Malware penetrates and changes IEM Process executables

Hello Team
I have a query on the IEM process executables checks.

If an IEM entity (Relay or Endpoint) were penetrated and the IEM Processes that read and write files were replaced by a Trojan, virus or malware executable with the same name as the IEM Process executable:

  1. Does Windows allow this?

     a. I believe Windows will allow the executable to run.

  2. Does IEM play a role in preventing a fake IEM Process executable from running?

     a. Does IEM impose fingerprinting (checksum) on IEM executable components?

Can someone please shed some light on the above query? Kindly help me understand the IEM process run.

Thanks
Vishnu

@Vishnu18Rao,

The BigFix software objects (i.e. BESClient, BESRelay, etc.) and instance content and actions are all signed by the root BES server and validated by the BESRelay/BESClient before distribution and/or execution. So a Trojan BESClient would be extremely unlikely, as the encryption/signing process would fail validation.

I hope this helps.

Best,
@cmcannady

@cmcannady’s answer applies to content distributed through BigFix but if your question is in regards to a lone system and what an administrator/hacker/attacker could do to it…

User Permissions are the only thing preventing the replacing of executables on the system like powershell.exe, cmd.exe, besclient.exe, besrelay.exe, etc.

If you’re an administrator on a system you can replace almost any executable with literally anything (rename a text document to besclient.exe and swap it).

Windows does not enforce certificate checks for software and so there is no automatic mechanism to prevent this.

There are first and third-party solutions like Application Whitelisting or Device Guard which can help enforce signature/hash checks on executables if this was desirable to you.

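The last reply points out that nothing in Windows itself stops an administrator from swapping besclient.exe for an arbitrary file, and that signature or hash checks have to be added on top. The script below is an added example, not code from this thread or from the BigFix product: it is the kind of check an administrator could run to tell a genuine BESClient.exe from a look-alike. The install path, the expected publisher substring and the baseline SHA-256 are placeholders that must be taken from a known-good install; the process check additionally catches a same-named binary started from a different directory.

```powershell
# Added example (not from the BigFix forum or product). Checks that the on-disk
# BESClient.exe carries a valid Authenticode signature from the expected publisher,
# matches a known-good SHA-256, and that any running process of that name was
# started from the expected path. All three settings below are assumptions.

$ExpectedPath      = 'C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe'  # assumed install path
$ExpectedPublisher = 'HCL'   # assumed substring of the signer subject; read it from a trusted install first
$BaselineSha256    = '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder baseline

function Test-BesExecutable {
    param(
        [string]$Path      = $ExpectedPath,
        [string]$Publisher = $ExpectedPublisher,
        [string]$Sha256    = $BaselineSha256
    )
    $findings = @()

    if (-not (Test-Path -LiteralPath $Path)) {
        return @("MISSING: $Path not found")
    }

    # 1. Authenticode check. A renamed text file or an unsigned Trojan reports
    #    Status 'NotSigned'; a binary patched after signing reports 'HashMismatch'.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings += "SIGNATURE: status is '$($sig.Status)' (expected 'Valid')"
    } elseif ($sig.SignerCertificate.Subject -notlike "*$Publisher*") {
        # Valid signature but from a different signer: a signed malicious binary
        $findings += "SIGNER: '$($sig.SignerCertificate.Subject)' does not match expected publisher '$Publisher'"
    }

    # 2. Hash check against a baseline recorded from a trusted install.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($hash -ne $Sha256.ToUpperInvariant()) {
        $findings += "HASH: $hash differs from baseline $Sha256"
    }

    # 3. Running-process check: a look-alike besclient.exe launched from another
    #    directory has the same process name but a different image path.
    $name = [IO.Path]::GetFileNameWithoutExtension($Path)
    foreach ($proc in (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
        # $proc.Path is $null when the image path cannot be read (access denied)
        if ($proc.Path -and ($proc.Path -ne $Path)) {
            $findings += "PROCESS: PID $($proc.Id) runs '$name' from '$($proc.Path)', not '$Path'"
        }
    }

    if ($findings.Count -eq 0) { return @("OK: $Path") }
    return $findings
}

Test-BesExecutable | ForEach-Object { Write-Output $_ }
```

This is a point-in-time audit, not enforcement: an administrator who can replace the binary can also edit the script or the baseline. To actually block an unsigned or wrongly signed besclient.exe from running, the publisher rule has to be enforced by the platform, which is what the AppLocker or Device Guard (WDAC) policies mentioned above provide.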