Version: 6.0.2.x and 7.x
Topic
This document describes how to block the execution of caspol.exe and IEExec.exe, two .NET Framework utilities that can be used to bypass Bit9's application whitelisting, as discussed in the security blog post published in mid-January 2014 (see References).
Steps
Before implementation, review the rules to confirm they are suitable for the target environment. The paths shown in the following rules should work for most environments, but the supplied path may need to be adjusted to match where these binaries are installed.
Although these rules are given as block rules, it is good practice to first implement them as report rules and then monitor the reported executions to determine the potential impact on the environment. The action on a rule can easily be changed to Block when ready.
Block rule for caspol.exe
Rule Type: Execution Control
Execute Action: Block
Path or File:
    <Windows>\Microsoft.Net\Framework*\caspol.exe
    <Windows>\winsxs\*\caspol.exe
Process: Any Process
User or Group: Any User
Block rule for IEExec.exe
Rule Type: Execution Control
Execute Action: Block
Path or File:
    <Windows>\Microsoft.Net\Framework*\IEExec.exe
    <Windows>\winsxs\*\IEExec.exe
Process: Any Process
User or Group: Any User
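Because the article notes that the rule paths may need adjusting per environment, the following PowerShell script (an added example, not part of the Bit9 article or product) inventories every copy of caspol.exe and IEExec.exe under the Windows directory and reports whether each copy falls under one of the four path patterns above. It assumes that PowerShell's -like wildcard matching approximates the rule engine's path matching closely enough for a pre-deployment check, and that the <Windows> macro resolves to $env:SystemRoot; confirm both in the console before relying on the result.

```powershell
# Added example (not from the Bit9 KB article): inventory caspol.exe and IEExec.exe
# on this host and check each path against the wildcard patterns used in the rules,
# so the rule paths can be verified or adjusted before the rules are deployed.
# Assumption: -like wildcard matching (case-insensitive, '*' spans separators)
# is a close enough stand-in for the rule engine's path matching.

function Get-RuleCoverage {
    param(
        # Local equivalent of the <Windows> macro used in the rule paths (assumption)
        [string]$WindowsDir = $env:SystemRoot
    )

    # Patterns copied from the rules, with <Windows> resolved to the local system root
    $rulePatterns = @(
        "$WindowsDir\Microsoft.Net\Framework*\caspol.exe",
        "$WindowsDir\winsxs\*\caspol.exe",
        "$WindowsDir\Microsoft.Net\Framework*\IEExec.exe",
        "$WindowsDir\winsxs\*\IEExec.exe"
    )

    # Where the .NET runtime binaries normally live; the rules cover both locations
    $searchRoots = @(
        (Join-Path $WindowsDir 'Microsoft.NET'),
        (Join-Path $WindowsDir 'winsxs')
    )

    $binaries = foreach ($root in $searchRoots) {
        if (Test-Path $root) {
            Get-ChildItem -Path $root -Recurse -File -Include 'caspol.exe', 'IEExec.exe' `
                -ErrorAction SilentlyContinue
        }
    }

    foreach ($file in $binaries) {
        # Every pattern that would match this on-disk path (normally exactly one)
        $matched = @($rulePatterns | Where-Object { $file.FullName -like $_ })
        [pscustomobject]@{
            Path        = $file.FullName
            FileVersion = $file.VersionInfo.FileVersion
            Covered     = ($matched.Count -gt 0)
            Pattern     = ($matched -join '; ')
        }
    }
}

$coverage = Get-RuleCoverage
$coverage | Format-Table -AutoSize

# Any copy that no rule pattern matches is where the supplied path needs adjusting
$uncovered = @($coverage | Where-Object { -not $_.Covered })
if ($uncovered.Count -gt 0) {
    Write-Warning ("{0} binary path(s) not covered by the rule patterns:" -f $uncovered.Count)
    $uncovered | ForEach-Object { Write-Warning "  $($_.Path)" }
} else {
    Write-Host 'All discovered caspol.exe / IEExec.exe paths are covered by the rule patterns.'
}
```

Run it on a representative workstation and server before switching the rules from Report to Block; a path listed as not covered (for example, a .NET installation under a non-default directory) is the case the article's "path may need to be adjusted" note refers to, and it should be added as an extra Path or File entry in the corresponding rule.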
References
Original blog post describing the technique: Application Whitelist Bypass Using IEExec.exe
http://www.room362.com/blog/2014/01/16/application-whitelist-bypass-using-ieexec-dot-exe/
MS Information on Caspol:
http://msdn.microsoft.com/en-us/library/vstudio/cb6t8dtz(v=vs.100).aspx
MS Information on IEExec:
http://support.microsoft.com/kb/822485
Security Changes in the .NET Framework 4:
http://msdn.microsoft.com/en-us/library/dd233103(v=VS.100).aspx
Obsolete Members in the .NET Framework 4:
http://msdn.microsoft.com/en-us/library/vstudio/ee471421(v=vs.100).aspx