yghnetadmin

Application Startup Control [In progress]


I'm trying to set up whitelisting with Application Startup Control and it isn't working for me. I'm using KSC 10.2.434d and KES 10.2.4.674. I turned off Allow All and added a number of rules, including files I scanned for on my PC. All of the rules I created include the groups Everyone, System, and Authenticated Users.

 

I'm not having any applications blocked, just c:\windows\temp\*.tmp files and a lot of them. Here is an example:

 

Please allow access to the executable file of the application m_a3523.tmp that has been blocked according to an Application Startup Control rule.

 

Parameters of the executable file:

Original file name: <Not defined>

File path: c:\windows\temp\

Publisher: <Not defined>

Product name: <Not defined>

Version: <Not defined>

 

Executable file launch attempt information:

Computer name: PCName

User name: NT AUTHORITY\SYSTEM

Rule blocking the executable file: Default Deny

Launch attempt date and time: 4/8/2016 6:15:35 PM

One more thing. The notification email I receive as an admin says:

 

Product: Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 2 for Windows

Operating system: Microsoft Windows 10 Enterprise (build 10586)

Computer: PCName

Domain: DomainName

 

Notifications:

Critical event: 4/8/2016 6:15:35 PM:

Event type: Application startup prohibited

Object\File path: c:\windows\temp\m_a3523.tmp

Object\KL category: Uncategorized

User: NT AUTHORITY\SYSTEM (Initiator)

Rule\Category: Default Deny

Rule\Rule type: Not test

 

One more thing I found is that if I edit the settings locally I can add a rule for uncategorized items and grant permission to System and deny to all others. This fixed the problem on my PC. I'm having trouble configuring a rule in my policy to mimic that.

Have you tried setting an exclusion in Application Privilege Control? It's under Application Rules -> Settings -> Protected Resources Tab -> Exclusions Button.

Hi,

 

How did you implement a default deny in steps?

 

BR

I created a category scanning the set of computers I'm testing on. I also ran the Inventory task on them. Then I went to the policy and enabled my new application startup control rule along with the Golden Image and Trusted Updaters. Then I turned off the Allow All rule.

 

I created several more rules trying to fix the problem, but it didn't help. I created a category with condition Path To Folder = c:\Windows\Temp\ and applied it in a rule allowing NT Authority\System but deny all others. That didn't help either.

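The notification format quoted earlier in the thread and the rule-building steps above, worked as an added Python example that is not from the original posts and not Kaspersky's own code or API: it parses a constructed set of "Application startup prohibited" notifications (field names copied from the e-mail shown above; the first event repeats the thread's values, the other file names, time stamps and the DOMAIN\jdoe account are made up), groups the blocks into candidate "Path To Folder" plus account conditions like the one described in the last post, and flags candidates that would sit on a writable drop folder. The WRITABLE_DROP_FOLDERS list and all function names are my assumptions, not KES settings.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample input: three "Application startup prohibited" events in the
# field layout of the admin notification e-mail shown in the thread. The first
# event copies the thread's values; the other two file names, the time stamps and
# the DOMAIN\jdoe account are made up for illustration.
SAMPLE_NOTIFICATIONS = r"""
Critical event: 4/8/2016 6:15:35 PM:
Event type: Application startup prohibited
Object\File path: c:\windows\temp\m_a3523.tmp
Object\KL category: Uncategorized
User: NT AUTHORITY\SYSTEM (Initiator)
Rule\Category: Default Deny
Rule\Rule type: Not test

Critical event: 4/8/2016 6:17:02 PM:
Event type: Application startup prohibited
Object\File path: c:\windows\temp\m_b9912.tmp
Object\KL category: Uncategorized
User: NT AUTHORITY\SYSTEM (Initiator)
Rule\Category: Default Deny
Rule\Rule type: Not test

Critical event: 4/8/2016 6:20:11 PM:
Event type: Application startup prohibited
Object\File path: c:\users\jdoe\downloads\setup.exe
Object\KL category: Uncategorized
User: DOMAIN\jdoe (Initiator)
Rule\Category: Default Deny
Rule\Rule type: Not test
"""

# "Key: value"; the key is everything before the first colon, so values that
# themselves contain colons (drive letters, times) survive intact.
FIELD_RE = re.compile(r"^(?P<key>[^:]+?):\s*(?P<value>.*)$")


def parse_notifications(text):
    """Split an e-mail body into events (blank-line separated) and return one
    dict per 'Application startup prohibited' event, keyed by field name."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line.strip())
            if not m:
                continue
            key, value = m.group("key").strip(), m.group("value").strip()
            if key == "Critical event":        # value ends with a stray ':'
                value = value.rstrip(":").strip()
            event[key] = value
        if event.get("Event type") == "Application startup prohibited":
            events.append(event)
    return events


def summarize_blocks(events):
    """Group blocked launches by (folder, account, extension). Each row is one
    candidate 'Path To Folder' condition plus the account it would apply to."""
    counts = Counter()
    names = defaultdict(list)
    for ev in events:
        path = PureWindowsPath(ev["Object\\File path"])
        user = ev.get("User", "").replace(" (Initiator)", "")
        key = (str(path.parent).lower() + "\\", user, path.suffix.lower())
        counts[key] += 1
        names[key].append(path.name)
    return [
        {"folder": folder, "user": user, "extension": ext,
         "count": n, "files": names[(folder, user, ext)]}
        for (folder, user, ext), n in counts.most_common()
    ]


# Assumed heuristic, not a KES setting: folders that services and installers
# routinely write to. A folder-based allow there lets any dropped file start
# as the allowed account, so the row deserves a tighter condition instead.
WRITABLE_DROP_FOLDERS = ("c:\\windows\\temp\\", "c:\\temp\\", "c:\\users\\")


def allow_by_folder_is_risky(row):
    """True when the candidate folder condition would cover a writable drop location."""
    return row["folder"].startswith(WRITABLE_DROP_FOLDERS)


if __name__ == "__main__":
    for row in summarize_blocks(parse_notifications(SAMPLE_NOTIFICATIONS)):
        flag = "  <- writable folder, prefer a trusted-updater or hash condition" \
            if allow_by_folder_is_risky(row) else ""
        print(f'{row["count"]:3d}  {row["user"]:<22} {row["folder"]}*{row["extension"]}{flag}')
```

Run it against a saved notification mail and the first rows are the conditions that would silence the most events. The caveat the flag encodes: the blocked .tmp files report Publisher and Product as <Not defined>, so they are unsigned, and an allow on "Path To Folder = c:\Windows\Temp\" for NT AUTHORITY\SYSTEM admits whatever any service drops there. Finding the process that writes those .tmp files and covering it through the Trusted Updaters category, or conditioning on file hash, keeps the default-deny meaningful.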