do CSA block certains applications when learning mode enabled

Unanswered Question
Jun 16th, 2009
User Badges:

do CSA block certains applications when learning mode enabled?

Our client claim that there are some services that are blocked, like network-printing, network share for windows clients.

The CSA-MC log don't show these blocked services.

Best regards

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
tstanik Mon, 06/22/2009 - 08:37
User Badges:
  • Bronze, 100 points or more

While in learning mode, the agent is noting which applications run on the system and what those applications are allowed to do. Running the agent in learning mode for a certain amount of time allows it to learn the system's normal operating behavior and then provide security accordingly once learning mode is disabled. While in learning mode, the agent notes what applications are used to access the network and assigns those permissions automatically.

When the agent is taken out of learning mode, it will allow only those applications it previously noted to run in the manner in which they were used during the learning period. If the agent notices a new action that it has not learned taking place on the system, the agent queries the user, asking if it is okay for the application in question to access the resource in question. Once users reply to the query, the agent remembers the response and the next time the application is used, the same action is allowed or denied based on the initial response and users are not queried again.

tsteger1 Wed, 06/24/2009 - 10:30
User Badges:
  • Red, 2250 points or more

The answer is yes, in Learn Mode it will block certain applications if the rules are set to deny.

It will answer yes to any query rules that have allow as a choice for an answer.



This Discussion