CSA: Log stop possible when action is Terminate Process

Oliver_Kuley (Level 1)

CSA triggers with one of the pre-configured rules when WgaTray.exe tries to scan a host. WGA is Microsoft's Windows Genuine Advantage, which we got with Windows Update some time ago. I could create an exception for that, but what if I'd like the CSA to block it permanently? How can I get rid of the event messages?

I have cloned the rule and changed it, so that it targets WgaTray.exe only. The problem is, even though I unticked the log option, a Terminate Process will create a dump and this results in another entry in the event log.

I then tried to change the action into a simple Deny, but then the original rule triggers first. Any idea what I could do?


gojericho0 (Level 1)

Have you tried to check the "Take precedence over other Priority Terminate rules" option?

I have created an allow exception for this rule, because I know the WGA software can be a real pain if it is not able to function. We had experiences with some updates not downloading and applying properly.

HTH

Thanks, but that doesn't help. A Deny rule will always be below any Terminate Process rules. I guess a Terminate Process action will always result in a dump and that will prompt a log entry.

Hi Oliver,

You are correct that some process terminations will result in dumps and log entries (especially something like WGAtray.exe).

You could exclude wgatray.exe from the terminate process rule and then the deny and not log rule should work as you expect.

What specific rule (type, name and rule module) is generating this alert?

I don't see any alerts on my MC regarding WGAtray but I may not have the same policies applied.

Tom
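Tom's suggestion and the two attempts that failed, worked through as an added example (this is a simplified model written for this thread, not CSA's rule engine; it assumes, as the thread reports, that a Terminate rule outranks a Deny rule and that a terminate always produces a logged dump regardless of the rule's log option):

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Assumption drawn from the thread: the more restrictive action wins,
# so Terminate beats Deny, which beats Allow.
PRECEDENCE = {"terminate": 0, "deny": 1, "allow": 2}


@dataclass
class Rule:
    name: str
    action: str                                  # "terminate", "deny" or "allow"
    targets: Optional[FrozenSet[str]] = None     # None = matches every process
    log: bool = True                             # the rule's own "log" tick box
    exclude: FrozenSet[str] = frozenset()        # processes carved out of the rule


def evaluate(rules, process):
    """Return (winning rule, action, logged) for one event from `process`."""
    matches = [r for r in rules
               if (r.targets is None or process in r.targets)
               and process not in r.exclude]
    if not matches:
        return ("<no rule>", "allow", False)
    winner = min(matches, key=lambda r: PRECEDENCE[r.action])
    # A terminate always dumps the process, and the dump is logged even when
    # the rule's log option is unticked (the behaviour Oliver observed).
    logged = winner.log or winner.action == "terminate"
    return (winner.name, winner.action, logged)


RULE_186 = Rule("186 access system functions from a buffer", "terminate")
WGA = frozenset({"WgaTray.exe"})


def attempt_clone_without_log():       # first attempt: cloned rule, log unticked
    clone = Rule("186 clone, WgaTray only", "terminate", WGA, log=False)
    return evaluate([RULE_186, clone], "WgaTray.exe")


def attempt_plain_deny():              # second attempt: the original rule still wins
    deny = Rule("deny WgaTray, no log", "deny", WGA, log=False)
    return evaluate([RULE_186, deny], "WgaTray.exe")


def accepted_solution():               # exclude WgaTray from 186, then deny without log
    rule_186 = Rule(RULE_186.name, "terminate", exclude=WGA)
    deny = Rule("deny WgaTray, no log", "deny", WGA, log=False)
    return evaluate([rule_186, deny], "WgaTray.exe")
```

Other processes still hit the unmodified terminate rule, so the exclusion only relaxes the policy for the one executable.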

Hi Tom, thanks for the help. Looks like I failed to make the last step.

The rule is a System API control rule (186 in my installation of v5.2), "Network Applications, Access system functions from a buffer". The action is "Query user", defaulting to "Terminate process". This rule is in the "General Application Permissions - all Security Levels" rule module.

Looks good so far. I still need to create a few more Deny rules, now that the process isn't terminated.

Nice to hear and glad it worked.

Have fun with it.

Tom
