
How to block psexec.exe using SEP firewall or IPS

Created: 23 Sep 2012 | 7 comments

We are looking for a way to block psexec.exe on the entire network using the firewall or IPS. But we don't want to block it using ADC.

We applied a rule in the firewall to block and log the traffic, but it's not working.

Rule that we created:

Block psexec.exe. Application-based rule in SEP firewall using file fingerprint.

Note: psexec is using the microsoft-ds port, so we cannot block the port since it's used for Microsoft Directory Services and a lot of stuff.

Is there a way to block the psexec.exe execution on the network using NTP?


Mohan Babu's picture

As I mentioned previously, I am able to block using ADC, but I would like to do it from NTP.

ADC is used to block psexec.exe from executing locally.

What if some attacker tries to connect to my PC remotely using psexec?

It is not possible to apply an ADC rule to the attacker's machine.

Is there a way in NTP?

 

Mohan Babu

moglie20@gmail.com

+91 9884382160

Your satisfaction is very important to us. If you find the above information helpful or it has resolved your issue, please mark it accordingly :)

Ashish-Sharma's picture

If you are going to use PSEXEC on a remote computer you need to open these ports:

- Ports 135 and 445 (TCP).

Try creating one firewall rule and blocking both TCP ports.

Check whether this rule is working or not.

 

Thanks In Advance

Ashish Sharma

 

 

.Brian's picture

If you block 445 and 139 you won't be able to use file sharing, just an FYI.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mohan Babu's picture

Ya, that is the problem: I cannot block the port since it's used for file sharing & Microsoft Directory Services.

Any options or suggestions other than this would be more helpful.

Mohan Babu


.Brian's picture

Obviously the easiest way to do this is to use ADC. But you said you don't want to.

You can't use the firewall because you block ports critical to file sharing.

The next best way is to use the IPS; however, you will need to write a custom signature to do this, as SEP does not have a signature for it.

You can set up 2 clients and install Wireshark on the destination PC. Do a display filter to filter on port 139 and 445. From here you can start to piece together a working signature to block psexec.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
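One way to work through the capture described in the reply above, as an added example that is not part of the original thread and is not SEP IPS signature syntax: it parses SMB2 CREATE requests seen on ports 139/445 and reports file names containing `PSEXESVC`. Assumptions: PsExec's default service/binary name is in use, the SMB2 traffic is not encrypted, and the packets, addresses and helper names below are constructed for illustration.

```python
import struct

SMB2_MAGIC, SMB2_CREATE = b"\xfeSMB", 0x0005
MARKER = "psexesvc"  # assumption: PsExec's default service/binary name is in use

def smb2_create_name(payload):
    """Return the file name carried by an SMB2 CREATE request, else None."""
    if len(payload) < 4 or payload[0] != 0:      # 4-byte session/transport header
        return None
    msg = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    if len(msg) < 120 or msg[:4] != SMB2_MAGIC:  # 64-byte header + 56-byte fixed body
        return None
    command, _credits, flags = struct.unpack_from("<HHI", msg, 12)
    if command != SMB2_CREATE or flags & 0x1:    # 0x1 = server-to-client response
        return None
    # NameOffset (from start of SMB2 header) and NameLength sit 44 bytes into the body
    name_off, name_len = struct.unpack_from("<HH", msg, 64 + 44)
    raw = msg[name_off:name_off + name_len]
    if len(raw) != name_len:                     # truncated segment
        return None
    return raw.decode("utf-16-le", errors="replace")

def scan(packets):
    """packets: (src, dst, dport, tcp_payload) tuples taken from a capture."""
    hits = []
    for src, dst, dport, payload in packets:
        if dport not in (139, 445):
            continue
        name = smb2_create_name(payload)
        if name and MARKER in name.lower():
            hits.append((src, dst, name))
    return hits

def build_create(name):
    """Build a constructed SMB2 CREATE request for the sample data below."""
    raw = name.encode("utf-16-le")
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 1, 0, SMB2_CREATE,
                                      1, 0, 0, 1, 0, 1, 1) + bytes(16)
    body = struct.pack("<HBBIQQIIIIIHHII", 57, 0, 0, 2, 0, 0, 0x12019F, 0,
                       7, 1, 0x40, 120, len(raw), 0, 0)
    msg = header + body + raw
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

SAMPLE = [  # constructed packets, documentation addresses
    ("192.0.2.10", "192.0.2.20", 445, build_create("PSEXESVC.exe")),
    ("192.0.2.11", "192.0.2.20", 445, build_create("reports\\q3.xlsx")),
    ("192.0.2.12", "192.0.2.20", 80, build_create("PSEXESVC.exe")),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A match on the default name is only a starting point for a signature: ordinary file-sharing traffic passes through untouched, but SMB3 encryption or a non-default service name would not be caught by this check.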

Mohan Babu's picture

Nice idea, Brian. Thanks in advance. This will take some time, but I will try that and let you know the status.

Mohan Babu
