gaquino@sikich.com

Members
  • Content Count: 36
  • Rank: Candidate
  • Profile views: 859

Recent posts
  1. Apparently there are more directories affected. Whenever a user accesses the application to create a form and saves the form to their home directory, it triggers the AntiCryptor task:

         Task name: Anti-Cryptor
         Computer: Administration Server <XXXXXXXXXX>
         Group: Servers
         Time: Friday, May 13, 2016 11:08:36 AM
         Virtual Server name:
         Description: Object detected: HEUR:Generic.Unknown.Cryptor. Object name: E:\users\mbd\2015 Tax Info\1 trial.pdf

     This pdf is not password protected, but created on the network drive by the application on the user's PC. So what to do?? The program runs on the user's PC so it can't be excluded from AntiCryptor activity, correct? Is it possible to have wildcards in the AntiCryptor exclusions? Like E:\users\*\2015 Tax Info\* ?? Otherwise this feature will have to be disabled OR alternatively, have everyone put their created pdfs in a specific folder that can be excluded. The AntiCryptor seems like a good idea, but too many applications cause actions that Kaspersky detects as too similar to encryption (like creating a pdf from the Lacerte Tax program or saving drawings from Solidworks). It is proving to be too sensitive and problematic to implement.
  2. WSEE 10 (10.0.0.486) installed on a Server 2012 R2 file server.

         Object detected: HEUR:Generic.Unknown.Cryptor. Object name: E:\public\LACERTE\15tax\OPTION15\DiagInfo_Temp.xml
         Object detected: HEUR:Generic.Unknown.Cryptor. Object name: E:\main-pub\WinCSI\CABINET\updates\data\lastchk.dat

     These directories and files are data from tax and accounting software. These are the directories that have already been excluded from the AntiCryptor actions:

         E:\Public
         E:\main-pub\WinCSI

     Added these as detection was still triggered by the same files:

         E:\Public\*
         E:\main-pub\WinCSI\*

     None of these paths have the check box checked and it's not possible to check them (doesn't work when clicking on them - see attached anticryptor-options.gif). The action to create exclusions adds the above directories into the box on the General options of AntiCryptor directly under the radio button for "Only specified shared folders", with empty check boxes next to each directory. The allow for excluded protection scope is checked and heuristics is enabled and set to 'light'. It is not obvious from looking at the policy options that these directories are excluded - is this correct? If so, why are these files still being flagged as malicious objects? All management done via KSC, not local MMC.
  3. Coworkers of mine report that removing KB3133977 fixes this issue. I haven't confirmed, but it's a place to start.
  4. I thought I was, but redownloaded and applied and license accepted. Updating now.
  5. Trying to add a current valid key returns an error - "Only a license for beta testing can be installed on the beta version of the application"
  6. Running the Setup.exes from each folder (\server and \client) rather than from the popup menu (.hta) returned no errors and both the application and the local console installed. KAV application however fails to start. No license key??
  7. Sorry - posting again as I neglected to create a new topic. Not much luck installing this version 'on top' of 10.0.0.207 (MSFT Server 2008 R2). First error running the install for "Kaspersky Security" from the menu was: "A network error occurred while attempting to read from the file: C:\kav\fsee\english\server\kavws.msi". That's because the file doesn't exist - there exists kavws_64.msi and kavws_86.msi but no kavws.msi. Since I had an x64 server I made another copy of kavws_x64.msi and renamed it kavws.msi. Installation proceeded past this first error. Reran installer (server already had 10.0.0.207 running) and got past that first error but now get an error: "Kaspersky Security (KAVFS) failed to start. Verify that you have sufficient privileges to start system services". This is a test server on a test domain (not production) and I am logged in as the Domain Administrator. Manually starting this service returns the error "The Kaspersky Security service started and stopped..." I am going to try to remove the old version, restart and do a clean install.
  8. Here is the link to the files: http://expirebox.com/download/772889883271...4395a1c791.html Chrome is working without issue now. In the actual release will we be able to see the Allowed entries in the logs - or maybe a hyperlink from the Statistics display? I don't find a way to view specifically what was allowed. Thank You -Gerry
  9. The updated file you sent me did, in fact, work. I can launch Chrome now without showing it blocked in the statistics and log. Allowed applications increase, though not visible in the logs. I will send you the requested logs and traces soon (but not today!).
  10. Here you go! http://expirebox.com/download/1915bade7e8b...dba728f284.html
  11. Link to download the Chrome exe, exported rules xml, traces and debug logs: http://expirebox.com/download/fdd3533a180f...8115d635c4.html (file name = WSEE10.rar)
  12. A couple of things:
     - When displaying the "Rules of Application Control" the table doesn't sort on the column heading. Would be helpful to search for rules.
     - When you add a rule, I don't see an option for saving. If you exit the rules menu, you are prompted with "Settings have been modified. Do you want to save them?", but where is the option or button to save them?
     - What does the "Test rules" do?

