> Application Blocking, and then block powershell.exe

In this case it is also a good idea to set up automatic reports showing which computers PowerShell is run on. If you want to find out more about the Follina vulnerability, check out our article.
