CSA DENY Executing EXE's BUT NOT READING THEM.

cbigas
Level 1

We have CSA V4.5.616

I would like a rule that denies executing exe's but allows reading them.

The rule I have at the moment denies both.

If a user opens a directory that contains exe's the read part is triggered, I only want the rule to trigger if they try to execute, IS THERE A WAY ????

THANKS


joseph.hamilton
Level 1

What type of rule is it? Application control, File access control?

I have v 5.0, but I might be able to come up with something you could try.

RichardSW
Level 1

Okay, so what you want is a rule that allows a directory listing of all files, but does not allow any of them to be executed? Do you want to prevent just users from manually running the executable, or do you want to restrict the entire system from executing them? Am I correct you're trying to protect a specific directory, and not everything on the drive?

Create a new File Set, I suggest naming it "Restricted Directories":

Directories matching: (whatever directories you're trying to restrict)

C:\Secret_Folder\**

@fixed:\PathTo\AnotherDir\**

@removable:\**

\\Office1\Data\**

@network:\Office Data\Programs\**

Files matching:

*.exe

*.com

*.cmd

*.pif

*.scr

*.bat

*.wsh

*.vbs

*.hta

Create a new Application Class, I suggest naming it "File-Executing Shells".

**\explorer.exe

**\cmd.exe

**\command.com

**\taskmgr.exe

Alternatively, you can just use both the "MS explorer" and "Command Shell" classes if they're available, but I can't find any other classes that include "taskmgr.exe" (which can invoke executables outside of Windows Explorer).

Now create another Application Class, this one will be "Directory-Restricted Executables". Put "$Restricted Directories" in the list.

Next create a new Application Control rule "Attempted Execution in Protected Directory", with the following options:

Take the following action: Deny

when

Current applications in any of the following selected classes: "File-Executing Shells"

But not in any of the following selected classes: None

attempt to run

New applications in any of the following selected classes: "Directory-Restricted Executables"

But not in any of the following selected classes: None

Richard,

Thanks, this is exactly what I wanted.
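
A small model of the rule RichardSW describes, showing why opening or listing a protected directory no longer trips it while a launch from a listed shell does; this is an added example, not part of the thread and not CSA's own matching code. The wildcard semantics ("**" spans directory levels, "*" stays within one path component, case-insensitive), the event tuples and the C:\Tools\launcher.exe parent are assumptions made for illustration, and the @fixed, @removable and @network entries are left out.

```python
import re

# Patterns copied from the answer above (the @fixed/@removable/@network entries are left out).
# Assumed matching semantics, not taken from CSA documentation: "**" spans any number of
# directory levels, "*" stays inside one path component, comparison ignores case.
RESTRICTED_DIRS = [r"C:\Secret_Folder\**", r"\\Office1\Data\**"]
RESTRICTED_FILES = ["*.exe", "*.com", "*.cmd", "*.pif", "*.scr", "*.bat", "*.wsh", "*.vbs", "*.hta"]
FILE_EXECUTING_SHELLS = [r"**\explorer.exe", r"**\cmd.exe", r"**\command.com", r"**\taskmgr.exe"]

def to_regex(pattern):
    """Translate one wildcard pattern into an anchored, case-insensitive regex."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + r"[^\\]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out + r"\Z", re.IGNORECASE)

def matches_any(patterns, text):
    return any(to_regex(p).match(text) for p in patterns)

def in_restricted_file_set(path):
    """File Set "Restricted Directories": directory AND file name must both match."""
    directory, _, name = path.rpartition("\\")
    return matches_any(RESTRICTED_DIRS, directory + "\\") and matches_any(RESTRICTED_FILES, name)

def rule_denies(parent, operation, target):
    """Model of "Attempted Execution in Protected Directory" for one event."""
    if operation != "run":
        return False  # the rule is keyed on "attempt to run"; opening or listing is not a launch
    return matches_any(FILE_EXECUTING_SHELLS, parent) and in_restricted_file_set(target)

# Constructed events: (current application, operation, target file)
EVENTS = [
    (r"C:\Windows\explorer.exe", "read", r"C:\Secret_Folder\tool.exe"),
    (r"C:\Windows\explorer.exe", "run", r"C:\Secret_Folder\tool.exe"),
    (r"C:\Windows\System32\cmd.exe", "run", r"C:\Secret_Folder\sub\RUN.BAT"),
    (r"C:\Windows\System32\taskmgr.exe", "run", r"\\Office1\Data\Programs\setup.exe"),
    (r"C:\Windows\explorer.exe", "run", r"C:\Program Files\App\app.exe"),
    (r"C:\Tools\launcher.exe", "run", r"C:\Secret_Folder\tool.exe"),  # hypothetical parent, not in the class
]

def evaluate(events=EVENTS):
    return [rule_denies(*e) for e in events]

if __name__ == "__main__":
    for event, denied in zip(EVENTS, evaluate()):
        print("DENY " if denied else "allow", *event)
```

The last constructed event shows the rule's scope: a launch is denied only when the current application is in the "File-Executing Shells" class.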