Blocking caspol.exe and IEExec.exe

Version

6.0.2.x and 7.x

Topic

This document describes how to block the execution of caspol.exe and IEExec.exe, two .NET Framework utilities that can be used to bypass Bit9's application whitelisting, as discussed in the security blog post from mid-January 2014 (see References). Both are Microsoft-signed binaries shipped with the .NET Framework, so a policy that trusts them by publisher or path implicitly trusts whatever managed code they are pointed at; blocking them directly closes that gap.

Steps

Before implementation, review the rules to confirm they are suitable for the target environment. The paths shown in the following rules should work for most environments, but they may need to be adjusted to match where the binaries actually reside on your hosts (for example, additional .NET Framework or WinSxS directories).

Although these rules are given as block rules, it is good practice to first implement each one as a report rule and then monitor the resulting execution events to determine the potential impact on the environment. Once you are satisfied that no legitimate use will be disrupted, the action on the rule can be changed to Block.

Block rule for caspol.exe

Rule Type:  Execution Control

Execute Action:  Block

Path or File:  <Windows>\Microsoft.Net\Framework*\caspol.exe

                     <Windows>\winsxs\*\caspol.exe

Process:  Any Process

User or Group:  Any User

Block rule for IEExec.exe

Rule Type:  Execution Control

Execute Action:  Block

Path or File:  <Windows>\Microsoft.Net\Framework*\IEExec.exe

                     <Windows>\winsxs\*\IEExec.exe

Process:  Any Process

User or Group:  Any User
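The following PowerShell script is an added example and is not part of the original Bit9 article. It supports the "review the paths first" step above: it inventories every copy of caspol.exe and IEExec.exe under the Windows directory of the host it runs on, hashes each one, and reports whether the file would be matched by one of the four path patterns in the rules above. It assumes that the Bit9 `<Windows>` macro resolves to `$env:windir` and that Bit9's `*` wildcard behaves like PowerShell's `-like` `*` (matches any characters, including backslashes); both are assumptions, not statements about the Bit9 matching engine. Any path reported as UNMATCHED is a candidate for an additional rule.

```powershell
# Added example, not part of the original Bit9 article.
# Inventories caspol.exe / IEExec.exe on this host and checks each copy against the
# rule path patterns. Assumptions (not verified against Bit9 internals):
#   - the Bit9 <Windows> macro is equivalent to $env:windir
#   - Bit9's '*' matches any characters, including '\', like PowerShell's -like '*'
function Get-RuleCoverage {
    param(
        [string[]]$Targets  = @('caspol.exe', 'IEExec.exe'),
        [string[]]$Patterns = @(
            "$env:windir\Microsoft.Net\Framework*\caspol.exe",
            "$env:windir\winsxs\*\caspol.exe",
            "$env:windir\Microsoft.Net\Framework*\IEExec.exe",
            "$env:windir\winsxs\*\IEExec.exe"
        )
    )

    # Search the whole Windows directory, not just the two expected locations,
    # so copies in unexpected subfolders surface as UNMATCHED rather than going unnoticed.
    $found = Get-ChildItem -Path $env:windir -Recurse -File -Include $Targets -ErrorAction SilentlyContinue

    # Get-FileHash only exists on PowerShell 4.0 and later; degrade gracefully on older hosts.
    $canHash = [bool](Get-Command Get-FileHash -ErrorAction SilentlyContinue)

    foreach ($f in $found) {
        $matched = $false
        foreach ($p in $Patterns) {
            # -like is case-insensitive by default, so Microsoft.Net vs Microsoft.NET is fine.
            if ($f.FullName -like $p) { $matched = $true; break }
        }
        [pscustomobject]@{
            Path    = $f.FullName
            SHA256  = if ($canHash) { (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash } else { 'n/a' }
            Covered = if ($matched) { 'MATCHED' } else { 'UNMATCHED' }
        }
    }
}

# Usage: run on a representative endpoint for each OS / .NET Framework combination in scope.
Get-RuleCoverage | Sort-Object Covered, Path | Format-Table -AutoSize
```

Run it on one endpoint per OS and .NET Framework combination you manage, since the WinSxS subfolder names and the set of Framework directories differ between builds. The SHA256 column is there so you can cross-check the reported files against the file catalog in the Bit9 console before flipping the rules from Report to Block.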

References

Original blog post describing technique – Application Whitelist Bypass Using IEExec.exe

http://www.room362.com/blog/2014/01/16/application-whitelist-bypass-using-ieexec-dot-exe/

Microsoft documentation on Caspol.exe (Code Access Security Policy Tool):

http://msdn.microsoft.com/en-us/library/vstudio/cb6t8dtz(v=vs.100).aspx

Microsoft Knowledge Base article on IEExec.exe:

http://support.microsoft.com/kb/822485

Security Changes in the .Net Framework 4

http://msdn.microsoft.com/en-us/library/dd233103(v=VS.100).aspx

Obsolete Members in the .NET Framework 4

http://msdn.microsoft.com/en-us/library/vstudio/ee471421(v=vs.100).aspx

Creation Date: 08-06-2015