CSA: Log stop possible when action is Terminate Process

Answered Question
Jan 7th, 2008

CSA triggers with one of the pre-configured rules, when WgaTray.exe tries to scan a host. WGA is Microsoft's Windows Genuine Advantage, which we got with Windows Update some time ago. I could create an exception for that, but what if I'd like the CSA to block it permanently? How can I get rid of the event messages?

I have cloned the rule and changed it, so that it targets WgaTray.exe only. The problem is, even though I unticked the log option, a Terminate Process will create a dump and this results in another entry in the event log.

I then tried to change the action into a simple Deny, but then the original rule triggers first. Any idea what I could do?

gojericho0 Mon, 01/07/2008 - 07:19

Have you tried to check the "Take precedence over other Priority Terminate rules" option?

I have created an allow exception for this rule, because I know the WGA software can be a real pain if it is not able to function. We had experiences with some updates not downloading and applying properly.

HTH

Oliver_Kuley Mon, 01/07/2008 - 07:33

Thanks, but that doesn't help. A Deny rule will always be below any Terminate Process rules. I guess a Terminate Process action will always result in a dump and that will prompt a log entry.

Correct Answer
tsteger1 Mon, 01/07/2008 - 10:04

Hi Oliver,

You are correct that some process terminations will result in dumps and log entries (especially something like WGAtray.exe).

You could exclude wgatray.exe from the terminate process rule and then the deny and not log rule should work as you expect.

What specific rule (type, name and rule module) is generating this alert?

I don't see any alerts on my MC regarding WGAtray but I may not have the same policies applied.

Tom

Oliver_Kuley Tue, 01/08/2008 - 03:34

Hi Tom, thanks for the help. Looks like I failed to make the last step.

The rule is a System API control rule (186 in my installation of v5.2), "Network Applications, Access system functions from a buffer". The action is "Query user", defaulting to "Terminate process". This rule is in the "General Application Permissions - all Security Levels" rule module.

Looks good so far. I still need to create a few more Deny rules, now that the process isn't terminated.
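The precedence behaviour that caused the confusion in this thread (Terminate Process rules are evaluated ahead of Deny rules, and a termination writes a dump and therefore a log entry even when the rule's own log option is unticked) can be modelled in a few lines. The following Python is an added illustration written for this page, not Cisco CSA code: the rule layout, the `Rule` class, the process names used as targets for rule 186 and the `evaluate()` function are assumptions made for the example; only the ordering and logging behaviour come from the posts above. It shows Oliver's three states: the clone left as Terminate with logging off (still logs), the clone changed to Deny (never reached), and Tom's fix of excluding wgatray.exe from the Terminate rule (Deny fires silently).

```python
"""Model of CSA rule precedence as described in this thread (added example)."""
from dataclasses import dataclass, field

# Action precedence as the thread describes it: Allow exceptions first
# (gojericho0's workaround), then Terminate Process, then Deny.
# Lower number = evaluated first. Assumed simplification of CSA ordering.
PRECEDENCE = {"allow": 0, "terminate": 1, "deny": 2}


@dataclass
class Rule:
    name: str
    action: str                                   # "allow", "terminate" or "deny"
    processes: set                                # process names the rule targets
    excluded: set = field(default_factory=set)    # processes carved out of the rule
    log: bool = True                              # the rule's own "log" tick box

    def matches(self, process: str) -> bool:
        p = process.lower()
        if p in {e.lower() for e in self.excluded}:
            return False
        return p in {x.lower() for x in self.processes}


def evaluate(rules, process):
    """Return (action, logged, rule_name) for the first rule matching `process`.

    Rules are ordered by action precedence; within one action the policy
    order is kept (sorted() is stable). A Terminate Process hit is always
    logged, because the agent writes a dump regardless of the log tick box
    (the behaviour Oliver observed).
    """
    for rule in sorted(rules, key=lambda r: PRECEDENCE[r.action]):
        if rule.matches(process):
            logged = True if rule.action == "terminate" else rule.log
            return rule.action, logged, rule.name
    return "allow", False, None          # nothing matched: implicit allow


# Rule 186 from the thread. Its real target is the "Network Applications"
# class; the two process names here are a constructed stand-in for it.
# "Query user" defaulting to Terminate is modelled simply as "terminate".
RULE_186 = Rule("186: Access system functions from a buffer", "terminate",
                {"WgaTray.exe", "iexplore.exe"})

# Oliver's clone targeting WgaTray.exe only, first tried with log unticked.
CLONE_TERMINATE_NOLOG = Rule("clone: terminate WgaTray.exe, no log", "terminate",
                             {"WgaTray.exe"}, log=False)

# The same clone with the action changed to Deny, still with log unticked.
CLONE_DENY_NOLOG = Rule("clone: deny WgaTray.exe, no log", "deny",
                        {"WgaTray.exe"}, log=False)


def clone_as_terminate():
    """Step 1 in the thread: unticking log on a Terminate rule still logs."""
    return evaluate([RULE_186, CLONE_TERMINATE_NOLOG], "WgaTray.exe")


def clone_as_deny():
    """Step 2: the Deny clone sits below rule 186, so 186 still fires."""
    return evaluate([RULE_186, CLONE_DENY_NOLOG], "WgaTray.exe")


def with_exclusion():
    """Tom's fix: exclude wgatray.exe from the Terminate rule."""
    fixed_186 = Rule(RULE_186.name, "terminate", RULE_186.processes,
                     excluded={"wgatray.exe"})
    return evaluate([fixed_186, CLONE_DENY_NOLOG], "WgaTray.exe")


if __name__ == "__main__":
    print("clone as terminate :", clone_as_terminate())
    print("clone as deny      :", clone_as_deny())
    print("with exclusion     :", with_exclusion())
    print("other network app  :", evaluate([RULE_186], "iexplore.exe"))
```

The last line of the usage shows why the exclusion is the right shape of fix: other processes covered by rule 186 are still terminated and logged, and only the one process that was deliberately moved to the silent Deny rule stops producing dump entries.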
