2016-10-30 03:37 AM
Is there any way you can block an IP address, process, or program through ECAT?
2016-10-31 12:43 AM
Hi Mohamed - Yes, you can; refer to page 155 of the RSA ECAT 4.2 User Guide.
Note: A module cannot be blocked using the Blocking System without first changing its status to either blacklisted or graylisted.
To block a module using the Blocking System in the ECAT UI:
1. Do one of the following:
   - Click Modules in the Main Menu.
   - Double-click the machine, access the Summary tab, and select the module.
2. Do one of the following:
   - Right-click the selected module and select Edit Whitelist/Blacklist Status.
   - Select one or more modules and press CTRL+B to access the Edit Blacklist-Whitelist Status dialog box.
3. The Edit Status window is displayed as shown below:
4. From the Module Status drop-down, change the module status to Blacklisted/Graylisted (if not already done).
5. From the Category drop-down, select the appropriate category based on the type it belongs to:
   - Generic Malware
   - APT: APT (Advanced Persistent Threats) is a set of stealthy and continuous computer hacking processes, often orchestrated by humans targeting a specific entity.
   - Attacker Tool
   - Unidentified
   - Ransomware: This is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to get back their data.
6. Select the type of remediation action:
   - Block Only: If you select this option, the module is blocked but remains in that location.
   - Block & Quarantine File: If you select this option, the module is blocked and moved to the Quarantine folder (C:\ProgramData\EcatService\xxx) on the server and can be accessed only by the user with appropriate permissions.