Question On Potentially Unsafe Application Protection


Will it alert on execution of SysInternals utilities such as PsExec, PsLoggedOn, and ProcDump that provide remote execution, interactive logon enumeration, and dumping of credentials within lsass.exe address space respectively?

How about adding an option to this protection where these and like processes could be added by process name and executable hash value? An alert would be generated on either detection.

Blocking these processes via HIPS is next to impossible since they could be dropped into any directory and the HIPS doesn't support global wildcard specification, e.g. *\PsExec.exe.

Thinking about this a bit more, the ideal place to add such capability would be in LiveGrid settings.

Add a section where processes could be added to its existing blacklist. Ideally, many of these existing utilities would be preloaded and all one would have to do is enable them individually. Obviously the checking would be performed by executable hash which is how I assume LiveGrid performs such checks.

  • Administrators

My understanding is that this should be possible with application control when integrated into products in the future.

4 hours ago, Marcos said:

My understanding is that this should be possible with application control when integrated into products in the future.

For me, the quickest interim solution to this would be to modify the HIPS to allow for a global wildcard specification such as *\PsExec.exe or *PsExec.exe. When the HIPS sees such coding, it will check any starting process for a name match.

If limited-resource third-party solutions can do it, surely ESET can do so. As the saying goes, "it ain't rocket science."
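The name-or-hash alerting requested in this thread, as an added sketch that is not part of any post and is not ESET code: it checks each starting process against a directory-independent name pattern and a hash watch list, and shows which check catches a renamed copy and which catches an unlisted build. The function names, patterns, events and file contents are all constructed for the illustration.

```python
import fnmatch
import hashlib

# Hypothetical watch list. Patterns are lower-cased; "*" also spans backslashes,
# so r"*\psexec.exe" matches that file name in any directory.
NAME_PATTERNS = [r"*\psexec.exe", r"*\psloggedon.exe", r"*\procdump.exe"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for file contents; real hashes would come from hashing
# the binaries you actually want to watch.
BUILD_A = b"constructed stand-in: PsExec build A"
BUILD_B = b"constructed stand-in: PsExec build B"
HASH_WATCHLIST = {sha256_hex(BUILD_A): "PsExec"}


def check_process_start(image_path: str, image_sha256: str) -> list:
    """Return the reasons ("name", "hash") a starting process should alert."""
    reasons = []
    path = image_path.replace("/", "\\").lower()
    if any(fnmatch.fnmatchcase(path, p) for p in NAME_PATTERNS):
        reasons.append("name")
    if image_sha256.lower() in HASH_WATCHLIST:
        reasons.append("hash")
    return reasons


# Constructed process-start events: (image path, file contents).
EVENTS = [
    (r"C:\Tools\PsExec.exe", BUILD_A),           # listed build, usual name
    (r"C:\Users\Public\svc.exe", BUILD_A),       # renamed copy: only the hash matches
    (r"D:\temp\PsExec.exe", BUILD_B),            # unlisted build: only the name matches
    (r"C:\Windows\System32\notepad.exe", b"x"),  # unrelated process
]


def evaluate(events):
    return [(path, check_process_start(path, sha256_hex(data))) for path, data in events]


if __name__ == "__main__":
    for path, reasons in evaluate(EVENTS):
        print(f"{'ALERT' if reasons else 'ok':5} {path} {reasons}")
```

Neither check is sufficient alone: renaming the file defeats the name pattern, and any build not on the list defeats the hash lookup, which is why alerting on either match gives the wider coverage.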
