How to block psexec.exe using SEP firewall or IPS
Created: 23 Sep 2012
We are looking for a way to block psexec.exe on the entire network using the firewall or IPS, but we don't want to block it using ADC.
We applied a rule in the firewall to block and log the traffic, but it's not working.
The rule that we created:
Block psexec.exe. Application-based rule in SEP firewall using file fingerprint.
Note: psexec uses the microsoft-ds port, so we cannot block the port since it's used for Microsoft Directory Services and a lot of other stuff.
Is there a way to block psexec.exe execution on the network using NTP?
Comments
Check this download
Application Control Policy for psexec.exe
https://www-secure.symantec.com/connect/downloads/application-control-policy-psexecexe
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
As I mentioned previously, I am able to block it using ADC, but I would like to do it from NTP.
ADC is used to block psexec.exe from executing locally.
What if some attacker tries to connect to my PC remotely using psexec?
It is not possible to apply an ADC rule to the attacker's machine.
Is there a way in NTP?
Mohan Babu
moglie20@gmail.com
+91 9884382160
Your satisfaction is very important to us. If you find the above information helpful or it has resolved your issue, please mark it accordingly :)
If you are going to use PSEXEC on a remote computer, you need to open these ports:
- Ports 135 and 445 (TCP).
Try creating one firewall rule that blocks both TCP ports.
Check whether this rule works or not.
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
If you block 445 and 139 you won't be able to use file sharing, just an fyi
SEP Knowledge Base
Endpoint SWAT
Ya, that is the problem. I cannot block the port since it's used for file sharing and Microsoft Directory Services.
Any options or suggestions other than this would be more helpful.
Mohan Babu
Obviously the easiest way to do this is to use ADC. But you said you don't want to.
You can't use the firewall because you block ports critical to file sharing.
The next best way is to use the IPS; however, you will need to write a custom signature to do this, as SEP does not have a signature for it.
You can set up 2 clients and install Wireshark on the destination PC. Apply a display filter on ports 139 and 445. From here you can start to piece together a working signature to block psexec.
SEP Knowledge Base
Endpoint SWAT
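As an added example (not part of the original thread and not Symantec code), the following sketch searches a capture saved from Wireshark for a byte pattern that a custom signature could key on. It assumes a classic little-endian pcap file, unencrypted SMB on ports 139/445, and PsExec's default remote service name PSEXESVC; the function names and the sample frames are constructed for illustration.

```python
import struct
SMB_PORTS = {139, 445}
# Default PsExec service name, in both encodings SMB may carry it in.
NEEDLES = {"ascii": b"PSEXESVC", "utf-16le": "PSEXESVC".encode("utf-16le")}

def tcp_payloads(pcap):
    """Yield (dst_port, payload) per Ethernet/IPv4/TCP frame of a classic pcap."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected little-endian classic pcap")
    off = 24  # skip global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4/TCP
        tcp = 14 + (frame[14] & 0x0F) * 4
        if len(frame) < tcp + 20:
            continue  # truncated TCP header
        ip_end = 14 + struct.unpack_from("!H", frame, 16)[0]
        dport = struct.unpack_from("!H", frame, tcp + 2)[0]
        yield dport, frame[tcp + (frame[tcp + 12] >> 4) * 4:ip_end]

def find_psexec_markers(pcap):
    """Return (tcp_frame_index, dst_port, encoding, offset) for each match."""
    hits = []
    for n, (dport, payload) in enumerate(tcp_payloads(pcap)):
        if dport not in SMB_PORTS:
            continue
        upper = payload.upper()  # bytes.upper() only touches ASCII letters
        for enc, needle in NEEDLES.items():
            pos = upper.find(needle)
            if pos != -1:
                hits.append((n, dport, enc, pos))
    return hits

def _frame(dport, payload):  # builds one constructed pcap record
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6,
                     0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 49152, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    data = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(data), len(data)) + data

def sample_pcap():
    """Constructed capture: one PSEXESVC-like frame, one benign, one non-SMB."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
        _frame(445, b"\xfeSMB" + bytes(8) + "\\PSEXESVC.exe".encode("utf-16le")),
        _frame(445, b"\xfeSMB" + bytes(8) + "report.docx".encode("utf-16le")),
        _frame(80, b"GET /PSEXESVC HTTP/1.1\r\n")])
```

The reported encoding and offset show which byte string recurs in the PsExec session and is absent from ordinary file-sharing frames, which is the candidate content for a custom signature. A match on the default name will miss a renamed service (PsExec's `-r` option) and cannot see inside encrypted SMB3 sessions.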
Nice idea, Brian. Thanks in advance. This will take some time, but I will try that and let you know the status.
Mohan Babu