     Lastly - no matter what I do, Chrome is always blocked.

     Blocked Event
     ==================================
         Importance level: Important
         Event time: 10/9/2015 8:17:39 AM
         User name: GWA\Administrator
         Computer name: GWA-DC1
         Description: Test mode: application run blocked by rules.
         Object name: C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\CHROME.EXE
         File SHA256 hash: FAE91430BFF132A30AD05E9A4E388643C48EF79245353DC514D3A3CA51FA5CF7
         Digital certificate: O=GOOGLE INC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US
         Thumb: FCAC7E666CC54341CA213BECF2EB463F2B62ADB0
         Controlled by rules: GOOGLE UPDATE signed by O=GOOGLE INC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US;GOOGLE CHROME signed by O=GOOGLE INC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US;GOOGLE CHROME signed by O=GOOGLE INC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US;GWA-DC1:chrome.exe;Chrome - file path allow
     ==========================================================================

     Another Block Event
         Importance level: Important
         Event time: 10/9/2015 7:51:26 AM
         User name: GWA\Administrator
         Computer name: GWA-DC1
         Description: Test mode: application run blocked by rules.
         Object name: C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\CHROME.EXE
         File SHA256 hash: FAE91430BFF132A30AD05E9A4E388643C48EF79245353DC514D3A3CA51FA5CF7
         Digital certificate: O=GOOGLE INC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US
         Thumb: FCAC7E666CC54341CA213BECF2EB463F2B62ADB0
         Controlled by rules: GOOGLE UPDATE signed by O=GOOGLE INC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US;GOOGLE CHROME signed by O=GOOGLE INC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US;GOOGLE CHROME signed by O=GOOGLE INC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US;GWA-DC1:chrome.exe
     ================================================================================

     Rules with Chrome in them:

         <CertificateRule Name="GOOGLE CHROME signed by O=GOOGLE INC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US" Description="" Origin="Auto" Target="Binary" UserOrGroupSid="S-1-1-0" Action="Allow">
           <CertificateRuleCondition UseSubject="true" Subject="O=GOOGLE INC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US" UseThumbprint="true" Thumbprint="0xFCAC7E666CC54341CA213BECF2EB463F2B62ADB0" />
         </CertificateRule>
         <HashRule Name="GWA-DC1:chrome.exe" Description="" Origin="Auto" Target="Binary" UserOrGroupSid="S-1-1-0" Action="Allow">
           <HashRuleCondition Type="SHA256" Hash="0xFAE91430BFF132A30AD05E9A4E388643C48EF79245353DC514D3A3CA51FA5CF7" />
         </HashRule>
         <PathRule Name="Chrome - file path allow" Description="" Origin="User" Target="Binary" UserOrGroupSid="S-1-1-0" Action="Allow">
           <PathRuleCondition Path="C:\Program Files (x86)\Google\Chrome\Application" />
         </PathRule>

     It seems that when launching Chrome, both the Chrome and Google Update rules are invoked, but I haven't been able to get Chrome to launch or just add another tab to a running Chrome instance without triggering a block event. I've generated rules from this event, but it remains blocked. FYI, this is Chrome installed in Program Files (x86), NOT Chrome installed in the user's profile.