02-13-2008 12:35 PM - edited 03-09-2019 08:06 PM
CSA built-in rule 700 denies attempts to access CSA processes. We're seeing MS Virtual PC (virtual pc.exe), Cisco VPN client (cvpnd.exe) and other non-AV related processes trying to access CSA resources. The details of the event don't provide much information as to why. Any thoughts?
02-13-2008 12:49 PM
Hello Michael,
Which rule is your rule 700? Is it an Agent Service Control?
Rule 700 is probably different for every CSA install after the first hotfix application (I don't even have a rule 700).
It may be you just need to exclude some application classes from logging in the agent protection rule.
Tom
02-13-2008 12:53 PM
Hi Tom - Yes, it is an Agent Service Control rule with description of "All applications (except virus scanners and installers), modify agent configuration".
I realize I could go ahead and exclude these apps from the rule, but am also trying to figure out why Virtual PC and Cisco's own VPN client would try to access/modify CSA processes.
Thanks.
02-13-2008 04:27 PM
Hi Michael,
I see several applications that try to read all files, hit the files in the CSA folder and trigger the rules.
Adobe Updater (acroaum.exe), cleanmgr.exe and findfast.exe (yes, findfast) are a few that come to mind.
I can't tell you why most of them do it.
Tom
02-14-2008 07:38 AM
Thanks Tom. Did you have to create any exceptions for these for the apps to work properly? We're still in test mode so trying to see what impact each of the events will have.
02-14-2008 10:26 AM
I either allowed it, had them uninstall it if it was unnecessary software (like findfast) or created an event suppression filter.
I didn't see any impact on apps if they didn't have access.
Try protect mode on a few hosts and see what happens.
Tom