Endpoint Protection

  • 1.  How to block psexec.exe using SEP firewall or IPS

    Posted Sep 23, 2012 10:18 PM

    We are looking for a way to block psexec.exe on the entire network using the firewall or IPS, but we don't want to block it using ADC.

    We applied a rule in the firewall to block and log the traffic, but it's not working.

    The rule that we created:

    Block psexec.exe: an application-based rule in the SEP firewall using the file fingerprint.

    Note: psexec uses the microsoft-ds port, so we cannot block the port since it's used for Microsoft Directory Services and a lot of other stuff.

    Is there a way to block psexec.exe execution on the network using NTP?



  • 2.  RE: How to block psexec.exe using SEP firewall or IPS

    Posted Sep 23, 2012 10:23 PM

    Check this download

    Application Control Policy for psexec.exe

    https://www-secure.symantec.com/connect/downloads/application-control-policy-psexecexe



  • 3.  RE: How to block psexec.exe using SEP firewall or IPS

    Posted Sep 23, 2012 10:41 PM

    As I mentioned previously, I am able to block it using ADC, but I would like to do it from NTP.

    ADC is used to block psexec.exe from executing locally.

    What if some attacker tries to connect to my PC remotely using psexec?

    It is not possible to apply an ADC rule to the attacker's machine.

    Is there a way in NTP?

     



  • 4.  RE: How to block psexec.exe using SEP firewall or IPS

    Posted Sep 23, 2012 11:14 PM

    If you are going to use PSEXEC on a remote computer, you need to open these ports:

    - Ports 135 and 445 (TCP).

    Try creating one firewall rule to block both TCP ports.

    Check whether this rule works or not.

     



  • 5.  RE: How to block psexec.exe using SEP firewall or IPS

    Posted Sep 24, 2012 09:10 AM

    If you block 445 and 139 you won't be able to use file sharing, just an FYI.



  • 6.  RE: How to block psexec.exe using SEP firewall or IPS

    Posted Sep 24, 2012 08:26 PM

    Yeah, that is the problem: I cannot block the port since it's used for file sharing & Microsoft Directory Services...

    Any options or suggestions other than this would be more helpful...



  • 7.  RE: How to block psexec.exe using SEP firewall or IPS

    Posted Sep 24, 2012 09:25 PM

    Obviously the easiest way to do this is to use ADC. But you said you don't want to.

    You can't use the firewall because you block ports critical to file sharing.

    The next best way is to use the IPS; however, you will need to write a custom signature to do this, as SEP does not have a signature for it.

    You can set up 2 clients and install Wireshark on the destination PC. Apply a display filter on ports 139 and 445. From here you can start to piece together a working signature to block psexec.
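
The capture-driven approach suggested in post 7, as an added example that is not part of the original thread and is not SEP signature syntax: a Python check that parses an SMB2 CREATE request as seen on port 445 and flags a file name containing PsExec's default service binary name. It assumes SMB2 traffic and the default name `PSEXESVC`; the function names are hypothetical and the sample messages are constructed.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_CREATE = 0x0005
SMB2_HDR_LEN = 64
# Assumption: PsExec's default service binary name; a renamed copy will not match.
INDICATOR = "psexesvc"

def smb2_create_name(msg: bytes):
    """Return the file name requested by an SMB2 CREATE request, else None."""
    # On TCP 445 each message follows a 4-byte transport length prefix.
    if msg[:1] == b"\x00" and msg[4:8] == SMB2_MAGIC:
        msg = msg[4:]
    if len(msg) < SMB2_HDR_LEN + 56 or msg[:4] != SMB2_MAGIC:
        return None
    (command,) = struct.unpack_from("<H", msg, 12)
    (flags,) = struct.unpack_from("<I", msg, 16)
    if command != SMB2_CREATE or flags & 0x1:  # bit 0 set = server response
        return None
    # NameOffset/NameLength sit 44 bytes into the CREATE body; the offset
    # is counted from the start of the SMB2 header.
    name_off, name_len = struct.unpack_from("<HH", msg, SMB2_HDR_LEN + 44)
    if name_off < SMB2_HDR_LEN + 56 or name_off + name_len > len(msg):
        return None  # truncated or malformed request
    return msg[name_off:name_off + name_len].decode("utf-16-le", "replace")

def looks_like_psexec(msg: bytes) -> bool:
    """True when a CREATE request names the PsExec service binary or pipe."""
    name = smb2_create_name(msg)
    return name is not None and INDICATOR in name.lower()

def build_create(name: str, prefix: bool = False) -> bytes:
    """Constructed sample input: a minimal SMB2 CREATE request for `name`."""
    raw = name.encode("utf-16-le")
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0,
                         SMB2_CREATE, 1, 0, 0, 1, 0, 1, 1, b"\x00" * 16)
    body = struct.pack("<HBBIQQIIIIIHHII", 57, 0, 0, 2, 0, 0,
                       0x0012019F, 0, 7, 1, 0, 120, len(raw), 0, 0)
    msg = header + body + raw
    return (b"\x00" + len(msg).to_bytes(3, "big") + msg) if prefix else msg

if __name__ == "__main__":
    for sample in ("PSEXESVC.exe", "reports\\q3.xlsx"):
        print(sample, looks_like_psexec(build_create(sample, prefix=True)))
```

Because the match is on a file name carried inside SMB rather than on the port, ordinary file sharing over 445 is not flagged.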



  • 8.  RE: How to block psexec.exe using SEP firewall or IPS

    Posted Sep 25, 2012 09:40 PM

    Nice idea, Brian... Thanks in advance; this will take some time... but I will try that and let you know the status...