CSA and Deny CMD.EXE

Answered Question
Oct 7th, 2009

Hi,

I am new to CSA and have been trying to figure out how to block the Windows cmd.exe process outright. Is anyone able to assist or point me in the right direction?

Thanks

jan.nielsen Wed, 10/07/2009 - 23:22

Are you sure you want to do that? If so, just create an application control rule, with priority deny, for all applications trying to run "cmd.exe".

Jan

niall-wilkins Thu, 10/08/2009 - 14:01

Hi,

Thanks for the response. So do I just modify one of the existing ones? If so, which one do I select, as I see about 4 of them under Desktops - All Types -> Combined Policy Rules? I have included a screenshot.

Attachment: 
Correct Answer
jan.nielsen Fri, 10/09/2009 - 13:22

No, you should never change the built-in ruleset unless needed. In this case, you need to create a Policy, a rule module, and add an application control rule with the info I gave you. You attach the policy to the group that your hosts are in, the rule module to the policy, and generate. Just be careful: CSA is a very powerful tool, and rules can have a massive impact on your setup if you are not careful. Try it out on one machine first; this can be done by creating a group and assigning the new policy you just created to that, and then adding that group to the host.
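
The advice above is to pilot the new deny rule on a single host before attaching the policy to the wider group. The following PowerShell snippet is an added example (it is not from this thread and not a Cisco-provided tool) for confirming on that pilot host that the application control rule actually refuses cmd.exe. It assumes the agent enforces a priority-deny rule by refusing process creation, so Start-Process fails with an access-denied error; the path to cmd.exe is the default System32 location and is a parameter you can adjust.

```powershell
# Added example, not from the original thread: check on the pilot host whether
# the CSA application control rule denies cmd.exe. Run this from a PowerShell
# console (not from a cmd.exe window, which the rule would already block).
function Test-CmdExeDenied {
    param(
        # Assumed default location of cmd.exe; change it if your rule targets
        # a different path.
        [string]$CmdPath = (Join-Path $env:SystemRoot 'System32\cmd.exe')
    )
    try {
        # Attempt to launch cmd.exe with a harmless command. If the deny rule
        # fires, process creation itself is refused and Start-Process throws
        # (assumption: the agent surfaces the denial as an access-denied error).
        $proc = Start-Process -FilePath $CmdPath -ArgumentList '/c', 'exit 0' `
                -WindowStyle Hidden -PassThru -Wait -ErrorAction Stop
        return [pscustomobject]@{
            Denied = $false
            Detail = "cmd.exe started and exited with code $($proc.ExitCode); rule NOT in effect"
        }
    }
    catch {
        return [pscustomobject]@{
            Denied = $true
            Detail = "launch refused: $($_.Exception.Message)"
        }
    }
}

# Report the result; Denied should be True once the policy has been generated
# and pulled down by the agent on this host.
Test-CmdExeDenied | Format-List
```

A Denied result of False means the agent has not yet picked up the generated policy (or the rule module is attached to a policy this host's group does not use), so check the host's group membership and policy assignment in the Management Center before rolling out. The Management Center's event log remains the authoritative record of which rule fired; this script only confirms the effect on the host itself.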

pmccubbin Fri, 10/09/2009 - 13:51

Jan,

You are spot-on. Never change a default rule whether it is CSA or MARS. If an application SA gives you the option of adding a new policy or cloning an old one (MARS) then you should take it.

A "5" from NYC.

Cheers!
