Protecting against code injection
Code can be injected into an application to make it run code from another application. SES Evolution makes it possible to protect your applications against the injection of malicious code.
EXAMPLE
There are two possible approaches, illustrated as follows:
There are two possible approaches, illustrated as follows:
- Use case 1: No applications are allowed to inject code, except clearly identified legitimate applications (e.g., antivirus, Windows error reporting, etc.). This is the most commonly used approach.
- Use case 2: No applications are allowed to inject code in the password manager.
Requirements
An application identifier must be created beforehand for every application to be protected and for every application allowed to inject legitimate code. For more information, refer to the section Creating application identifiers.
Creating a rule to protect against code injection
- Select the Security > Policies menu and click on your policy.
- Select a rule set.
- Click on the Application > Code injection tab.
- If you are in read-only mode, click on Edit in the upper banner.
- Click on Add a rule (Code injection).
A new row appears. - Click on in the application ID area and select the application(s) affected by the default behavior.
For use case 1, do not add any applications since you will be protecting all of them.
For use case 2, add the password manager. - In the Access field in the Default behavior area, choose what you want the protection rule to do:
- Allow to allow the action by default,
- Block to block the action by default,
- Block and kill to block the action by default, and shut down the process that launched the action.
- Block, kill and quarantine to block the action by default, kill the process that triggered the action, and quarantine suspicious files. For more information, see the section Managing file quarantine.
- Click on + Add a specific behavior and choose the application(s) that you want to exclude from the default behavior.
For use case 1, add the applications that inject legitimate code (e.g., antivirus, Windows error reporting, etc.) and in Access, choose Allow.
For use case 2, do not add any applications since the password manager will be fully protected.
- In the upper banner in the rule, you can:
- Make the rule passive. Passive rules behave like standard rules but do not actually block any actions. The agent only generates logs that indicate which actions security rules would have blocked.
Use this mode to test new restriction rules, find out their impact, and make the necessary adjustments before disabling Passive rule mode. For further information on testing rules and policies, refer to Testing security policies. - Indicate whether the rule must generate a context when it is applied. By default, if a rule generates Emergency or Alert logs, it will generate a context, but you can disable this feature. In case of mass generation of similar logs, the context is not generated. For more information on mass log generation, refer to the section Monitoring SES Evolution agent activity.
- Select the log settings that this rule will send.
- Specify whether an action must be performed when a log is sent for this rule. You can choose to display a notification on the agent and/or run a script.
- Enter a description to explain what this rule aims to achieve.
- Make the rule passive. Passive rules behave like standard rules but do not actually block any actions. The agent only generates logs that indicate which actions security rules would have blocked.
- The row number of each rule appears on its left. Rearrange the sequence of your rules if you need to, by clicking on the arrows above and below the row number.
- Click on Save at the top right of the window to save changes.