CSA and Numara Track-IT problems

pdolby
Level 1

We are having problems with allowing the Numara Track-IT application, version 8.0 to operate correctly with CSA. The two features of the application we are attempting to use are Audit and Take Control. We can usually audit a host without trouble, but experience problems when we try to take control of the host.

In our attempts to allow the Track-IT application to function as it needs to, we have created the following:

1. Separate group that contains all hosts except the MC

2. Policy that contains a single rule module

3. Rule module with rules as follows:

- Allows Track-IT application class to read and write all files

- Allows Track-IT application class to access all registry keys

- Allows Track-IT application class to all System APIs

- Allows Track-IT application class to run <All Applications>

- Allows Track-IT application class to act as server on all ports

- Allows Track-IT application class to act as client on all ports

- Allows Command Shell, MS Services, MS svchost, sysocmgr, winmgmt, wmiprvse, Recently Created Untrusted Content, to run Track-IT application class

- Allows All Applications to run Track-IT application class

We have essentially copied creating a Dynamic Application Class from the Cisco Press book, Advanced Host Intrusion Prevention with CSA, pages 191-196. With all of that, we still cannot take control of the remote hosts. Nothing is logged in the CSA MC, and we receive messages from Track-IT such as "Software Push Failed", "Network Name Cannot be Found", or it just sits at "Waiting".

Any suggestions or assistance would be greatly appreciated.

Thank you in advance,

Paul

5 Replies

tsteger1
Level 8

What version of CSA?

What is in the Track-IT app class?

Try this:

Take a host out of every group except the Track-IT group.

Make the Track-IT app class not dynamic.

Detach any policies applied to the and attach to the Track-IT group.

Try to take control of the host.

That should isolate the Track-IT app class in case something else is stepping on it and set not to log.

Tom

Thank you for taking the time to reply, Tom. The version of CSA is 5.2.245, and I have all executables that I can find in both the CSA MC and Program Files directory in the Track-IT application class.

I am going to try everything you suggest here and test in the morning. I appreciate the reply and will post the results in the morning.

Thanks,

Paul

Hi Tom,

Your suggestions have been helpful and useful.

We have been able to audit and take control with the Track-IT policy applied. We then added another policy, our standard Approved Applications class, and again we had success. We have now added the hosts to the Desktops - All Types (5.2.245) and are going to test again. I will let you know the results.

Thanks again for your help.

Paul

Glad to hear it Paul.

BTW, I meant to suggest detaching any policies from but not attach them to the Track-IT group.

Fortunately it wasn't a factor.

Let us know how it goes and please rate if it helps so others can benefit.

Tom

I have had some good and some bad results.

The good was that with repeated testing, we were able to successfully audit and take control of a few computers, and all was good.

The bad was that the next day, those same computers all had issues with CSA detecting explorer.exe as exhibiting potential virus behavior and terminating the process. We had all hosts in the Desktops - All Types group, which we believe to be the only group that would block anything.

I have not had an opportunity to check back. I should have something further on Monday.

Thanks again,

Paul
