george.h

Adding Exceptions with KES 8.1.0.1042 [Solved]


I have a network with 14 endpoints on it running KES 8.1.0.1042. These are (now) a mixture of Win 7 Pro SP1 and XP Pro SP3 managed using KSC 9.3.75 running on a Windows 2003 Server box.

 

Basically the issue comes from that old bugbear of Kaspersky, the infuriating "Unprocessed Objects". You know, the yellow warning you get when Kaspersky misdetects a perfectly valid program as a potential threat which can only be cleared by visiting or remote controlling the client PC to clear - although it takes AGES after clearing it before KSC recognises the fact. Well, 99.9999% of the time on my network these are false detections from things like Brother Control Centre 3 (Brother's network scanner/printer/copier/fax control utility) and stuff like that.

 

So I thought I'd add it in as an exception to kill these damned annoying warnings. I use a security policy to lock down the user interface on the PCs themselves and thought I'd try adding the exceptions via the policy so that I can deploy and manage them centrally. However I just cannot get it to work. Has anyone been able to add exceptions using this method? If so, how do I get it to work? I'd much MUCH rather NOT have to start opening up the end users interface to allow them to do it - they will add all sorts of crap.

 

Any suggestions would be much appreciated......

 

George


Hello!

 

Could you please provide us with the export of your active policy?

 

Thank You!

 


 

How do I export the policy? All I can find is Export List which contains nothing but the name of the active policy.

 

Is there EVER going to be a proper solution to the Unprocessed Objects "feature"?


Hello!

 

Right button mouse click on the policy => export.

 

Thank You!


 

I should have put my glasses on! Thank you! I must be going (even more) blind...

 

Policy attached. This is the standard policy at the moment without any exceptions - I removed them when I couldn't get them to work. I'll just do a modified one and upload that when done.

 

George

Active_Policy.zip


 

Ok.... I've now done a modified policy to exclude an application called Brother Control Centre 3. This is part of the driver suite for a Brother MFC-9450CDN network fax/scanner/printer/copier. It is one of a number of applications that fall foul of the "PDM.DNS Query" detection. In other words every time a user launches Control Centre 3 (usually to scan a document) their machine logs an unprocessed object which I have to clear on the client PC, AND I get email warnings of the form:

 

Event Probably infected object detected happened on computer 95RKH1J in the domain COLOURHOLOGRAPH on 25 April 2014 2:39:55PM (GMT+00:00)

Result: Detected: PDM.DNS Query

Object: C:\PROGRAM FILES\BROTHER\CONTROLCENTER3\BRCCMCTL.EXE

 

As I've mentioned we have several applications that trigger this, none of which are infected. Not being able to stop these false detections is really annoying. Not being able to clear them from KSC9 is VERY annoying....

 

Modified active policy attached.

 

Regards

George

Active_Policy_with_exclusion.zip


Hello!

Please kindly send the detected files to this email and we'll analyze them. In case these are false detections, we will remove them from our databases.

Thank you!


 

They are definitely false detections. All of them, if I remember correctly, due to "PDM.DNS Query". I've attached this particular example but it is by no means the only example, and it is DEFINITELY NOT A NEW VIRUS. So I think emailing it to "newvirus" is not the right way to go. I also think that sending each of them to you to be excluded from the databases is a bit of a long-winded way of preventing these false detections. From that should I infer that there is no way of adding exception to KES using a security policy in KSC9 to prevent such detections?

 

Please bear in mind that this is all to get around the annoying and frustrating "Unprocessed Objects" issue. I trust you have noticed that in the security policy I have turned off notification to KSC for this - but I still get them.....

BrccMCtl.zip


Hello!

May I please kindly ask you to try adding these files to Trusted Zone?

I see no exclusion set up in you latest policy attached.

Thank you!


 

That is exactly how I have been doing it. Just to be sure I've just gone back into the active policy and checked and it had gone. So I de-activated the policy, went back in, added the file again into the trusted zone (with everything except Allow Interaction with User Interface ticked - see screen shot), closed, applied it, then re-activated.

 

Waited until it had been deployed to the 10 local machines, went back into the policy (without de-activating) and it had gone again - screen shots attached.

 

 

Just found it - I hadn't unticked "Inherit settings from Parent Policy" which was removing it again. I'll have to do some testing to verify that it is actually doing it and no-longer flags the app as "Unprocessed".


 

Great! Glad the issue was resolved.


 

I wouldn't quite say that yet.... I just did a test scan using the software that gets flagged as possibly infected and thus "unprocessed" and it still happened. However, I double checked its entry in the Trusted section of the policy and I'd mis-typed it. So just re-testing....
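An added model of the two pitfalls from the last two posts (the trusted-zone entry vanishing while "Inherit settings from Parent Policy" was ticked, and a mistyped exclusion path that does not match the object named in the alert). This is example code, not from the thread or from Kaspersky; the alert text is constructed from the e-mail quoted earlier, and the inheritance behaviour is a simplified assumption, not KSC's real policy merge logic.

```python
import re

# Constructed sample, modelled on the KSC alert e-mail quoted in the thread.
SAMPLE_ALERT = r"""Event Probably infected object detected happened on computer 95RKH1J in the domain COLOURHOLOGRAPH on 25 April 2014 2:39:55PM (GMT+00:00)
Result: Detected: PDM.DNS Query
Object: C:\PROGRAM FILES\BROTHER\CONTROLCENTER3\BRCCMCTL.EXE
"""


def parse_alert(text):
    """Pull the detection name and the object path out of one KSC alert e-mail."""
    result = re.search(r"^Result: Detected: (.+)$", text, re.M)
    obj = re.search(r"^Object: (.+)$", text, re.M)
    if not (result and obj):
        raise ValueError("not a KSC detection alert")
    return {"detection": result.group(1).strip(), "object": obj.group(1).strip()}


def effective_exclusions(parent, child, inherit_from_parent):
    """Simplified model (an assumption, not KSC's actual merge logic) of the
    pitfall in the thread: while 'Inherit settings from Parent Policy' is
    ticked the parent's trusted-zone list wins and child entries vanish."""
    return list(parent) if inherit_from_parent else list(child)


def _norm(path):
    # Windows paths are case-insensitive, so a case difference is not a typo.
    return path.replace("/", "\\").strip().upper()


def is_excluded(alert, exclusions):
    """True when the alert's object path matches an effective trusted-zone entry."""
    return _norm(alert["object"]) in {_norm(e) for e in exclusions}


def find_mistyped(alert, exclusions):
    """Entries naming the same file but a different directory: the 'mis-typed
    it' case, returned so the admin can correct them instead of re-testing blind."""
    target = _norm(alert["object"])
    fname = target.rsplit("\\", 1)[-1]
    return [e for e in exclusions
            if _norm(e).rsplit("\\", 1)[-1] == fname and _norm(e) != target]
```

Run `find_mistyped` against the path copied from the alert before re-deploying a policy; it catches the Centre/Center kind of slip the thread ends on.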


Thanks for the info!

Please report back if the issue persists.


 

Confirmed - all working now.... Much appreciated.

 

George


 

Hi,

 

Thank You for the information provided!
