CSA 5.2 245 and EFS

Unanswered Question
Apr 16th, 2008

When attempting to encrypt folders in Windows that contain .exe files and scripts, the following CSA rule fires and blocks access:

Configuration > Rule Modules > Windows Rule Modules > Windows LSASS Security Module [V5.2 r245] > Rules File access control [137]

We don't want to fully disable this rule. Is there a workaround that will allow EFS to work without fully disabling the rule?

I haven't been able to decipher the difference between EFS encrypting a file and any other type of lsass.exe file write.

Any suggestions?



bwilmoth Tue, 04/22/2008 - 09:21

Here's the process to create the rule for administrators:

1. Configuration > Rule Modules > Windows Rule Modules > [New]

2. Enter {Name}

3. Under "State Conditions"

select "Apply this rule module only if the following state conditions are met"

check "User State Conditions"

select "Administrators"

4. Click on [Save]

5. Click on [Modify rules]

6. Click on [Add rule] and then [Agent Service Control]

7. Enter {Description}

8. Under "Query Settings" Select "Agent Service Control - Disable agent security"

9. Under "when" check "attempt to disable the agent security"

10. Click on [Save]

