sdnian, posted January 2:

Is it possible to prohibit the execution of a particular program, depending on specific conditions such as file name, digital signature, company name, etc., instead of a hash value? Example: I want to disable the use of AnyDesk on my company's computers. Is there a way to do this?
jia_yang, posted January 3:

Firewall service deny, or give it a try.
sdnian (author), posted January 3:

Thanks for the reply, @jia_yang. I mentioned AnyDesk just as an example. Using a firewall to block network connections or hash-based file blocking are among the methods. However, personally, I don't consider these good approaches for users of ESET Inspect. Given that using ESET Inspect allows us to detect when a client executes certain programs, and ESET Inspect also has the capability to block files, why are there limitations on functionalities like KillProcess? For instance, within ESET Inspect's built-in rule "AnyDesk Remote Desktop Silent Installation [D0443]", this rule can detect silent installations of AnyDesk, and it's set to perform actions like KillProcess. However, when this event is triggered, it doesn't block the installation or execution of AnyDesk. Shouldn't it be blocked immediately if someone unauthorized attempts this?
j91321 (ESET Staff), posted January 11:

The problem with the "AnyDesk Remote Desktop Silent Installation [D0443]" rule being broken is something called "Safety net". Before a rule action such as KillProcess is executed, several properties such as Signature Type are checked. If the executable has Signature Type "Trusted", the action is not taken. This is in theory to prevent accidental system instability by killing some system process. This applies only to automated actions, and not the Kill Process button in the Console. Unfortunately it has a side effect with dual-use tools such as AnyDesk, which can sometimes have signature type set to Trusted, and that prevents them from being killed. You can specify names that bypass this safety net feature in C:\Program Files\ESET\INSPECT Connector\eiconnector.ini by adding anydesk.exe to the ReputationExceptions= key. More granular controls are being worked on, and they will also be configurable from the console, to remediate this problem. Additionally, if you feel adventurous enough, you could create a custom HIPS rule (Advanced Setup->HIPS->Rules) like this. Granted, it'll work only with the default paths of AnyDesk installations, but that's often enough to stop an unsophisticated adversary who is just following a playbook.
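An added example (not ESET's code and not from this thread) of applying the ReputationExceptions change idempotently, for instance when pushing it to many endpoints. The thread does not state the section the key sits in or how multiple names are separated, so the script matches the key by name regardless of section and assumes a comma-separated list; confirm both against a real eiconnector.ini before rolling it out.

```python
import re
from pathlib import Path

KEY = "ReputationExceptions"

# Constructed sample of an eiconnector.ini; the section name and the
# comma separator are assumptions, not taken from ESET documentation.
SAMPLE_INI = """[Connector]
SomeOtherSetting=1
ReputationExceptions=teamviewer.exe
"""


def add_reputation_exception(text: str, name: str) -> str:
    """Return the INI text with `name` added to the ReputationExceptions key.
    File names are compared case-insensitively (Windows); an entry that is
    already present leaves the text untouched, and a missing key is appended."""
    lines = text.splitlines()
    pattern = re.compile(rf"^\s*{KEY}\s*=(.*)$", re.IGNORECASE)
    for i, line in enumerate(lines):
        m = pattern.match(line)
        if not m:
            continue
        # Comma-separated list assumed; strip whitespace and empty entries.
        values = [v.strip() for v in m.group(1).split(",") if v.strip()]
        if name.lower() in (v.lower() for v in values):
            return text  # already excepted from the safety net, nothing to do
        values.append(name)
        lines[i] = f"{KEY}={','.join(values)}"
        return "\n".join(lines) + "\n"
    # Key absent: append it so the connector reads it on the next load.
    lines.append(f"{KEY}={name}")
    return "\n".join(lines) + "\n"


def update_file(path: Path, name: str) -> bool:
    """Edit the INI in place; returns True only if the file was changed."""
    original = path.read_text(encoding="utf-8")
    updated = add_reputation_exception(original, name)
    if updated == original:
        return False
    path.write_text(updated, encoding="utf-8")
    return True


if __name__ == "__main__":
    # Default path quoted in the thread; needs administrative rights to write.
    ini = Path(r"C:\Program Files\ESET\INSPECT Connector\eiconnector.ini")
    print("changed" if update_file(ini, "anydesk.exe") else "already present")
```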