CSA prevents Sophos V7 from installing

Unanswered Question
Nov 7th, 2007
User Badges:

Hi,

We run CSA v4.5.1 on all our servers and desktops. We also run Sophos Anti-virus agent. Recently we upgraded to the latest version of Sophos (7.0.4) but noticed that it wasn't installing correctly. Further investigation confirmed that CSA was preventing Sophos from accessing a registry key called appinit_dlls. Sophos technical support confirmed this was necessary for the application to install correctly.

The CSA logs report nothing (even with the Log Deny overrride option), so we can't step through a wizard as we normally do when CSA prevents a legitimate application from behaving correctly. Also, putting the agent group into test mode has no effect either. What does work is manually disabling the CSA service while in Windows Safe Mode, restarting the PC, applying the Sophos application update, and then turning the CSA service back on again. Sophos is then able to carry out its ide file updates ok. Its just the initial update of the actual application that it runs into trouble with.

I have nearly 700 PC's I would have to apply this workaround to, so I'd appreciate if anyone had come across a more easily applied fix than this one.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
tsteger1 Wed, 11/07/2007 - 11:07
User Badges:
  • Red, 2250 points or more

Hi Mark,


Have you tried explicitly allowing the Sophos install and all it's descendants to access the registry key?


Did you try "Net stop csagent" (not in safe mode) and then try to install it?


HTH...


Tom

mln.01 Fri, 11/09/2007 - 05:38
User Badges:

Hi Tom,

Thanks for the reply. CSA does not allow itself to be stopped in anything other than safe mode. Can this be changed at the management console?


I can't explicitly allow Sophos to access the registry key because there is no indication from CSA that it is blocking this access. Therefore I'm not sure what rule or policy is casuing this issue. It is the Sophos logs that are reporting the issue.


We've logged a TAC with Cisco, and their only response so far has been to suggest putting CSA into Test mode (which should effectively disable CSA), and upping the logging by enabling the 'Log deny actions' rule override. Admittedly this seems to be a logical approach, yet neither has had any effect. Despite being in Safe mode, CSA still stops Sophos installing.

tsteger1 Sat, 11/10/2007 - 11:52
User Badges:
  • Red, 2250 points or more

Hi Mark,


Yes, you can allow agent interaction via an Agent UI rule applied via policy.


My thought was to allow the Sophos install to access the registry based on what you are seeing in the Sophos install logs.


If you explicitly allow it, it might allow the install (if that's all that is stopping it).


Tom



mln.01 Mon, 11/12/2007 - 03:03
User Badges:

Hi Tom,

I think I might be getting somewhere. I have nailed down the rule that is blocking the update (256), although it would appear to be something other than a direct Sophos exe that is running into issues. Here it is:


The process 'C:\WINNT\system32\msiexec.exe' (as user NT AUTHORITY\SYSTEM) attempted to modify a Cisco Security Agent resource Cisco Registry Key\Value: \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Windows\AppInit_DLLs. The operation was denied.


Research shows this to be a well used Windows installer agent, so there may be a risk of allowing this. However, I suppose I'll have to add the into the rule as an acceptable process for now. I have also defined Sophos within the list of AV software packages that is allowed.


Also, moving hosts directly out of their groups and into a test group allows the update to take place. However, I'd rather try to amend the rule base than negate CSA altogether if I could.


Any thoughts??


Thanks


Mark


tsteger1 Tue, 11/13/2007 - 10:13
User Badges:
  • Red, 2250 points or more

Hi Mark,


Sophos must have changed their install package to an MSI wrapper.

I think it's triggering because csauser.dll is listed in the AppInit_DLLs registry key so the agent protection rules kick in.


You could create an explicit allow rule or configure a dynamic rule that triggers when the Sophos install starts.

You'd probably need to include descendants of the Sophos install process then let the registry access take place.


There are existing app classes for msiexec that may work with this.


Tom

If you found away around this in your environment without using test mode could you please post some specifics. We are having the same issue moving from 6.5.10 to 7.0.4 and now it is rearing its head again on a 7.0.5 update (although not on every machine).

