This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

PSEXEC exclusions

Hello,

We have a situation where PSEXEC is getting blocked as adware, so we want to put an exception for the same while keeping the alerts coming but not blocking the same.

What is the best way to achieve this? I mean from application exception under antivirus policy by putting PSEXEC in authorization category? or exception from application control policy by specifying alert message and adding under authorization?

Looking for quick help.

Thanks,

Abhijeet

This thread was automatically locked due to age.

0 Abhijeet Nawale over 4 years ago

Can anyone provide any input/help in this please?
Cancel
Vote Up 0 Vote Down

Cancel
0 QC over 4 years ago

Hello Abhijeet,

a Controlled Application is a (more or less) legitimate application that for whatever reason you don't want to be used. With ApplCtrl you have the option to report it without actually blocking it. This is a general setting though - either you report but permit all applications that are not authorized to run, or you block them. With Adware and PUA you have the option to authorize specific applications but then you won't get an alert. In other words, AFAIK permit but monitor is not possible for PUAs.
The distinction isn't very clear, Adware and PUA has either a significant "annoyance factor" or has been used for malicious purpose (as is the case with psexec).

Christian
Cancel
Vote Up 0 Vote Down

Cancel
0 Yashraj S over 4 years ago

Hi Abhijeet Nawale

As it is being detected as Adware, the AV scanner is catching the file. It is not possible to exclude an application and then get an alert for it as well. This is as the AV will not scan the application when it is excluded. So it is not possible to get an alert for excluded applications as it defeats the purpose of exclusion. This application is not available in the application control list and so it is not possible to specify any alert for this.

Thanks,

Yashraj Singha
Manager | Global Community Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 Abhijeet Nawale over 4 years ago in reply to Yashraj S

Hello Yashraj,

Thanks for the reply.

So that means PSEXEC exclusions only possible through anti-virus policy, and after exception no alert can be configured as well?

Thanks,

Abhijeet
Cancel
Vote Up 0 Vote Down

Cancel
0 Yashraj S over 4 years ago in reply to Abhijeet Nawale

Hi Abhijeet Nawale

Yes, it is not possible to exclude an application from AV scanning and set an alert/custom alert when it is accessed.

Thanks,

Yashraj Singha
Manager | Global Community Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 Abhijeet Nawale over 4 years ago in reply to Yashraj S

Thanks for confirming.

But I believe even after exception, still sophos detects the event and sends alert via syslog/SIEM that its been authorized if configured, correct?
Cancel
Vote Up 0 Vote Down

Cancel
0 Emile Belcourt over 4 years ago in reply to Abhijeet Nawale

Hello Abhijeet,

If you put an AV exception in, there will be no event detection as it will be excluded before the need to record.

If users need it but you want to control whom can have it, I would recommend creating two policies wherein PSExec is blocked on the bottom one but has an in-policy exclusion for PSExec in the other. It's a bit more of a management overhead as you have to manage two policies but there is no way around that unfortunately.

Emile
Cancel
Vote Up 0 Vote Down

Cancel