This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

wmic.exe and Application Control

Has anyone else tried to convince Sophos to add wmic.exe to the list of applications that can be blocked or monitored with Application Control? Their own guidance on Emotet/Trickbot/Ryuk suggests that use of wmic.exe should be restricted, as it is increasingly used for lateral movement and persistence. Similarly, the 'hacking with Dr Bright' webinar they put on recently made the same recommendation. However, they refuse to add it to Application Control, with the rationale that "WMI is an integral part of the Windows operating system and blocking it could cause unexpected issues". They're obviously conflating wmic.exe with WMI, which is quite frustrating as they're not at all the same thing.

This thread was automatically locked due to age.

Parents

0 Shweta over 4 years ago

Hi Rob Humby

I certainly understand your concern, but unfortunately, it would not possible to add wmic.exe as a Controlled Application as it has too many dependencies on other services. If in case we block it, it can create issues elsewhere in the OS, and hence we cannot add this under the application control list.

Shweta

Community Support Engineer | Sophos Technical Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 Rob Humby over 4 years ago in reply to Shweta

Thanks for your reply, but it doesn't make any sense. Yes, wmic is dependent on certain services, but blocking wmic will not have any knock-on effect on those services, that's completely backwards! Again, you appear to be confusing wmic and WMI, which are two different things. Microsoft themselves recommend blocking wmic: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Rob Humby over 4 years ago in reply to Shweta

Thanks for your reply, but it doesn't make any sense. Yes, wmic is dependent on certain services, but blocking wmic will not have any knock-on effect on those services, that's completely backwards! Again, you appear to be confusing wmic and WMI, which are two different things. Microsoft themselves recommend blocking wmic: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data