peterecju

KES 10 SP2 - Application Startup Control [2187281]


Dear Sirs,

I would like to configure Application Startup Control in policy for KES 10 SP2. The white list option.

Unfortunately, in the list of Category: I don't see all items created in Application categories.

If I make a new Application category with a new name I can see it, but the already created ones not, or some of them yes, some not.

What is very interesting, in policy for KES 10 SP1 I can see all items.

Maybe it's some bug after KSC upgrade to the latest MR1.

What should I do?

Edited by Julius Peterec


Hello,

Is it possible to record a video of the following scenario?

1. you create category

2. you open "application startup control"

3. the category is absent in "application startup control".

Thank you.


Hello,

Video is not necessary. Attached pictures are self-explanatory.

1. List of Application categories I have defined on KSC server. Trusted Browsers e.g. is the problematic one.

2. KES 10 SP2 policy, where is the list of already added categories and list I can only choose from. Trusted Browsers is missing.

3. KES 10 SP1 MR2 policy, where is the list of already added categories and list I can only choose from. Trusted Browsers is there.

post-534654-1491999154.png

post-534654-1491999166.png

post-534654-1491999171.png


Please open properties of the category "Trusted Browsers" and make a screen shot.

Thank you.


Here are the requested screenshots from Trusted Browser category.

post-534654-1492494840.png

post-534654-1492494844.png

post-534654-1492494848.png


Hi!

Could you please tell us whether you have backups of the old versions of KSC?

Thanks!


Hi,

Thank you for that info!

Could you please clarify whether this behavior occurs randomly?

Is there any special script to reproduce the issue?

Is it related to Trusted Browsers only, or are other categories affected too?

Thank you!


Hi,

This behaviour is related only to policy for KES 10 SP2 and I have a problem with two categories only.

I'm not able to identify any relation or similarity, why it happens.


Thank you for that info!

Please collect admin server and console traces while you are creating one of these categories and trying to use it.

Please use any file sharing resource to upload traces.

Thank you!


I have some progress in this issue.

I made a new category Browsers and added Google Chrome with SHA-256 hash. Then I was able to use it in Application Startup Control policy.

Also I was able to add additional records with MD5 hashes.

When I made a new category and the first record was MD5 I was not able to use it in policy.

Admin server traces are here: https://mondi.box.com/s/ku0qeq426zs06hfbc7vqmxzgeh5iuij0


Problem continues. Even though I'm able to make a new category and use it in policy now, the Endpoint Security client doesn't obey the rules.

I have defined a whitelist rule and e.g. SHA256 hash for chrome.exe is in Conditions.

Nevertheless Chrome browser is blocked.

Something is wrong with Application Startup Control and the new version of KES 10.


Hello.

Please specify if the policy you are using was initially converted from an earlier version or created from scratch (Application Startup Control rules are set up from scratch in both cases).

What information is present in the blocking rule? Does it match the executable you added to the white list?

Thank you.


Policy was converted from previous version.


Please check if you get the same behavior if you create a new policy. This issue may be restricted to converted policies.

Thank you.


I have created a new policy and Startup Control works as expected.

Looks like it is a problem with policy conversion.


Hello!

May we consider this topic as resolved?

Thanks!


From my point of view you should investigate what really happens during policy conversion and make a hotfix.

For big companies with a lot of different policies it could be very difficult to create new policies from scratch and manually compare them with the old ones.

Close this topic, but please inform your developers.


Sorry guys,

But it happened again.

I made a new category with SHA256 hashes only to that newly created policy.

Unfortunately KES on my PC doesn't obey rules.

What is interesting, it also prohibits the start of Kaspersky Security Center console as Uncategorized even though I have allowed KL categories.

From my point of view Startup Control functionality in KES 10 SP2 is useless.


Hello.

To investigate, please provide an example of such behavior (the latter scenario, with a newly created policy and SHA256-only category for a particular application that has been added but is still being blocked). Please provide the policy, export of the prohibition events, name/version of the application and KES traces as it is being prohibited.

Thank you.


All requested data are on screenshots and traces are on download link: https://mondi.box.com/s/gjvx0wltrikbcte38gxirhl4bfiypjgx.

post-534654-1493361518.png

post-534654-1493361524.png

Prohibition.txt


Hello,

Please state the KSC server version and attach the klnagchk report.

We have doubts about the quality of the server-agent connection.

The KES policy might not be delivered to client machines in time.

Thank you.


KSC version: 10.4.343.0

Report is attached.

Agent.log


The connection seems to be OK.

Please provide the policy, export of the prohibition events, name/version of the application.

Thank you.


Policy export is available here: https://mondi.box.com/s/m0ndya9x4n6nlz8pez3ns1v2ny891g6w

Category export: https://mondi.box.com/s/il0ry99dpljufo9ozyz875r306t8o6m5

Application name: SecureCRT

Version: 8.1.1 (x64 build 1319)

This app is just an example. Also other apps from that category have the same problem.

Edited by Julius Peterec
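
The question support raises earlier in the thread (does the blocked executable match what was added to the white list?) can be checked on the endpoint itself. The PowerShell below is an added example, not part of the original thread or of any Kaspersky tooling; `Test-CategoryHash` and the temp-file sample data are hypothetical and constructed, and the listed hashes are assumed to be copied by hand from the category's conditions.

```powershell
# Added example: compare an executable's SHA-256 and MD5 with the hashes
# entered as conditions of an application category.
# Test-CategoryHash is a hypothetical helper; all sample data is constructed.
function Test-CategoryHash {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        # Hash strings copied from the category conditions (SHA-256 and/or MD5).
        [Parameter(Mandatory)] [string[]] $ListedHashes
    )
    # Normalise pasted values: strip whitespace and upper-case them.
    $listed = @($ListedHashes | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() })

    # Report both algorithms, since a category may hold either kind of record.
    foreach ($alg in 'SHA256', 'MD5') {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm $alg).Hash.ToUpperInvariant()
        [pscustomobject]@{
            File      = Split-Path -Leaf $Path
            Algorithm = $alg
            Hash      = $actual
            Listed    = $listed -contains $actual
        }
    }
}

# Constructed demo: two temp files stand in for the build whose hash was
# added to the category and for the build that is actually being blocked.
$listedBuild  = Join-Path ([IO.Path]::GetTempPath()) 'demo-listed.bin'
$blockedBuild = Join-Path ([IO.Path]::GetTempPath()) 'demo-blocked.bin'
Set-Content -LiteralPath $listedBuild  -Value 'build A' -NoNewline
Set-Content -LiteralPath $blockedBuild -Value 'build B' -NoNewline

# The constructed "category" holds only the SHA-256 of build A, in lower case.
$category = @((Get-FileHash -LiteralPath $listedBuild -Algorithm SHA256).Hash.ToLower())

# Build A shows Listed = True for SHA256 only; build B shows False for both.
Test-CategoryHash -Path $listedBuild  -ListedHashes $category | Format-Table -AutoSize
Test-CategoryHash -Path $blockedBuild -ListedHashes $category | Format-Table -AutoSize

Remove-Item -LiteralPath $listedBuild, $blockedBuild
```

If the real executable reports `Listed = False` for every algorithm, the file on disk is not the one whose hash is in the category; if it reports `True` and the launch is still prohibited, the mismatch lies in policy or category delivery rather than in the hash.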
