This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Swiftyyyy
Advisor
‎2022-10-13 06:47 AM

Working with .bat files

Hi,

I'm looking for a workflow suggestion.
We're managing an environment with Harmony Endpoint, however in that environment there's a strong need for tasks to be performed through batch files.
The issue is that Threat Emulation (very) often grabs these .bat files, despite them being written by a trusted administrator internally.

Now of course we could create an exclusion for the directory the admin writes the files in, but that only resolves the "creation" part, the issue is also quite often the distribution and successful execution after the fact.

We could suggest a move to Powershell scripts which can be signed by the organizations internal PKI, however would that be any guarantee that they wont trigger remediation on Threat Emulation regardless?

In interest of maintaing a secure environment the customer is willing to adjust their workflow, but I'd like to at least meet them half way and provide a workflow which will genuinely work.

We can add the signature into Forensics as an exclusion, but what good does that do if it's Threat Emulation that does the matching, unless a file being signed with the chain of trust valid also helps with TE.

Regards,

0 Kudos
3 Replies
G_W_Albrecht
Legend Legend
Legend
‎2022-10-13 07:28 AM

Should not be, see sk173414: How to execute PowerShell scripts on Harmony Endpoint client machines

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Swiftyyyy
Advisor
‎2022-10-13 11:18 PM
In response to G_W_Albrecht

Ah, sorry for the misunderstanding; I was referring to executing these scripts through a different deployment method, not via Push Operation.

Soo.. in summary, how can I ensure that our internal scripts are trusted by the Harmony Endpoint agent (and not immediately remediated) when ran through other deployment tools.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-10-14 01:46 AM
In response to Swiftyyyy

Open a SR# with TAC to learn that - i can only suggest to use sk173414 as this push operation has been created for a purpose 😎

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events