Question On Potentially Unsafe Application Protection

[itman 1,659]

Will it alert on execution of SysInternals utilites such as PsExec, PsLoggedOn, and ProcDump that provide remote execution, interactive logon enumeration, and dumping of credentials within lsass.exe addresses space respectively?

[Marcos 5,070]

No. If you scan them with PUA detection enabled, they won't be detected.

[itman 1,659]

How about adding an option to this protection where these and like processes could be added by process name and executable hash value. Alert would be generated on either detection.

Blocking these processes via HIPS is next to impossible since they could be dropped into any directory and the HIPS doesn't support global wildcard specification, e.g. *\PsExec.exe.

[itman 1,659]

Thinking about this a bit more, the ideal place to add such capability would be in LiveGrid settings.

Add a section where processes could be added to its existing blacklist. Ideally, many of these existing utilities would be preloaded and all one would have to do is enable them individually. Obviously the checking would be performed by executable hash which is how I assume LiveGrid performs such checks.

[Marcos 5,070]

My understanding is that this should be possible with application control when integrated into products in the future.

[itman 1,659]

4 hours ago, Marcos said:

My understanding is that this should be possible with application control when integrated into products in the future.

For me, the quickest interim solution to this would be to modify the HIPS to allow for a global wildcard specification such as *\PsExec.exe or *PsExec.exe. When the HIPS see such coding, it will check any starting process for a name match.

If limited resources third party solutions can do it, surely Eset can do so. As the saying goes, "it ain't rocket science."