• Announcements

    • Rodion Nagornov

      Forum unavailability // Forum maintenance   08/16/2017

      Due to maintenance work the forum will be unavailable from 20:00 (MSK) on 18.08.2017. The maximum downtime is until 20:00 (MSK) on 20.08.2017.
Michel-B

Migrating Application Categories from SP1 to SP2 fails [2205111] [2178362]

28 posts in this topic

I've upgraded my KSC to 10.4.343 and now have issues with Application Startup Control. I understand this part has some significant changes to it and I had to recreate the policy, which is fine. The Application Categories I created did migrate to the new version, so I used those when I built my new policy.

Now it turns out the whole component simply isn't working anymore because of some categories I've added. I'm using a White List setup, but everything was whitelisted. Even executables and scripts that actually HIT the default deny rule were allowed.

How is this possible? And how do I use the categories I've created in the earlier versions? I suspect it has something to do with the fact I'm using an MD5 file hash as a condition, is this correct? If that's the case, I have a serious problem. I have hundreds of files added to my whitelist for this one company based on the MD5 file hash.

QUOTE(Michel-B @ 15.05.2017 14:31)
Hello.

Due to the changes in file hash calculation between versions, certain categories might need to be recreated in order to work properly. Such categories will not show up when creating rules for KES SP2.

The white list issue might not be related, however, in case you are using it in "Notify" mode and not "Block" mode.

Thank you.


Due to the changes in file hash calculation between versions, certain categories might need to be recreated in order to work properly. Such categories will not show up when creating rules for KES SP2.

This is a huge problem... I have literally hundreds of executables and scripts based on MD5 file hashes in there...

The white list issue might not be related however, in case you are using it in "Notify" mode, and not "Block" mode.

Sadly, no. I do have it set to Block.

 

hC2SZ7T.png

 

vgjyX2B.png

 

I believe this is a bug in KSC that's been around for a while now. Please refer to this topic where a similar issue occurred: https://forum.kaspersky.com/index.php?showtopic=326757

I see now that, when I add a faulting category to a rule, the rule's name is displayed as 'Category is not defined' in KES, and this then breaks the entire module.

I also get this notification when the policy is applied:

Event type: Task settings error. Settings not applied

QUOTE(Michel-B @ 15.05.2017 15:32)

Please provide a screenshot of the entire properties section if possible.

Does this issue only occur when legacy categories are used in rules?

Thank you.


Sadly, I can't really show the previous state anymore. In the meanwhile, I deleted the categories that showed up as 'Category is not defined' in KES and tried re-adding them.

In the screenshot below, for example, you can see the category called KMWE Software SP1, but when I try to add this to the policy, it won't show up. I've created a new blank category named KMWE Software (without the SP1 in the name) and that does show up, but there's no way for me to copy all the items from the old category to the new one.

[screenshots]

Now, I'm going to make it even stranger. In my SP2 policy I have removed all of my categories except for Trusted Updaters, Golden Image and a category I've created myself called Safe Folders. I've just created this category from scratch; it didn't exist before. Right now, I did change the action to Notify because I don't want to interfere with people.

[screenshot]

In the Safe Folders category I've added the folders for Program Files.

[screenshot]

Still, I'm getting all these events:

[screenshots]

This happens on a lot of clients (not sure if it's on all), and I can see the policy has been applied to these clients.


In the scenario you describe in the previous post, the issue is different from the initial one. Please describe in more detail whether the applications that should be blocked are actually allowed, or vice versa, and under which condition this happens.

Thank you.


OK, let's focus on the last issue; since the first part is clearly bugged, I'll get back to that later.

A category with C:\Program Files\ and C:\Program Files (x86)\ added as Application Folders. I've also added a specific folder with an executable I use for testing, just to be sure.

Example:

[screenshots]

Like I said, I've changed it to Notify for testing purposes, but it's still reported as blocked in Notify mode.

QUOTE(Michel-B @ 15.05.2017 20:46)
Hello,

Please attach the klnagchk report from the host where the event occurred.

Thank you.


I've sent a private message containing the logfile.

QUOTE(Michel-B @ 15.05.2017 20:46)
Please provide the following data for investigation:

1. Export of the active policy

2. Export of local settings from the KES host where the issue occurs

3. KES traces during the test application run

Thank you.

Please check the private message.


Any updates on this?

QUOTE(Michel-B @ 18.05.2017 09:09)
Any updates on this?

 

Hello,

Sorry for the late response.

Please send all collected information to the user

Thank you.

I did. Please check the message I sent on 16-5 at 10:11.

QUOTE(Michel-B @ 18.05.2017 13:49)
I did. Please check the message I sent on 16-5 at 10:11.

 

Issue 2205111 was submitted.

Please wait for information from the developers.

Thank you.

QUOTE(Michel-B @ 18.05.2017 13:49)
I did. Please check the message I sent on 16-5 at 10:11.

 

Information from developers:

Category "Safe Folders" does not appear in the KES traces.

Please collect KES traces from KES launch onward:

1. Enable KES traces - http://support.kaspersky.com/9343

2. Reboot the computer

3. Reproduce the problem (get a notification about a prohibited application)

4. Disable KES traces.

Thank you.


Done. You have a new message with a link to the traces.


I did that already, please check the message on 19.05.2017 14:43

QUOTE(Michel-B @ 22.05.2017 08:55)
I did that already, please check the message on 19.05.2017 14:43

 

We sent the new traces to the developers. We will inform you later, when we get an answer.

Thanks!


I found out something...

When I add the path:

C:\Program Files\

It doesn't work.

However, when I add one of the following:

C:\Program Files\*

C:\Program Files\*.*

C:\Program Files\*.exe

It does work (the last one only for executables, obviously). Has this changed in SP2? Because I never had to use the asterisk in SP1.


Hi,

Thank you for that info!


Still, if this is the solution it's unacceptable. Why has this behaviour suddenly changed?

QUOTE(Michel-B @ 23.05.2017 10:07)
Still, if this is the solution it's unacceptable. Why has this behaviour suddenly changed?

Because we changed the component functionality.

Thank you!


Yet there are no support articles that reflect this change.

Another question related to this: before, I was able to use variables in the folder path.

For example:

%userprofile%\AppData\Local\*

or

%localappdata%\Microsoft\*

Can you please verify if this is still supported? Executables added to the whitelist with these folder paths are not allowed anymore since upgrading to SP2.

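An added illustration, not Kaspersky's code and not a description of KES internals: a small Python matcher that models the two semantics contrasted in the two posts above, a bare folder entry treated as a directory prefix versus every entry treated as a glob pattern, and expands %VAR% placeholders before matching (that expansion, the environment mapping and all sample paths are constructed assumptions).

```python
import fnmatch

# Constructed sample entries in the three styles discussed in the thread,
# plus an environment-variable entry (expansion before matching is an assumption).
CATEGORY_ENTRIES = [
    "C:\\Program Files\\",              # bare folder: reported as no longer matching in SP2
    "C:\\Program Files (x86)\\*",       # trailing wildcard: reported as matching
    "%LOCALAPPDATA%\\Microsoft\\*.exe",  # variable plus extension-limited wildcard
]

# Constructed environment mapping; a real resolver would read the user's environment.
SAMPLE_ENV = {"LOCALAPPDATA": "C:\\Users\\test\\AppData\\Local"}


def expand_entry(entry, env):
    """Replace %VAR% placeholders using the supplied mapping (assumed to happen before matching)."""
    expanded = entry
    for name, value in env.items():
        expanded = expanded.replace(f"%{name}%", value)
    return expanded


def glob_matches(entry, path, env=SAMPLE_ENV):
    """Glob semantics: the whole path must match the pattern, so a bare folder never matches a file inside it."""
    pattern = expand_entry(entry, env).lower()
    return fnmatch.fnmatchcase(path.lower(), pattern)


def prefix_matches(entry, path, env=SAMPLE_ENV):
    """Prefix semantics: everything before the first '*' is treated as a folder prefix (extension ignored)."""
    prefix = expand_entry(entry, env).split("*", 1)[0].lower()
    return path.lower().startswith(prefix)


def first_matching_entry(path, entries, matcher, env=SAMPLE_ENV):
    """Return the first entry that allows `path` under `matcher`, or None (default deny)."""
    for entry in entries:
        if matcher(entry, path, env):
            return entry
    return None


if __name__ == "__main__":
    samples = [  # constructed executable paths
        "C:\\Program Files\\7-Zip\\7z.exe",
        "C:\\Program Files (x86)\\Notepad++\\notepad++.exe",
        "C:\\Users\\test\\AppData\\Local\\Microsoft\\Teams\\Update.exe",
        "C:\\Users\\test\\AppData\\Local\\Microsoft\\Teams\\Teams.dll",
    ]
    for p in samples:
        print(p, "| glob:", first_matching_entry(p, CATEGORY_ENTRIES, glob_matches),
              "| prefix:", first_matching_entry(p, CATEGORY_ENTRIES, prefix_matches))
```

Under glob semantics the 7-Zip binary under the bare C:\Program Files\ entry gets no match and falls to default deny, which is the behaviour the thread reports after the upgrade.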