Buijspa
Level 7
Message 1 of 6

Processes launched without parameters

Hi,

I would like to detect processes without command-line arguments specified.

For example, rundll32.exe, msiexec.exe or regsvr32.exe launched without parameters.

How could I obtain this?

Thanks,

Buijspa

Accepted Solutions

Re: Processes launched without parameters

Just turn on JTI rule 516. It uses the parent reputation, or certain parents that might be somehow abused, thus reducing false positives.  You might want to create Expert Rules limiting svchost.exe to only being executed by itself or services.exe, as that is an abuse target with cmd line parameters.  
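As an added illustration of what the rule described here has to decide (not code from McAfee, from the JTI rule, or from anyone in this thread), the following Python scans constructed process-creation records and flags the executables named in the question when they are launched with an empty command line, grading each hit by whether the parent is one of a constructed list of commonly abused parents, and separately flags svchost.exe whose parent is neither services.exe nor svchost.exe. The record format, the parent lists and the sample events are all assumptions made for the example.

```python
"""Flag process launches with no command-line arguments (added example, not product code)."""
from __future__ import annotations

import ntpath

# Executables the question asks about when launched bare.
WATCHED = {"rundll32.exe", "msiexec.exe", "regsvr32.exe"}

# Parents that are often used to spawn these (constructed list; an assumption).
ABUSABLE_PARENTS = {
    "winword.exe", "excel.exe", "outlook.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe",
}

# Parents svchost.exe is expected to have, per the accepted solution.
SVCHOST_PARENTS = {"services.exe", "svchost.exe"}

# Constructed process-creation records in a simple key=value|key=value form.
SAMPLE_EVENTS = r"""
Image=C:\Windows\System32\rundll32.exe|CommandLine="C:\Windows\System32\rundll32.exe"|ParentImage=C:\Program Files\Microsoft Office\WINWORD.EXE
Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL|ParentImage=C:\Windows\explorer.exe
Image=C:\Windows\System32\msiexec.exe|CommandLine=msiexec.exe /V|ParentImage=C:\Windows\System32\services.exe
Image=C:\Windows\System32\regsvr32.exe|CommandLine=  "regsvr32.exe"  |ParentImage=C:\Windows\System32\cmd.exe
Image=C:\Windows\System32\svchost.exe|CommandLine=svchost.exe -k netsvcs|ParentImage=C:\Windows\System32\services.exe
Image=C:\Windows\System32\svchost.exe|CommandLine=svchost.exe|ParentImage=C:\Users\bob\AppData\Local\Temp\dropper.exe
"""


def parse_event(line: str) -> dict[str, str]:
    """Split one 'Key=Value|Key=Value' record into a dict."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def split_command_line(cmdline: str) -> tuple[str, str]:
    """Return (program token, remaining arguments), honouring a quoted program path."""
    text = cmdline.strip()
    if text.startswith('"'):
        end = text.find('"', 1)
        if end == -1:  # unterminated quote: treat the whole thing as the program
            return text, ""
        return text[1:end], text[end + 1:].strip()
    parts = text.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], parts[1].strip() if len(parts) > 1 else ""


def has_no_arguments(cmdline: str) -> bool:
    """True when nothing follows the program token in the command line."""
    return split_command_line(cmdline)[1] == ""


def evaluate(event: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (image, reason, severity) findings for one record."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    findings = []
    if image in WATCHED and has_no_arguments(event["CommandLine"]):
        # Parent context is what keeps a bare launch from being pure noise.
        severity = "high" if parent in ABUSABLE_PARENTS else "low"
        findings.append((image, f"launched without arguments by {parent}", severity))
    if image == "svchost.exe" and parent not in SVCHOST_PARENTS:
        findings.append((image, f"unexpected parent {parent}", "high"))
    return findings


def scan(text: str) -> list[tuple[str, str, str]]:
    """Evaluate every non-empty record in the text and collect findings."""
    results = []
    for line in text.splitlines():
        if line.strip():
            results.extend(evaluate(parse_event(line)))
    return results


if __name__ == "__main__":
    for image, reason, severity in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {image}: {reason}")
```

The command-line check is the part an Access Protection "execute" target cannot express, because it matches on the file regardless of arguments; the parent check is the separate svchost.exe condition the accepted solution recommends as an Expert Rule.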

5 Replies
Saif_f
McAfee Employee
Message 2 of 6

Re: Processes launched without parameters

Hi @Buijspa

Thank you for posting in the community forum. Is your requirement to block processes like msiexec.exe? If yes, then this can be achieved using an Access Protection rule. Please find the steps below to create a test rule.

  • Log on to ePO --> Go to Policy Catalog.
  • Open the policy for Endpoint Security Threat Prevention --> Access Protection --> choose the policy that you want to apply and click on "Edit".
  • Click on "Add" under the "Rules" section.
  • Add a new policy name.
  • Select the actions "Block" and "Report".
  • Click on "Add" under "Executables".
  • Enter any name under the "Name:" field.
  • Enter "*" under the "File name or path" field.
  • Click on "Save".
  • Scroll down to the "Subrules" section.
  • Click on "Add".
  • Enter any name in the "Name:" field.
  • Subrule type: File.
  • Select the operation "Execute".
  • Click on "Add" under "Targets".
  • Under the "File, folder name, or file path" section enter the process name or the complete location of that executable file.
  • Click on "Save".

Test the rule on a test machine to check if it works as expected.

Kind Regards,

Re: Processes launched without parameters

This won't work as it would catch all executions, regardless of the command line.  You'd need to do it in an Expert Rule if you wanted to manually create one.

Dave

Buijspa
Level 7
Message 5 of 6

Re: Processes launched without parameters

Hi Dave,

I've turned on JTI rule 516 and I'll keep you posted about the results.

Once again, thanks for your support, really appreciated!

Kind regards,

Buijspa

Re: Processes launched without parameters

Was just working on something and realized I goofed.  Try turning on 517, which is what I should have said. 🙂  If 516 isn't causing an issue, I'd say keep it on as well.
