
PSEXEC exclusions

Hello,

We have a situation where PSEXEC is getting blocked as adware, so we want to put an exception in for it while keeping the alerts coming but not blocking it.

What is the best way to achieve this? I mean, an application exception under the antivirus policy by putting PSEXEC in the authorization category? Or an exception from the application control policy by specifying an alert message and adding it under authorization?

Looking for quick help.

Thanks,
Abhijeet



This thread was automatically locked due to age.
  • Can anyone provide any input/help in this please?

  • Hello Abhijeet,

    a Controlled Application is a (more or less) legitimate application that for whatever reason you don't want to be used. With ApplCtrl you have the option to report it without actually blocking it. This is a general setting though: either you report but permit all applications that are not authorized to run, or you block them. With Adware and PUA you have the option to authorize specific applications, but then you won't get an alert. In other words, AFAIK "permit but monitor" is not possible for PUAs.
    The distinction isn't very clear; Adware and PUA either have a significant "annoyance factor" or have been used for malicious purposes (as is the case with psexec).

    Christian 

  • Hi  

    As it is being detected as Adware, the AV scanner is catching the file. It is not possible to exclude an application and then get an alert for it as well. This is because the AV will not scan the application when it is excluded. So it is not possible to get an alert for excluded applications, as it defeats the purpose of exclusion. This application is not available in the application control list, so it is not possible to specify any alert for this.

  • Hello Yashraj,

    Thanks for the reply.

    So that means PSEXEC exclusions are only possible through the anti-virus policy, and after the exception no alert can be configured either?

    Thanks,
    Abhijeet

  • Hi  

    Yes, it is not possible to exclude an application from AV scanning and set an alert/custom alert when it is accessed.

  • Thanks for confirming.

    But I believe even after the exception, Sophos still detects the event and sends an alert via syslog/SIEM that it's been authorized, if configured, correct?

  • Hello Abhijeet,

    If you put an AV exception in, there will be no event detection as it will be excluded before the need to record.

    If users need it but you want to control who can have it, I would recommend creating two policies, wherein PSExec is blocked in the bottom one but has an in-policy exclusion for PSExec in the other. It's a bit more of a management overhead, as you have to manage two policies, but there is no way around that unfortunately.

    Emile