Channel: Symantec Connect - Endpoint Protection - Discussions

Application and Device Control for PSKILL and PSKLLSVC

I need a solution

I am using SEPM and clients on version 12.1.2015.2015.  I am trying to create an application & device rule to monitor PSEXEC and PSKILL on both the source PC and the target PC.

PSEXEC, I had no trouble with. I can monitor both the source computer's launching of PSEXEC and the remote PC's execution of PSEXESVC to launch the process. I'd like to do the same with PSKILL and PSKLLSVC. My rules work like this...

I created two separate rules that monitor the launching of PSEXEC.EXE and PSKILL.EXE. This works perfectly for detecting when a PC runs these two apps.

I then created a third rule that monitors for the PSEXESVC.EXE and PSKLLSVC.EXE to run.

  1. Apply the rule to the following processes:  *.\psexecsvc.exe & *\pskllsvc.exe
  2. Sub-processes inherit conditions.
  3. I created a condition for launch process attempts applied to the following processes:  *
  4. I created a condition for terminate process attempts applied to the following processes:  *

This works perfectly for the PSEXESVC but not for the PSKLLSVC. I am not sure why. The PSEXESVC will log the name of the process that was launched on the remote PC. I would like for the PSKLLSVC to log the name of the process that was terminated on the remote PC.

Has anyone tried to do this with any success?

Here is a sample of log output for the PSEXESVC showing that CALC.EXE was launched using PSEXESVC.

3/8/2013 10:54User Event8AllowProductionA remote client used PsExec.exe to start the named process.Create Process03/8/2013 10:543/8/2013 10:54PsExeSvc Monitoring | PsExeSvc Launched an Appllicationx.x.x.x <IP>6360C:\Windows\PSEXESVC.EXEIDE\DiskWD... <hardware ID removed>C:\Windows\SysWOW64\calc.exe776192 BytesDefaultSYSTEMDomain
