Add an additional program for remote access to the App Patrol list

Options
General99
General99 Posts: 4 image  Freshman Member
First Comment
in Security

Hello.

I've encountered misuse of the meshagent.exe (MeshCentral) program on my network.
Employees install the program without notification.
The problem is that this program can be renamed and access different addresses on its server side.
How can I block this program from running on the Zywall ATP 700?
This program isn't listed in APP Patrol. I've chosen to block all programs in the Thin Client category, but this doesn't work on meshagent.
I tried blocking the meshagent.exe client program through IPS, but that didn't work either. The program uses 443 in its work, and despite SSL inspection being enabled, blocking through IPS doesn't work.

Can Zyxel add this program to the APP Patrol list?

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 4,344 image  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @General99

    To block the traffic, the current method is to set a security policy for the specific source IP, which is the MeshCentral server ip.

    In addition, you can add the MD5 of the meshagent exe or zip file to the anti-Malware block list, which should restrict your employees to download these files.

    Can Zyxel add this program to the APP Patrol list?

    Let me create the idea post for you and share your requirement to the product team.

    https://community.zyxel.com/en/discussion/31342/add-meshagent-meshcentral-to-the-app-patrol-list
    Zyxel Melen


  • General99
    General99 Posts: 4 image  Freshman Member
    First Comment

    The difficulty is that anyone can deploy a meshcentral server in a couple of minutes. It is freeware software. Download your own agent, meshagent.exe. And the connection server address can be anything.

    The md5 hash also changes. When you deploy your Meshcentral server, you can change the agent file name (mesagent.exe) to anything else in the server settings, and the hash will change accordingly.

    I tried disabling the meshagent.exe agent using signatures and IPS, but it didn't work. I think the IPS on my Zywall ATP 700 only works in the WAN-to-LAN direction, not in the LAN-to-WAN direction. I have an active subscription to the service.

  • Zyxel_Melen
    Zyxel_Melen Posts: 4,344 image  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @General99

    I want to update you that we are evaluating the new applications for the application list, therefore, we will also evaluate to add the meshagent.exe (MeshCentral) to the list.

    Zyxel Melen


Categories

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)