Cisco Support Community
New Member

CSA DENY Executing EXE's BUT NOT READING THEM.

We have CSA V4.5.616

I would like a rule that denies executing EXEs but allows reading them.

The rule I have at the moment denies both.

If a user opens a directory that contains EXEs, the read part is triggered. I only want the rule to trigger if they try to execute. IS THERE A WAY????

THANKS

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: CSA DENY Executing EXE's BUT NOT READING THEM.

Okay, so what you want is a rule that allows a directory listing of all files, but does not allow any of them to be executed? Do you want to prevent just users from manually running the executable, or do you want to restrict the entire system from executing them? Am I correct you're trying to protect a specific directory, and not everything on the drive?

Create a new File Set, I suggest naming it "Restricted Directories":

Directories matching: (whatever directories you're trying to restrict)
C:\Secret_Folder\**
@fixed:\PathTo\AnotherDir\**
@removable:\**
\\Office1\Data\**
@network:\Office Data\Programs\**

Files matching:
*.exe
*.com
*.cmd
*.pif
*.scr
*.bat
*.wsh
*.vbs
*.hta

Create a new Application Class, I suggest naming it "File-Executing Shells".
**\explorer.exe
**\cmd.exe
**\command.com
**\taskmgr.exe

Alternatively, you can just use both the "MS explorer" and "Command Shell" classes if they're available, but I can't find any other classes that include "taskmgr.exe" (which can invoke executables outside of Windows Explorer).

Now create another Application Class, this one will be "Directory-Restricted Executables". Put "$Restricted Directories" in the list.

Next create a new Application Control rule "Attempted Execution in Protected Directory", with the following options:
Take the following action: Deny
when
Current applications in any of the following selected classes: "File-Executing Shells"
But not in any of the following selected classes: None
attempt to run
New applications in any of the following selected classes: "Directory-Restricted Executables"
But not in any of the following selected classes: None
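Added illustration (not Cisco code and not CSA's own matcher): a small Python model of the File Set, Application Class and Application Control rule described in the accepted answer, run over a few constructed events so you can check before deploying that a directory listing or read of a protected file is allowed while an execute attempt from one of the listed shells is denied. The glob semantics ("**" spans separators, "*" stays within one segment), the meaning of the @fixed/@removable/@network tokens and the UNC handling are simplifying assumptions made for the model, as is the constructed DRIVE_TYPES table.

```python
"""Model of the accepted answer's CSA policy: deny when a process in the
"File-Executing Shells" class runs a file from the "Restricted Directories"
File Set, while reads and directory listings are not touched by the rule.
Added illustration only; pattern semantics and drive-type tokens are assumed."""
import re
from typing import Dict, List, Tuple

# Constructed stand-in for the agent's knowledge of drive types (assumption).
DRIVE_TYPES: Dict[str, str] = {"C:": "fixed", "D:": "fixed", "E:": "removable"}

# File Set "Restricted Directories", exactly as listed in the answer.
RESTRICTED_DIRECTORIES: Dict[str, List[str]] = {
    "directories": [
        r"C:\Secret_Folder\**",
        r"@fixed:\PathTo\AnotherDir\**",
        r"@removable:\**",
        r"\\Office1\Data\**",
        r"@network:\Office Data\Programs\**",
    ],
    "files": ["*.exe", "*.com", "*.cmd", "*.pif", "*.scr", "*.bat", "*.wsh", "*.vbs", "*.hta"],
}

# Application Class "File-Executing Shells", as listed in the answer.
FILE_EXECUTING_SHELLS = [r"**\explorer.exe", r"**\cmd.exe", r"**\command.com", r"**\taskmgr.exe"]


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Assumed semantics: '**' spans directory separators, '*' and '?' stay within one segment."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^\\]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)  # Windows paths: case-insensitive


def split_drive(path: str) -> Tuple[str, str]:
    """Classify a path for the @fixed/@removable/@network tokens.  Assumption: the
    token stands for the drive letter, or for '\\server' on a UNC path."""
    if path.startswith("\\\\"):
        segments = path.split("\\")  # ['', '', server, share, ...]
        return "network", "\\" + "\\".join(segments[3:])
    m = re.match(r"^([A-Za-z]:)(.*)$", path)
    if m:
        return DRIVE_TYPES.get(m.group(1).upper(), "fixed"), m.group(2)
    return "unknown", path


def path_matches(pattern: str, path: str) -> bool:
    m = re.match(r"^@(fixed|removable|network):(.*)$", pattern)
    if m:
        drive_type, rest = split_drive(path)
        return drive_type == m.group(1) and glob_to_regex(m.group(2)).match(rest) is not None
    return glob_to_regex(pattern).match(path) is not None


def in_file_set(path: str, file_set: Dict[str, List[str]]) -> bool:
    """A file belongs to the set when its directory AND its file name both match."""
    basename = path.rsplit("\\", 1)[-1]
    in_dir = any(path_matches(p, path) for p in file_set["directories"])
    is_type = any(glob_to_regex(p).match(basename) for p in file_set["files"])
    return in_dir and is_type


def in_class(process_path: str, app_class: List[str]) -> bool:
    return any(path_matches(p, process_path) for p in app_class)


def evaluate(current_app: str, operation: str, target: str) -> str:
    """Decision for one event.  Only 'run' is covered by the Application Control
    rule; 'read' and 'list' fall through to allow, which is what the question asks for."""
    if operation != "run":
        return "allow"
    if in_class(current_app, FILE_EXECUTING_SHELLS) and in_file_set(target, RESTRICTED_DIRECTORIES):
        return "deny"
    return "allow"


# Constructed events: (parent process, operation, target path)
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", "list", r"C:\Secret_Folder"),
    (r"C:\Windows\explorer.exe", "read", r"C:\Secret_Folder\tool.exe"),
    (r"C:\Windows\explorer.exe", "run", r"C:\Secret_Folder\tool.exe"),
    (r"C:\Windows\explorer.exe", "run", r"C:\Secret_Folder\notes.txt"),
    (r"C:\Windows\System32\cmd.exe", "run", r"E:\setup.bat"),
    (r"C:\Windows\explorer.exe", "run", r"\\Office1\Data\tools\run.vbs"),
    (r"C:\Program Files\Other\launcher.exe", "run", r"C:\Secret_Folder\tool.exe"),
]


def audit(events=SAMPLE_EVENTS) -> List[str]:
    """Decisions for each event, in order."""
    return [evaluate(*e) for e in events]


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, audit()):
        print(f"{decision:5}  {event[0]}  {event[1]:4}  {event[2]}")
```

The last constructed event is the coverage check worth keeping in mind: the rule only fires when the parent process is in the "File-Executing Shells" class, so a launcher that is not in that class is not covered, which is the same reason the answer adds taskmgr.exe to the class rather than relying on the built-in "MS explorer" and "Command Shell" classes alone. If the goal is to stop the whole system from executing from those directories, the class has to be widened accordingly.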

3 REPLIES
New Member

Re: CSA DENY Executing EXE's BUT NOT READING THEM.

What type of rule is it? Application control, File access control?

I have v 5.0, but I might be able to come up with something you could try.


New Member

Re: CSA DENY Executing EXE's BUT NOT READING THEM.

Richard,

Thanks, this is exactly what I wanted.

98 Views, 0 Helpful, 3 Replies