Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
665
Views
5
Helpful
4
Replies

CSA and Deny CMD.EXE

Go to solution
niall-wilkins
Level 1
Level 1

‎10-07-2009 04:43 PM - edited ‎03-09-2019 10:37 PM

Hi,

I am new to CSA and have been trying to figure out how to block the Windows cmd.exe process outright? Is anyoneableto assist or point me in the right direction

thanks?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jan.nielsen
Level 7
Level 7
In response to niall-wilkins

‎10-09-2009 01:22 PM

No, you should never change the built-in ruleset unless needed, in this case, you need to create a Policy, a rule module, and add an application control rule with the info i gave you. You attach the policy to the group that your hosts are in, the rule module to the policy, and generate. Just be carefull, CSA is a very powerful tool, and rules can have massive impact in your setup if you are not careful. Try it out on one machine first, this can be done be creating a group and assigning the new policy you just created to that, and then add that group to the host.

View solution in original post

4 Replies 4

Go to solution
jan.nielsen
Level 7
Level 7

‎10-07-2009 11:22 PM

Are you sure you wan't to do that ? if so, just do a application control rule, with priority deny, all applications try to run "cmd.exe"

Jan

0 Helpful

Go to solution
niall-wilkins
Level 1
Level 1
In response to jan.nielsen

‎10-08-2009 02:01 PM

Hi,

Thanks for the response. So do I just modify one of the existing ones? If so which one do I select as I see about 4 of them from the Desktops - All Types -> Combined Policy Rules. I have included a screen shot

Preview file
180 KB
0 Helpful

Go to solution
jan.nielsen
Level 7
Level 7
In response to niall-wilkins

‎10-09-2009 01:22 PM

No, you should never change the built-in ruleset unless needed, in this case, you need to create a Policy, a rule module, and add an application control rule with the info i gave you. You attach the policy to the group that your hosts are in, the rule module to the policy, and generate. Just be carefull, CSA is a very powerful tool, and rules can have massive impact in your setup if you are not careful. Try it out on one machine first, this can be done be creating a group and assigning the new policy you just created to that, and then add that group to the host.

Go to solution
pmccubbin
Level 5
Level 5
In response to jan.nielsen

‎10-09-2009 01:51 PM

Jan,

You are spot-on. Never change a default rule whether it is CSA or MARS. If an application SA gives you the option of adding a new policy or cloning an old one (MARS) then you should take it.

A "5" from NYC.

Cheers!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents