Endpoint Protection

  • 1.  Blocking powershell using SEP ADC, anybody has success story?

    Posted Jul 23, 2018 03:32 AM

    Hi All,

    Any idea or base ADC, as per the above subject, that can be used?

    Thanks



  • 2.  RE: Blocking powershell using SEP ADC, anybody has success story?

    Posted Jul 23, 2018 08:25 AM

    I just ran a test by adding powershell.exe to the default "Block applications from running [AC1]" rule, and this worked fine. Are you experiencing problems?

    See attached picture of the dialog box I get from a successful block of powershell using SEP.



  • 3.  RE: Blocking powershell using SEP ADC, anybody has success story?

    Posted Jul 23, 2018 08:39 AM

    Oh yeah, don't forget to do powershell_ise.exe as well (if you're trying to stop powershell in general).



  • 4.  RE: Blocking powershell using SEP ADC, anybody has success story?

    Posted Jul 23, 2018 11:02 AM

    Hi ins007,

    Here's an article with lots of good resources and links:

    What You Can Do About Powershell Threats
    https://www.symantec.com/connect/articles/what-you-can-do-about-powershell-threats



  • 5.  RE: Blocking powershell using SEP ADC, anybody has success story?

    Posted Jul 23, 2018 11:45 AM

    Thanks for the input.

    Will start labbing soon. I do notice there are quite a number of articles shared, e.g.


    https://www.symantec.com/connect/articles/preventing-powershell-running-office

    https://www.symantec.com/connect/articles/block-and-detect-advanced-threats-using-symantec-application-control-rules

    Just curious, is there any big difference if we block generically (powershell_ise.exe & powershell.exe) compared to the samples in the links mentioned?

    Broader coverage but more false positives? For a strict environment this would be good, right?


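An added illustration of the trade-off raised in the question above (not code from the thread, and not SEP's rule engine): a toy model that runs the two strategies, a generic block of both PowerShell images versus a narrower block of PowerShell launched by an Office parent, over a constructed set of process-creation events. The image names, parent process names and ground-truth labels are assumptions chosen for the sample.

```python
"""Toy comparison of a generic PowerShell block vs. an Office-parent block.

Constructed sample events only; this is a model of the trade-off, not SEP ADC.
"""
from dataclasses import dataclass

# Image names the thread says to block (posts 2 and 3).
POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe"}
# Assumed Office parent processes for the narrower "from Office" rule.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


@dataclass(frozen=True)
class ProcEvent:
    image: str        # basename of the launched executable
    parent: str       # basename of the parent process
    user: str         # account that launched it
    legitimate: bool  # ground-truth label for this constructed sample


def generic_block(ev: ProcEvent) -> bool:
    """Deny powershell.exe / powershell_ise.exe regardless of parent."""
    return ev.image.lower() in POWERSHELL_IMAGES


def office_child_block(ev: ProcEvent) -> bool:
    """Deny PowerShell only when an Office application is the parent."""
    return generic_block(ev) and ev.parent.lower() in OFFICE_PARENTS


def evaluate(rule, events):
    """Return (blocked_malicious, blocked_legitimate, missed_malicious)."""
    tp = fp = fn = 0
    for ev in events:
        hit = rule(ev)
        if hit and not ev.legitimate:
            tp += 1          # unwanted launch stopped
        elif hit and ev.legitimate:
            fp += 1          # admin/service work broken (false positive)
        elif not hit and not ev.legitimate:
            fn += 1          # unwanted launch slipped through
    return tp, fp, fn


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("powershell.exe", "winword.exe", "alice", legitimate=False),
    ProcEvent("powershell.exe", "explorer.exe", "bob-admin", legitimate=True),
    ProcEvent("powershell_ise.exe", "explorer.exe", "bob-admin", legitimate=True),
    ProcEvent("powershell.exe", "excel.exe", "carol", legitimate=False),
    ProcEvent("POWERSHELL.EXE", "cmd.exe", "svc-backup", legitimate=True),
    ProcEvent("powershell.exe", "wscript.exe", "dave", legitimate=False),
    ProcEvent("notepad.exe", "explorer.exe", "alice", legitimate=True),
]

if __name__ == "__main__":
    for name, rule in (("generic", generic_block), ("office-child", office_child_block)):
        tp, fp, fn = evaluate(rule, SAMPLE_EVENTS)
        print(f"{name:13s} blocked-malicious={tp} blocked-legitimate={fp} missed={fn}")
```

On the sample the generic rule stops every unwanted launch but also blocks the admin and service launches, while the Office-parent rule breaks nothing legitimate but misses the launch that did not come from Office.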

  • 6.  RE: Blocking powershell using SEP ADC, anybody has success story?

    Posted Jul 23, 2018 11:50 AM

    SEP is fine for blocking but PowerShell should really be restricted in the environment to only those who need it:

    https://technet.microsoft.com/en-us/library/2007.09.powershell.aspx

    PowerShell Web Access Gateway is something to be looked at:

    https://searchservervirtualization.techtarget.com/definition/Microsoft-Windows-PowerShell-Web-Access-Windows-PWA