itman

Question On Potentially Unsafe Application Protection

Will it alert on execution of SysInternals utilities such as PsExec, PsLoggedOn, and ProcDump, which provide remote execution, interactive logon enumeration, and dumping of credentials from the lsass.exe address space, respectively?

No. If you scan them with PUA detection enabled, they won't be detected.

How about adding an option to this protection where these and similar processes could be added by process name and executable hash value? An alert would be generated on either detection.

Blocking these processes via HIPS is next to impossible since they could be dropped into any directory and the HIPS doesn't support global wildcard specification, e.g. *\PsExec.exe.

Thinking about this a bit more, the ideal place to add such capability would be in LiveGrid settings.

Add a section where processes could be added to its existing blacklist. Ideally, many of these existing utilities would be preloaded and all one would have to do is enable them individually. Obviously the checking would be performed by executable hash which is how I assume LiveGrid performs such checks.

My understanding is that this should be possible with application control when integrated into products in the future.

4 hours ago, Marcos said:

My understanding is that this should be possible with application control when integrated into products in the future.

For me, the quickest interim solution to this would be to modify the HIPS to allow for a global wildcard specification such as *\PsExec.exe or *PsExec.exe. When the HIPS sees such a rule, it will check any starting process for a name match.

If limited-resource third-party solutions can do it, surely ESET can do so. As the saying goes, "it ain't rocket science."
