puthearith070

How to block command line and allow batch scripts in Kaspersky Embedded? [In progress]

25 posts in this topic

Hi,

I have just installed and tested the application whitelist on Kaspersky Embedded, but I don't know whether there are any options or ways to allow batch scripts and block opening CMD.EXE in Kaspersky Embedded.

Any guides for that?

BR,

Thearith

Hi,

Please create an incident via CompanyAccount for your question.

Thank you!

Hi,

Because I think my question was not an incident and didn't require support there.

Oh, I see we can also ask questions about Kaspersky products there.

Thank you, I will put the question there.

Thank you!

Hi,

Please tell us the number of that request.

Thank you!

Hi,

I have created it as below:

"Your request has been created. Request ID: INC000007402427"

Thank you!

Hello Thearith,

It is impossible to block CMD.EXE but leave the possibility to launch the batch scripts - as the CMD.EXE is the one that interprets them.

The only way to do that would be to rewrite the batch scripts into JavaScript or VBScript - those do not depend on CMD.EXE.

I think some batch scripts cannot be converted to JavaScript or VBScript.

Anyway, I will use another way to do that by using group policy.

Thanks for your info.

Hello Oleg,

Can KESS 2.0 solve that issue now?

Thanks,
Thearith

1 hour ago, puthearith070 said:

Hello Oleg,

Can KESS 2.0 solve that issue now?

Thanks,
Thearith

We are clarifying this possibility with the responsible specialist. Please expect a reply within this topic soon.

Thank you.

2 hours ago, puthearith070 said:

Hello Oleg,

Can KESS 2.0 solve that issue now?

Thanks,
Thearith

The suggested way of doing this is the following:

1. Create an allowing rule for a dedicated user (other than Everyone) to run cmd.exe; this should be used to run scripts
2. For Everyone (allowed to start anything with a digital signature by MS), create a SHA256-based exclusion for cmd.exe (to prevent it from running otherwise).

Thank you.

"Issuer":"O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"

Above is a digital signature by MS, right?

Hi,

I think I need to generate choose on Digital certificate from the task, and then need to exclude the CMD.exe as SHA256-based on several MD Digital Signature, right?

Please refer to the attachment; if you have any suggestions, please kindly let me know.

Thanks,

thearith

2017_07_17_16_54_46_Kaspersky_Security_Center_10.jpg

Digital Signature.jpg

24 minutes ago, puthearith070 said:

Hi,

I think I need to generate choose on Digital certificate from the task, and then need to exclude the CMD.exe as SHA256-based on several MD Digital Signature, right?

Please refer to the attachment; if you have any suggestions, please kindly let me know.

Thanks,

thearith

Yes, there needs to be a global rule for Everyone to allow applications with this signature, a specific blocking rule for Everyone by the SHA256 hash of CMD.EXE, and a specific allow rule for a specially dedicated user to start CMD.EXE. Scripts then need to be run on behalf of that particular user.

Thank you.
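
To build the SHA256-based blocking rule described above, every distinct cmd.exe binary on the machine has to be covered; a 64-bit Windows installation carries a separate 32-bit copy under SysWOW64. The following PowerShell script is an added example, not part of the original thread and not a Kaspersky tool. It assumes PowerShell 4.0 or later and the default Windows directory layout, and uses only built-in cmdlets.

```powershell
# Added example (not from the thread): list every distinct cmd.exe build on this host.
# Assumes Windows PowerShell 4.0+ (Get-FileHash) and a default Windows directory layout.
function Get-CmdExeInventory {
    param(
        [string[]]$SearchRoots = @(
            (Join-Path $env:windir 'System32'),
            (Join-Path $env:windir 'SysWOW64'),   # 32-bit copy on 64-bit Windows
            (Join-Path $env:windir 'WinSxS')      # component store copies
        )
    )

    # Collect every file named cmd.exe under the roots that exist on this machine.
    $files = foreach ($root in $SearchRoots) {
        if (Test-Path -LiteralPath $root) {
            Get-ChildItem -LiteralPath $root -Filter 'cmd.exe' -File -Recurse -ErrorAction SilentlyContinue
        }
    }

    # Record the hash and the signing certificate details for each copy.
    foreach ($file in $files) {
        $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            Path            = $file.FullName
            SHA256          = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            FileVersion     = $file.VersionInfo.FileVersion
            SignatureStatus = $sig.Status
            Subject         = if ($cert) { $cert.Subject } else { $null }
            Issuer          = if ($cert) { $cert.Issuer } else { $null }
        }
    }
}

# One row per distinct binary: each hash listed here needs its own entry in the blocking rule.
Get-CmdExeInventory |
    Group-Object -Property SHA256 |
    ForEach-Object {
        [pscustomobject]@{
            SHA256      = $_.Name
            FileVersion = $_.Group[0].FileVersion
            Issuer      = $_.Group[0].Issuer
            Copies      = $_.Count
            Paths       = $_.Group.Path -join '; '
        }
    } |
    Format-List
```

The hash of cmd.exe changes whenever a Windows update replaces the binary, so the inventory has to be repeated and the blocking rule updated after patching.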

The dedicated user for starting CMD.EXE and batch scripts is the same user, right? Because in my situation the current user logs on as the Administrator user.

1 hour ago, puthearith070 said:

The dedicated user for starting CMD.EXE and batch scripts is the same user, right? Because in my situation the current user logs on as the Administrator user.

The dedicated user account is required so that scripts (still via cmd) can be started under it, while the user that interactively logs into the system will have no access to cmd.

Thank you.

But my situation is that the user Administrator is used to log on and also to run batch scripts. In particular, the system supports only the Administrator user privilege.

If we compare digital signature and SHA-256, which one is more secure? Please advise.

Thanks!

Hi,

Please use SHA-256.

Thank you!

If we use SHA-256, can it consume more memory than Digital certificate in KESS?

Hi,

The mentioned scenario hasn't been tested. For what reason do you want to get this information?

Thank you!

Hi,

Because I want to set up application control more securely on an ATM machine where RAM and CPU resources are limited.

Thank you!

Yes, I am using it on my ATMs, but I just want to know the comparison: which one is more secure, and the performance as well.

2 hours ago, puthearith070 said:

Yes, I am using it on my ATMs, but I just want to know the comparison: which one is more secure, and the performance as well.

Hello.

You can find both features of KESS and its system requirements on the support site page, as well as compare those with KES. Naturally, KES has more features but has a higher demand for resources.

Thank you.

Hi,

After I installed KESS with default deny on SHA-256, it takes around 130MB of RAM, which is acceptable, but I haven't yet tested how much a full scan takes because the task always failed as below:

Internal task error occurred. Error code: 0x0007. Subsystem code: 0x6 (WP). For more details go to the Kaspersky Lab Technical Support site: https://click.kaspersky.com/?hl=en-US&link=error&pid=ess&version=2.0.0.0&error=B6X7X1X126X

Also, I created the incident INC000008046296 yesterday.

Thank you!