
Feature Request - Sophos Endpoint Protection/SEC - Application Control Policy

Hello,

I have two feature requests which are related. The second option is a short term fix for the long term issue which is outlined in the first feature request.
 
First, the ability to manually add, create and delete manually created applications in an "application type" in the Application Control Policy would greatly enhance functionality and security presence of the SEC. If there were a command line tool or GUI like the deployment packager (or an integrated option in SEC) where one inputs the required information and the program validates that it would work (or not) and adds it to the list of application types in the console, it would be immensely useful. Overall the motive behind the application control policy is great, but it's not flexible enough to be as effective as it needs to be.
 
Second, please add "PsExec" and "PSEXESVC.exe" (which is created on the remote system (c:\windows\psexesvc.exe) as a service to complete the remote connection by PsExec) and similar "PsTools" applications from Sysinternals (http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx) to the Application Control Policy's "Application Types" so that they can be authorized or blocked as necessary.
Having the ability to create one's own applications to block, and the above submitted applications, is critical to maintaining security and control in our environment. There are many malicious applications that invoke one or more of the "PsTools" utility applications to spread and compromise other remote systems. In recent news PsExec has been found as a part of an exploit (Skeleton Key malware) where it aids the attacker in climbing laterally through the network to access domain controllers with stolen credentials, thereby spreading malware and exploiting the system to gain unauthorized access to any AD user's account. See article http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/.
 
In order to help prevent such attacks and the spread of malicious content in our environment, the ability to block this and similar types of applications is greatly needed. Without the ability to add application type definitions to Application Control Policies we are severely handicapped while using Sophos Endpoint Protection because we cannot react to the rapidly changing threat landscape quickly enough.
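Detecting the remote-side PSEXESVC service installation described in the post, as an added example that is not part of the original thread or of Sophos' product: it scans constructed, simplified Windows System-log "service installed" (Event ID 7045) records for the PSEXESVC service name or a psexesvc.exe image path, matching both fields so that either indicator alone is enough. The key=value line format and the sample entries are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of Windows System log "service installed" (Event ID 7045)
# records, flattened into a simplified key=value line format for this example.
# These are made-up entries, not real log data.
SAMPLE_EVENTS = [
    "EventID=7045 Computer=WS01 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe "
    "ServiceType=user mode service StartType=demand start AccountName=LocalSystem",
    "EventID=7045 Computer=WS02 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe "
    "ServiceType=user mode service StartType=auto start AccountName=LocalSystem",
    "EventID=7045 Computer=WS03 ServiceName=UpdateSvc ImagePath=c:\\windows\\psexesvc.exe "
    "ServiceType=user mode service StartType=demand start AccountName=LocalSystem",
    "EventID=7036 Computer=WS01 ServiceName=PSEXESVC State=running",
]

# key=value pairs whose values may contain spaces; a value ends where the next key begins.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

KNOWN_SERVICE = "psexesvc"      # default service name registered by PsExec
KNOWN_IMAGE = "psexesvc.exe"    # binary dropped into the Windows directory


@dataclass
class Finding:
    computer: str
    service_name: str
    image_path: str
    reason: str


def parse_event(line: str) -> dict:
    return {key: value for key, value in FIELD_RE.findall(line)}


def image_basename(path: str) -> str:
    # Strip surrounding quotes, tolerate either path separator, compare case-insensitively.
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def find_psexec_installs(lines) -> list:
    findings = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "7045":
            continue  # only service-installation events are of interest here
        name = event.get("ServiceName", "")
        image = event.get("ImagePath", "")
        reasons = []
        if name.lower() == KNOWN_SERVICE:
            reasons.append("service name is PSEXESVC")
        if image_basename(image) == KNOWN_IMAGE:
            reasons.append("image is psexesvc.exe")
        if reasons:
            findings.append(Finding(event.get("Computer", ""), name, image, "; ".join(reasons)))
    return findings
```

Running `find_psexec_installs(SAMPLE_EVENTS)` flags WS01 on both indicators and WS03 on the image path alone, while the Spooler install and the non-7045 event are ignored.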


  • Hello redrover,

    psexec and its ilk are detected as PUAs (while one could also see them as applications which should be controlled, having them in different categories might cause problems).

    As for defining your own applications - it's not as simple as it seems. It's either a dumb metadata (name, version, ...) or checksum rule - which requires constant maintenance -, or it would need a more sophisticated (version-independent) detection. I doubt that Sophos would release a tool which is capable of generating such a detection automatically (if it exists) to the public.

    Christian