We have an environment of nearly 2000 machines so this has been painful.

I have battled with it but since it does not log that it is blocking anything it is very difficult to generate a rule for.


Thank you,

-Landon

tsteger1 Thu, 11/29/2007 - 09:04
User Badges:
  • Red, 2250 points or more

Hi Landon,


Do you not get similar messages to what Mark posted?


"The process 'C:\WINNT\system32\msiexec.exe' (as user NT AUTHORITY\SYSTEM) attempted to modify a Cisco Security Agent resource Cisco Registry Key\Value: \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Windows\AppInit_DLLs. The operation was denied."


This should give you something to make an exception for.


Tom


No, we do not see anything at all. CSA does not show that it is blocking any activity in any way shape or form on the machines being upgraded.

The local client does not show anything in messages, and there are no events in the MC.

As far as CSA is concerned it does not tell me it is interfering in any way, but it most certainly is since when we put them in test mode the upgrade runs just fine.

We do not want to keep throwing machines in and out of test mode during these upgrades.


Thanks for any help that you can provide,

-Landon

tsteger1 Thu, 11/29/2007 - 10:38
User Badges:
  • Red, 2250 points or more

Do you have any rules set not to log? I'm guessing you are running into something similar to what Mark posted since it seems like Sophos changed their install package.


Can you set up a machine for verbose logging with all rules set to log?


You could also try just creating an exception for msiexec to access the registry key mentioned previously.

I have created an exception rule for that registry key and it is being matched when I force an update.

However it will still fail if it is not in test mode.

I have looked through the logs on the local client after an update and it does not show that anything was blocked... it is killing me...


I have a case open with TAC, but they are dragging their feet. If we get it figured out I will post the findings.


Any other advice in the mean time?


Thanks,

-Landon

tsteger1 Thu, 11/29/2007 - 18:12
User Badges:
  • Red, 2250 points or more

You did confirm there are no rules set not to log, right?

You could also try broadening the exception or creating a dynamic app class for the install package.


Do you have the license for the analysis package? You might try that if you do.


Tom

I have gone through all of the rules that have matched an action on a machine and verified that they are logging.

I have also applied hot fix 106 now as suggested by Cisco which has not helped.

Sophos has released another engine update now 7.0.6 and this update is failing in our environment also.

Very strange and very frustrating.

tsteger1 Tue, 12/18/2007 - 10:39
User Badges:
  • Red, 2250 points or more

Hi Landon,


You created the registry exception for MSIEXEC and it's still failing?


You could try putting the rule(s) into test mode and keep logging enabled. That should allow the install and also give you more information.


If you still have problems, try removing a machine from all groups (except of course) and add it to one group at a time (or create a test group) until you get the failure.


That may help illuminate the cause and allow you to craft a solution.


Tom

TAC finally got back to me with something more concrete, here it is as an FYI.


Hopefully they will work with Sophos to resolve this issue permanently going forward.


Thanks for all of the thoughts and ideas!


This AppInit_DLLs entry is an important piece of CSA as it provides a hook into all applications as they load. The csauser.dll is loaded when an application runs, and provides, in our dll, buffer overflow protection and COM+ Component checks. What is happening is that Sophos apparently wants to hook the same way, however, we will not allow changes to the AppInit_DLLs string. And this protection is done by the agent w/o any true rules on the MC, which is why there is not a log.


Based upon the information I have there are two options. And only two options, both of which require specific coordination between the Sophos Rollout and CSA. I am checking with development for another option, but the two options are.

1) Testmode.

2) Stop the agent or turn the security level to Off then install.



Major bummer since it affects all point releases as well!! :(

tsteger1 Tue, 12/18/2007 - 14:15
User Badges:
  • Red, 2250 points or more

Hi Landon, thanks for posting back.


My previous thought was that CSA was protecting the registry string because it loaded a CSA dll.


I thought that if you allowed MSIEXEC access to the string when the Sophos install kicked off and removed it a few minutes later, it would allow the update to occur.


I don't know if the other poster resolved the issue but thought is was worth a shot.


Tom

Actions

This Discussion