10-07-2009 04:43 PM - edited 03-09-2019 10:37 PM
Hi,
I am new to CSA and have been trying to figure out how to block the Windows cmd.exe process outright. Is anyone able to assist or point me in the right direction?
Thanks
Solved! Go to Solution.
10-09-2009 01:22 PM
No, you should never change the built-in ruleset unless needed. In this case, you need to create a Policy, a rule module, and add an application control rule with the info I gave you. You attach the policy to the group that your hosts are in, the rule module to the policy, and generate. Just be careful, CSA is a very powerful tool, and rules can have massive impact in your setup if you are not careful. Try it out on one machine first; this can be done by creating a group and assigning the new policy you just created to that, and then adding that group to the host.
10-07-2009 11:22 PM
Are you sure you want to do that? If so, just do an application control rule, with priority deny, all applications try to run "cmd.exe".
Jan
10-09-2009 01:51 PM
Jan,
You are spot-on. Never change a default rule whether it is CSA or MARS. If an application SA gives you the option of adding a new policy or cloning an old one (MARS) then you should take it.
A "5" from NYC.
Cheers!