Question How to set PS script to TRUSTED but only let it access ETC_Hosts file in system32?


Studynxx

Level 4
Thread author
Jan 20, 2023
279
As the title says. It updates the hosts file from a website I need, but I don't want it to be able to access anything else, to be on the safe side.



Can I do this? I've tried Low Restricted (by default everything is High Restricted unless KSN says otherwise), but Low Restricted isn't enough to let it access Hosts because it's a file in sys32



Thanks
 

Bot

AI-powered Bot
Apr 21, 2016
4,789
Yes, you can do this by creating a rule in Kaspersky's Firewall settings. Specify the application and the website it can access. However, restricting access to only one website might be tricky as the application might need to access other resources to function properly. Be sure to test thoroughly after setting the rule.
 

Studynxx

Level 4
Thread author
Jan 20, 2023
279
Yes, you can do this by creating a rule in Kaspersky's Firewall settings. Specify the application and the website it can access. However, restricting access to only one website might be tricky as the application might need to access other resources to function properly. Be sure to test thoroughly after setting the rule.
I'm not talking about the website. I'm talking about setting the powershell script to TRUSTED but only letting it access, read and write to the Hosts file in Windows_System32_Drivers_etc_hosts . Can this be done? It mustn't access anything else on the entire PC.
 

Bot

AI-powered Bot
Apr 21, 2016
4,789
I'm not talking about the website. I'm talking about setting the powershell script to TRUSTED but only letting it access, read and write to the Hosts file in Windows_System32_Drivers_etc_hosts . Can this be done?
I apologize for the confusion. Kaspersky doesn't have a feature to restrict a script to only access specific files. It can only restrict scripts or applications from accessing certain categories of data. However, you can use Windows' built-in security settings to set specific permissions for the script to access the ETC_Hosts file.
 

Studynxx

Level 4
Thread author
Jan 20, 2023
279
I apologize for the confusion. Kaspersky doesn't have a feature to restrict a script to only access specific files. It can only restrict scripts or applications from accessing certain categories of data. However, you can use Windows' built-in security settings to set specific permissions for the script to access the ETC_Hosts file.
How do I do that?
 

Bot

AI-powered Bot
Apr 21, 2016
4,789
How do I do that?
To set specific permissions in Windows:

1. Right-click the ETC_Hosts file and select 'Properties'.
2. Go to the 'Security' tab.
3. Click 'Edit' to change permissions.
4. Click 'Add' and enter the name of your script.
5. Check the permissions you want to grant (Read, Write, etc.).
6. Click 'Apply' and then 'OK'.

Remember, this doesn't prevent the script from accessing other files. It just allows it to access the ETC_Hosts file.
 

Studynxx

Level 4
Thread author
Jan 20, 2023
279
To set specific permissions in Windows:

1. Right-click the ETC_Hosts file and select 'Properties'.
2. Go to the 'Security' tab.
3. Click 'Edit' to change permissions.
4. Click 'Add' and enter the name of your script.
5. Check the permissions you want to grant (Read, Write, etc.).
6. Click 'Apply' and then 'OK'.

Remember, this doesn't prevent the script from accessing other files. It just allows it to access the ETC_Hosts file.
I want to prevent the SCRIPT from accessing other files.
 

Bot

AI-powered Bot
Apr 21, 2016
4,789
I want to prevent the SCRIPT from accessing other files.
I'm sorry for any misunderstanding, but currently, there's no built-in Windows feature or Kaspersky option to restrict a specific script to only access a specific file while blocking access to all others. You might need a custom solution or third-party software for such specific restrictions. Please consult with a cybersecurity expert or a professional IT service for further advice.
 

harlan4096

Super Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
9,039
You can try to "play" about Your question, going to Intrusion Prevention, opening Rules for that script, like in this example with FireFox:

1740912216972.png
 

harlan4096

Super Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
9,039
Exactly, BUT... (there is always a BUT) still only allowing Read and Write for that script to Windows host file, could not be enough if You want it to be executed 🤔 I mean, being in UnTrusted, that script probably won't be executed hehe...
 

SeriousHoax

Level 50
Verified
Top Poster
Well-known
Mar 16, 2019
3,935
Exactly, BUT... (there is always a BUT) still only allowing Read and Write for that script to Windows host file, could not be enough if You want it to be executed 🤔 I mean, being in UnTrusted, that script probably won't be executed hehe...
I see. I was assuming that if once I change one setting it would automatically change from untrusted to Custom or something like that. I forgot as I haven't used it in a while.
 

harlan4096

Super Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
9,039
Well, yes... a different color (light blue is assigned) in Intrusion Prevention -> Manage Applications, still, if You only modify that rule/right, maybe that script won't be executed 🤔
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,817
I'm not talking about the website. I'm talking about setting the powershell script to TRUSTED but only letting it access, read and write to the Hosts file in Windows_System32_Drivers_etc_hosts . Can this be done? It mustn't access anything else on the entire PC.

If you prevent changing the PowerShell script content it will access only Windows_System32_Drivers_etc_hosts.
I am not sure if you asked the right question. Do you want to:
  • restrict a concrete PowerShell script (PS1 file) to access the Hosts file, but allow others to do anything,
  • restrict all PowerShell script files from accessing the Hosts file, except one particular PS1 script,
  • restrict powershell.exe to use only a specific CmdLine to access the Hosts file, but allow powershell.exe to do anything in other locations,
  • block powershell.exe except using only a specific CmdLine to access the Hosts file,
 

bazang

Level 12
Jul 3, 2024
551
As the title says. It updates the hosts file from a website I need, but I don't want it to be able to access anything else, to be on the safe side.



Can I do this? I've tried Low Restricted (by default everything is High Restricted unless KSN says otherwise), but Low Restricted isn't enough to let it access Hosts because it's a file in sys32



Thanks
As @Andy Ful points out, if you make the script itself static - which it should be in the first place - then the script itself, when executed by PowerShell, will only modify the hosts file.

It is not the script itself that has access, it is the interpreter - PowerShell that accesses, modifies, and executes. If PowerShell can execute scripts then it has full access to most parts of the system.

There is no safe way to use PowerShell if you intend not to disable it after you are done using it. Constrained language mode will provide many security benefits, but overall, if your priority is hardened security, then you just don't allow PowerShell to execute on any system. If it is enabled on a system, particularly in a Windows administrator's account, and that system is breached, PowerShell is one of the most commonly abused "features" of Windows. It is used as a download cradle, to modify many parts of a system, and to pivot from system to system across a network. It can even encrypt files just like ransomware (PowerShell ransomware). Then it can be used as a reverse malicious agent on a system.

There are many aspects to PowerShell security. To cover them all here would take walls of text. Then it would take quite a bit of effort on your part to figure it all out and make it work securely for you. Unless you have the inclination to spend a month or so devoting time and effort to it, the best thing is not to use PowerShell in the first place.

The people at Microsoft Security said 10 or 15 years ago they didn't know what Microsoft was thinking when it developed and shipped PowerShell with Windows. The initial iterations of PowerShell (1.0 and 2.) were extremely insecure. Since then Microsoft has done what it can to make it more secure, but threat actors always find the gaps and holes that Microsoft's development teams leave within PowerShell that can be exploited.

Use HostMan instead:

 

Studynxx

Level 4
Thread author
Jan 20, 2023
279
If you prevent changing the PowerShell script content it will access only Windows_System32_Drivers_etc_hosts.
I am not sure if you asked the right question. Do you want to:
  • restrict a concrete PowerShell script (PS1 file) to access the Hosts file, but allow others to do anything,
  • restrict all PowerShell script files from accessing the Hosts file, except one particular PS1 script,
  • restrict powershell.exe to use only a specific CmdLine to access the Hosts file, but allow powershell.exe to do anything in other locations,
  • block powershell.exe except using only a specific CmdLine to access the Hosts file,
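
Added example, not written by anyone in this thread: one way to do what Andy Ful and bazang describe as preventing changes to the script content. It makes the PS1 file writable only by Administrators and SYSTEM, then refuses to run it if anyone else can write to it or if its SHA-256 differs from a recorded value. The script path and the pinned hash are assumed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example. $ScriptPath and $PinnedHash are assumed placeholders, not values from the thread.
$ScriptPath = 'C:\Tools\Update-Hosts.ps1'     # hypothetical location of the hosts updater
$PinnedHash = '<SHA256-OF-REVIEWED-SCRIPT>'    # placeholder: record it after reviewing the script

# Rights that let a principal change or replace the file.
$WriteBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
# Well-known SIDs: BUILTIN\Administrators and NT AUTHORITY\SYSTEM.
$TrustedSids = 'S-1-5-32-544', 'S-1-5-18'

function Protect-ScriptFile {
    param([Parameter(Mandatory)][string]$Path)
    # Remove inherited ACEs, then grant Administrators and SYSTEM full control and
    # BUILTIN\Users read and execute only. SIDs avoid localized group names.
    & icacls.exe $Path /inheritance:r /grant:r '*S-1-5-32-544:(F)' '*S-1-5-18:(F)' '*S-1-5-32-545:(RX)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}

function Get-UnexpectedWriter {
    param([Parameter(Mandatory)][string]$Path)
    # Return every Allow ACE that gives write-type rights to a SID outside $TrustedSids.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]($_.FileSystemRights -band $WriteBits) -ne 0) -and
        ($TrustedSids -notcontains $_.IdentityReference.Value)
    }
}

function Invoke-PinnedScript {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$ExpectedSha256)
    $writers = @(Get-UnexpectedWriter -Path $Path)
    if ($writers.Count -gt 0) {
        throw "Refusing to run: writable by $($writers.IdentityReference.Value -join ', ')"
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "Refusing to run: SHA-256 is $actual, expected $ExpectedSha256"
    }
    # The ACL check above is what keeps the file from changing between hashing and execution.
    & powershell.exe -NoProfile -NonInteractive -File $Path
}

Protect-ScriptFile -Path $ScriptPath
Invoke-PinnedScript -Path $ScriptPath -ExpectedSha256 $PinnedHash
```

This fixes what the script file contains; it does not confine powershell.exe, which can still reach whatever the account running it can.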
 
