Jump to content

Blocking Specific Programs


Recommended Posts

Is it possible to prohibit the execution of a particular program? Depending on specific conditions such as file name, digital signature, company name.... etc. instead of a hash value.

Example: I want to disable the use of anydesk on my company's computers, is there a way to do this?

Link to comment
Share on other sites

Thanks @jia_yang reply.

I mentioned AnyDesk just as an example. Using a firewall to block network connections or blocking hash-based file are among the methods. However, personally, I don't consider these good approaches for users of ESET Inspect.

Given that using ESET Inspect allows us to detect when a client executes certain programs and ESET Inspect also has the capability to block files, why are there limitations on functionalities like KillProcess?

For instance, within ESET Inspect's built-in rule: "AnyDesk Remote Desktop Silent Installation [D0443]", this rule can detect silent installations of AnyDesk, and it's set to perform actions like KillProcess. However, when this event is triggered, it doesn't block the installation or execution of AnyDesk. Shouldn't it be blocked immediately if someone unauthorized attempts this?

Link to comment
Share on other sites

  • 2 weeks later...

The problem with the "AnyDesk Remote Desktop Silent Installation [D0443]" rule being broken is something called "Safety net". Before rule action such as KillProcess is executed several properties such as Signature Type is checked. If the executable has Signature Type "Trusted" the action is not taken. This is in theory to prevent accidental system instability by killing some system process. This applies only to automated actions, and not the Kill Process button in the Console.

Unfortunately it has side-effect with dual use tools such as AnyDesk, which sometimes can have signature type set to Trusted and it prevents their killing. You can specify names that bypass this safety net feature in the C:\Program Files\ESET\INSPECT Connector\eiconnector.ini and add anydesk.exe to the ReputationExceptions= key.

More granular controls are being worked on and also to be configurable from the console, to remediate this problem.

Additionally if you feel adventurous enough you could create a custom HIPS rule (Advanced Setup->HIPS->Rules) like this. Granted it'll work only with the default paths of AnyDesk installations, but that's often enough to stop unsophisticated adversary that is just following a playbook.

HIPS.png.3286657a3d26e74feb8e052868ff87c0.png HIPS2.png.b32977ca06d054a015e666182f0c2f71.png HIPS3.png.991ee7bf3d805983fa04f74db6ea5dd8.png HIPS4.png.fc09e1b6beb8be3f315d2cb925aef4f5.png

 

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...