This is an Application Control Policy used to block psexec.exe.
The policy blocks psexec.exe based on:
- fingerprint
- services/processes
- filename
The action is Block and the notification is set to display a pop-up.
There is a built-in exception (a "backdoor") in the policy: if you run psexec with the following argument, SEP will allow it to run:
psexec -ed
To import the policy, you will first want to download the .dat policy file.
1. Open the Application Control Policy view that displays the various pre-built templates.
2. Right-click in the white area and select Import Policy.
3. Select this .dat file (unzip the downloaded file first).
4. It will notify you that the name is the same as another policy's; just enter any new name and click OK.
5. You will get two more notifications about the name being the same; just cancel these.
6. The policy should now have been added to all of the templates.
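The steps above are console-only, so there is nothing on the page to show how the imported rules line up with the psexec.exe actually on a test machine. The PowerShell below is an added example, not part of this KB or of the .dat policy: it reports the values the three rule conditions work from (file name, and the MD5 and SHA-256 hashes; MD5 is, to my understanding, what SEP fingerprint lists have historically used, and SHA-256 is included in case the policy was built with it) and then records how a harmless test launch behaves with and without the -ed argument. The path in $PsExecPath and the value of $ExpectedMd5 are assumptions: replace them with your own location and the fingerprint shown for the rule in the console.

```powershell
# Added verification script for the psexec.exe blocking policy described above.
# Not part of the KB or its .dat policy. Assumptions (not from the KB):
#   - psexec.exe is at $PsExecPath
#   - $ExpectedMd5 is the fingerprint stored in the policy (read it from the console)
param(
    [string]$PsExecPath  = 'C:\Tools\PsTools\psexec.exe',               # assumed location
    [string]$ExpectedMd5 = '00000000000000000000000000000000'             # placeholder, replace
)

function Get-PsExecIdentity {
    # Collects the attributes the policy's conditions can key on: the name on
    # disk (filename rule) and the file hashes (fingerprint rule). Version
    # information is included so a renamed or different build is easy to spot.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path             = $item.FullName
        FileName         = $item.Name
        OriginalFilename = $item.VersionInfo.OriginalFilename
        FileVersion      = $item.VersionInfo.FileVersion
        MD5              = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
        SHA256           = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    }
}

function Test-PsExecLaunch {
    # Launches psexec.exe with the given arguments and reports whether the
    # process started at all. When Application Control blocks the launch,
    # Start-Process typically fails (access denied) rather than returning a
    # process, so compare the two results below rather than reading ExitCode alone.
    param([string]$Path, [string[]]$Arguments)
    try {
        $p = Start-Process -FilePath $Path -ArgumentList $Arguments `
                           -PassThru -Wait -NoNewWindow -ErrorAction Stop
        [pscustomobject]@{ Arguments = ($Arguments -join ' '); Started = $true;  ExitCode = $p.ExitCode; Error = $null }
    } catch {
        [pscustomobject]@{ Arguments = ($Arguments -join ' '); Started = $false; ExitCode = $null;       Error = $_.Exception.Message }
    }
}

$identity = Get-PsExecIdentity -Path $PsExecPath
$identity | Format-List

if ($identity.MD5 -ne $ExpectedMd5.ToLower()) {
    Write-Warning ('MD5 {0} does not match the fingerprint in the policy; ' +
                   'the fingerprint condition will not match this binary ' +
                   '(the filename and process conditions may still fire).') -f $identity.MD5
}

# A local, read-only command so that a launch which is allowed proves nothing
# beyond "it ran". The second call adds the -ed argument the KB describes.
$baseArgs = @('-accepteula', '\\localhost', 'ipconfig')
Test-PsExecLaunch -Path $PsExecPath -Arguments $baseArgs
Test-PsExecLaunch -Path $PsExecPath -Arguments (@('-ed') + $baseArgs)
```

Run it on a test machine with the policy assigned. If the hash warning appears, the copy of psexec.exe you are testing with is not the build the fingerprint was taken from, which changes what the first launch result tells you; if both launches behave the same, check the rule's argument condition in the console before concluding anything about the exception.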
Hi, I imported the policy and ran the following command: psexec -ed \\computername ipconfig
The policy blocks and notifies, but the -ed doesn't bypass. I also did a checksum on the psexec that I have and it matches up. Anything else I could be missing?
Thanks
Nice KB.
Nicely shared. I will try the same on a test server.