ivce

How to block psexec? [In progress]

Dear,

One of the recommendations related to the NotPetya infection is to block execution of psexec.

How can we perform it via KSC 10 and KES 10?

Regards,

Edited by ivce

Hi,

Please read this article: http://support.kaspersky.com/10905

And Application Privilege Control guide: https://help.kaspersky.com/KESWin/10SP2/en-US/39265.htm

Thank you!

Hi,

The first link is not for application startup control.

Appreciate if Kaspersky can provide a new category in the KSC named "PStools" so it would be easy to block from the application startup control.

Regards,

Yasir

There are two recommendations made by Kaspersky; they were to block execution of PSExec and Perfc.doc.

Please can someone explain how to do this using KSC 10 Policy.

Thanks

Hi,

At the moment we are preparing a detailed guide that describes all the settings you need to set in KSC.

Thank you!

In Kaspersky 'Application Management' under Advanced, create a new category. Call it 'PsExec'. The condition you create will be Metadata. psexesvc.exe is the metadata name of the file that you will block (not psexec.exe).

Next edit your active Kaspersky a/v policy and use the 'Application Startup Control' feature in the policy to deny the PsExec rule you created above for 'everyone'.

Note: My testing shows it to be an all or nothing rule. Trying to allow it for a single user or user group doesn't appear to work for psexec since it tries to use the 'nt authority\system' acct to start itself on remote computers regardless, even if you provide an authorized user acct on the psexec command line.
