
need to block exe file

Vishal6
Level 1

Hi All,

I need to block the exe file path below on a server. Can anyone help me with how I can do this in the Cisco Secure Endpoint console?

c:\program files\uvnc bvba\UltraVNC\winvnc.exe

1 Accepted Solution

Not sure if I follow. If you want to block that particular file, winvnc.exe, you will need to either grab that file and upload it to Blocked Applications, or determine/calculate the SHA256 of that file and add that hash instead. Once you add that, apply the Blocked Applications list to the policy for that server to block running that EXE again.

Or do what Marvin suggested with Simple Custom Detection; you will also need to apply that to your policy for that server, then run a full or partial scan, which will remove the file altogether upon detection.

Both solutions work based on SHA256. However, you need to remember that if the SHA256 changes, let's say with a new version, you will need to adjust that policy again.

Unfortunately, UltraVNC is not considered to be a threat; it's just free software that can display the screen of another computer (via the internet or network) on your own screen. In your case it's unwanted software, but others might use it in their environment. Also, using valid certificates for the installer makes it harder to deem the file malicious. The latest UltraVNC looks like this.

856_572_1.png

853_547_1(1).png
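An added example, not part of the original thread and not Cisco tooling: because both approaches above key on SHA256, this PowerShell script inventories every copy of winvnc.exe on a host, records its hash, file version and signer, and flags hashes that are not yet on your list. The search roots and the `blocked-sha256.txt` file (one hash per line, maintained by you) are assumptions.

```powershell
# Added example. $SearchRoots and $KnownHashFile are assumptions, not values
# from the thread; blocked-sha256.txt is a hypothetical local list of the
# SHA-256 hashes you have already added to your blocked list.
param(
    [string[]]$SearchRoots = @('C:\Program Files', 'C:\Program Files (x86)'),
    [string]$FileName      = 'winvnc.exe',
    [string]$KnownHashFile = '.\blocked-sha256.txt'
)

# Load the hashes already covered; ignore blank or malformed lines.
$known = @()
if (Test-Path -LiteralPath $KnownHashFile) {
    $known = @(Get-Content -LiteralPath $KnownHashFile |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[0-9A-Fa-f]{64}$' })
}

# Find every copy of the executable under the search roots.
$found = @(foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter $FileName -File -Recurse `
        -ErrorAction SilentlyContinue
})

# One row per file: hash, version and signer, so a new build is easy to spot.
$report = @(foreach ($file in $found) {
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    [pscustomobject]@{
        Path        = $file.FullName
        FileVersion = $file.VersionInfo.FileVersion
        SHA256      = $hash
        Signature   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        OnBlockList = $known -contains $hash   # -contains is case-insensitive
    }
})

$report | Format-List

# Hashes that still need to be added to the blocked list or custom detection.
$missing = @($report | Where-Object { -not $_.OnBlockList } |
    Select-Object -ExpandProperty SHA256 -Unique)
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) hash(es) not yet on the blocked list:"
    $missing
}
```

Re-running it after an UltraVNC upgrade shows the new build's hash as not covered, which is the policy adjustment the answer warns about.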

4 Replies

Roman Valenta
Cisco Employee

You can also create your own list under Outbreak Control ---> Application Control - Blocked Applications then apply that list to your policy. This will only work on *.EXE files and it will block that application from running.

Hi Roman,

Using upload file search only for that machine, but I want to block the exe file that resides on the server.