itman, posted May 15, 2018:
Will it alert on execution of SysInternals utilities such as PsExec, PsLoggedOn, and ProcDump, which provide remote execution, interactive logon enumeration, and dumping of credentials within the lsass.exe address space respectively?
Marcos (Administrator), posted May 15, 2018:
No. If you scan them with PUA detection enabled, they won't be detected.
itman (author), posted May 15, 2018:
How about adding an option to this protection where these and similar processes could be added by process name and executable hash value? An alert would be generated on either detection. Blocking these processes via HIPS is next to impossible since they could be dropped into any directory, and the HIPS doesn't support global wildcard specification, e.g. *\PsExec.exe.
itman (author), posted May 16, 2018:
Thinking about this a bit more, the ideal place to add such a capability would be in the LiveGrid settings. Add a section where processes could be added to its existing blacklist. Ideally, many of these existing utilities would be preloaded and all one would have to do is enable them individually. Obviously the checking would be performed by executable hash, which is how I assume LiveGrid performs such checks.
Marcos (Administrator), posted May 16, 2018:
My understanding is that this should be possible with application control when integrated into products in the future.
itman (author), posted May 16, 2018:
4 hours ago, Marcos said: "My understanding is that this should be possible with application control when integrated into products in the future."

For me, the quickest interim solution to this would be to modify the HIPS to allow for a global wildcard specification such as *\PsExec.exe or *PsExec.exe. When the HIPS sees such a pattern, it will check any starting process for a name match. If third-party solutions with limited resources can do it, surely Eset can do so. As the saying goes, "it ain't rocket science."
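The detection logic the thread asks for, written out as an added example (not ESET's code, nor anything the product does today): a watchlist keyed by a path wildcard in the *\PsExec.exe form and by executable hash, where either match alone raises an alert. The process-start events, the patterns and the hash set are all constructed for the demo; real deployments would hold SHA-256 hashes of the actual tool releases and read the image bytes from disk.

```python
import fnmatch
import hashlib
from dataclasses import dataclass

# Constructed watchlist of the Sysinternals tools named in the thread;
# patterns use the "*\PsExec.exe" global-wildcard form proposed there.
NAME_PATTERNS = ["*\\PsExec.exe", "*\\PsLoggedOn.exe", "*\\procdump*.exe"]

# Constructed hash set: SHA-256 of placeholder bytes standing in for a binary.
KNOWN_HASHES = {hashlib.sha256(b"placeholder PsExec image").hexdigest()}


@dataclass
class ProcessStart:
    """Constructed process-start event; image bytes are embedded for the demo."""
    image_path: str
    image_bytes: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def name_matches(image_path: str) -> bool:
    """Case-insensitive glob match (Windows paths are case-insensitive);
    forward slashes are normalised so a '*\\x.exe' pattern still applies."""
    path = image_path.replace("/", "\\").lower()
    return any(fnmatch.fnmatchcase(path, p.lower()) for p in NAME_PATTERNS)


def evaluate(event: ProcessStart) -> list:
    """Return the reasons this start should alert (empty list = no alert).
    Either criterion on its own is enough, as the thread requests: the name
    catches a tool in any directory, the hash catches a renamed copy."""
    reasons = []
    if name_matches(event.image_path):
        reasons.append("name")
    if sha256_hex(event.image_bytes) in KNOWN_HASHES:
        reasons.append("hash")
    return reasons


if __name__ == "__main__":
    events = [
        ProcessStart(r"C:\Users\bob\Downloads\PsExec.exe", b"unrelated bytes"),
        ProcessStart(r"C:\Temp\svc.exe", b"placeholder PsExec image"),  # renamed copy
        ProcessStart(r"C:\Windows\System32\notepad.exe", b"notepad bytes"),
    ]
    for ev in events:
        print(ev.image_path, "->", evaluate(ev) or "no alert")
```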