
Processes attempting to "modify" CSA process

michael.lee
Level 1

CSA built-in rule 700 denies attempts to access CSA processes. We're seeing MS Virtual PC (virtual pc.exe), Cisco VPN client (cvpnd.exe) and other non-AV related processes trying to access CSA resources. The details of the event don't provide much information as to why. Any thoughts?


tsteger1
Level 8

Hello Michael,

Which rule is your rule 700? Is it an Agent Service Control?

Rule 700 is probably different for every CSA install after the first hotfix application (I don't even have a rule 700).

It may be you just need to exclude some application classes from logging in the agent protection rule.

Tom

Hi Tom - Yes, it is an Agent Service Control rule with description of "All applications (except virus scanners and installers), modify agent configuration".

I realize I could go ahead and exclude these apps from the rule, but am also trying to figure out why Virtual PC and Cisco's own VPN client would try to access/modify CSA processes.

Thanks.

Hi Michael,

I see several applications that try to read all files, hit the files in the CSA folder and trigger the rules.

Adobe Updater (acroaum.exe), cleanmgr.exe and findfast.exe (yes, findfast) are a few that come to mind.

I can't tell you why most of them do it.

Tom

Thanks Tom. Did you have to create any exceptions for these for the apps to work properly? We're still in test mode so trying to see what impact each of the events will have.

I either allowed it, had them uninstall it if it was unnecessary software (like findfast) or created an event suppression filter.

I didn't see any impact on apps if they didn't have access.

Try protect mode on a few hosts and see what happens.

Tom