
...

If a proxy server is configured, it will be displayed in the command output.

PowerShell:

    # Read the current user's Internet Settings (HKCU) and report the proxy if one is enabled.
    $proxySettings = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

    if ($proxySettings.ProxyEnable -eq 1) {
        Write-Output "Proxy Server: $($proxySettings.ProxyServer)"
    }
    else {
        Write-Output "Proxy is not enabled."
    }

If proxy is set, this will be the result:

...

Excluding these paths from AV/EDR scans will help prevent any disruptions to GYTPOL's functionality and ensure accurate reporting and analysis. It's important to keep these exclusions in place to maintain the proper operation of GYTPOL and avoid unnecessary alerts or errors.

GYTPOL certificate whitelisting

In some cases, whitelisting the specified paths isn't sufficient, and you need to add the vendor's certificate to the EDR. To obtain the certificate file, open the Certificates snap-in in MMC, navigate to Local Machine, and locate the GYTPOL LTD certificate in Trusted Publishers.

Ensure this certificate is whitelisted in your EDR, as well as any executable or process that runs with it.

Here's how to open the Certificates snap-in using the Microsoft Management Console (MMC):

  1. Open the Run dialog:

    • Press Windows key + R on your keyboard.

  2. Launch MMC:

    • In the Run dialog box, type mmc and press Enter.

  3. Add the Certificates snap-in:

    • In the MMC window, click on File in the top-left corner, and then select Add/Remove Snap-in.

  4. Select the Certificates snap-in:

    • In the Add or Remove Snap-ins dialog box, find and select Certificates from the list on the left, then click Add.

  5. Choose the appropriate account:

    • You will be prompted to choose the snap-in to manage certificates for:

      • Select Computer account and click Next.

      • Choose Local computer (the computer this console is running on), then click Finish.

  6. Locate the GYTPOL LTD certificate:

    • Back in the MMC console, expand Certificates (Local Computer) in the left pane.

    • Expand Trusted Publishers and then click on Certificates.

    • Locate the GYTPOL LTD certificate in the right pane.

  7. Whitelist the certificate:

    • Make sure this certificate is whitelisted in your EDR, as well as any executable or process that runs with it.

This will allow you to view and manage certificates on your local machine using MMC.
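
The same lookup can be scripted. The following is an added example, not GYTPOL's own code: it assumes the certificate subject contains the name shown in the snap-in ("GYTPOL LTD"), and the -ExportDir and -BinaryPath parameters are placeholders you supply. It exports the public certificate for upload to the EDR and checks that the files you pass are signed by it.

```powershell
# Added example, not vendor code. Assumption: the subject contains "GYTPOL LTD".
param(
    [string]$SubjectMatch = '*GYTPOL LTD*',
    [string]$ExportDir    = $env:TEMP,   # placeholder output folder
    [string[]]$BinaryPath = @()          # optional: signed files to cross-check (paths you supply)
)

# Trusted Publishers for the local computer, the same store as step 6.
$certs = @(Get-ChildItem -Path 'Cert:\LocalMachine\TrustedPublisher' |
    Where-Object { $_.Subject -like $SubjectMatch })

if ($certs.Count -eq 0) {
    Write-Warning "No certificate matching '$SubjectMatch' in LocalMachine\TrustedPublisher."
    return
}

foreach ($cert in $certs) {
    # Export the public certificate only (DER-encoded .cer, no private key).
    $file = Join-Path $ExportDir ("{0}.cer" -f $cert.Thumbprint)
    Export-Certificate -Cert $cert -FilePath $file -Type CERT | Out-Null

    # Thumbprint and expiry let you confirm the EDR entry refers to this exact certificate.
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt (Get-Date))
        ExportedTo = $file
    }
}

# Cross-check: each file should carry a valid Authenticode signature
# whose signer is one of the certificates located above.
foreach ($path in $BinaryPath) {
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        File          = $path
        Status        = $sig.Status
        SignerMatches = ($null -ne $sig.SignerCertificate -and
                         $certs.Thumbprint -contains $sig.SignerCertificate.Thumbprint)
    }
}
```

A file that reports a Status other than Valid, or SignerMatches as False, is not covered by a certificate-based EDR rule and should be investigated before it is allowed by path alone.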

...

Cybereason version with GYTPOL whitelisting:

Starting from Cybereason versions 22.1 (.180 and above) and 21.2 (.480 and above), GYTPOL is already whitelisted. This means that GYTPOL has been added to the list of trusted applications by Cybereason's Endpoint Detection and Response (EDR) solution. As a result, there should not be any blocks or disruptions caused by Cybereason EDR for GYTPOL operations.

...