CSA and Deny CMD.EXE

Answered Question
Oct 7th, 2009

Hi,

I am new to CSA and have been trying to figure out how to block the Windows cmd.exe process outright. Is anyone able to assist or point me in the right direction?

Thanks


jan.nielsen Wed, 10/07/2009 - 23:22

Are you sure you want to do that? If so, just do an application control rule, with priority deny, all applications try to run "cmd.exe".


Jan

niall-wilkins Thu, 10/08/2009 - 14:01

Hi,

Thanks for the response. So do I just modify one of the existing ones? If so, which one do I select, as I see about 4 of them under Desktops - All Types -> Combined Policy Rules. I have included a screenshot.



Attachment: 
Correct Answer
jan.nielsen Fri, 10/09/2009 - 13:22

No, you should never change the built-in ruleset unless needed. In this case, you need to create a Policy, a rule module, and add an application control rule with the info I gave you. You attach the policy to the group that your hosts are in, the rule module to the policy, and generate. Just be careful: CSA is a very powerful tool, and rules can have massive impact in your setup if you are not careful. Try it out on one machine first; this can be done by creating a group and assigning the new policy you just created to that, and then adding that group to the host.

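The "try it out on one machine first" step above can be checked from the pilot host itself. The PowerShell function below is an added example and is not from this thread or from Cisco; it simply attempts a harmless launch of cmd.exe and reports whether the launch went through or failed, so you can correlate the result with the event the CSA Management Center logs for the deny rule. It assumes that a CSA priority-deny application control rule surfaces as a failed process start (Start-Process throwing) rather than a prompt; the function and parameter names are the example's own.

```powershell
# Added example (not CSA's own tooling): confirm on the pilot host that the
# application-control deny rule actually stops cmd.exe from starting.
# Assumption: the deny manifests as a failed process creation, so Start-Process throws.
function Test-CmdExeBlocked {
    [CmdletBinding()]
    param(
        # Path of the binary the deny rule targets.
        [string]$Path = (Join-Path $env:SystemRoot 'System32\cmd.exe')
    )

    $result = [ordered]@{
        Path     = $Path
        Started  = $false
        ExitCode = $null
        Error    = $null
        Blocked  = $false
    }

    try {
        # Harmless command line: cmd.exe exits immediately with code 0.
        $proc = Start-Process -FilePath $Path -ArgumentList '/c exit 0' `
                              -WindowStyle Hidden -Wait -PassThru -ErrorAction Stop
        $result.Started  = $true
        $result.ExitCode = $proc.ExitCode
    } catch {
        # With the rule active on this host the launch itself is expected to fail.
        $result.Error   = $_.Exception.Message
        $result.Blocked = $true
    }

    [pscustomobject]$result
}

# Run it a few times so the matching deny events are easy to find in the
# CSA MC event log; Started = True means the rule is not taking effect here.
1..3 | ForEach-Object { Test-CmdExeBlocked } | Format-Table -AutoSize
```

Run it once before the policy is generated to the pilot group (expect Started = True) and once after (expect Blocked = True); if the second run still starts cmd.exe, the rule module is not attached to the policy or the host is not in the group the policy was assigned to.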
pmccubbin Fri, 10/09/2009 - 13:51

Jan,

You are spot-on. Never change a default rule whether it is CSA or MARS. If an application SA gives you the option of adding a new policy or cloning an old one (MARS) then you should take it.


A "5" from NYC.


Cheers!
