My co-worker asked me to block an application that another office here has been using to prevent the screen saver from coming on. It is called Caffeine and the executable is caffeine.exe. The problem is that you can place it anywhere on the computer and even change its name and the block no longer works. I wanted to know if there was a better way to stop people from using that with HIPS or some other program in HBSS?
Thanks in advance.
I'm not sure which version rbmimi is running, but this KB might have a bit more detail.
KB71329 - How to blacklist applications using a Host Intrusion Prevention 8.0 custom signature
If you have VSE installed, just add the executable to the "Unwanted Programs" list... Anyone who pops for it, report it up to the CIO and get them a reprimand for intentionally bypassing security.
Ask the CIO for approval and actually demonstrate how easy it is to exfiltrate data off those workstations... A few days of unpaid leave for some employees would send the right message.