CSA Virus:Behavior.Excessive Policy Violations

Answered Question
Sep 2nd, 2009

Hi,


I have noticed a number of these surfacing in the quarantined applications.

Is there a way to tune this to prevent it from recurring across all of the desktops?

As far as I can tell these events are not being received by the CSA server, i.e. logging must be disabled for this event.

Correct Answer
jan.nielsen Fri, 09/04/2009 - 01:44

You need to find more information about why they are getting there; from the logs you should be getting some idea.

You can create a new group with no rules and just enable the log override for Log Set Actions, then apply this group to just one host where you are having the problem. This will give you all the logs for things like adding an application to an application class, such as untrusted or active network applications, and so on. That would probably give you an idea of what is going on.

A few things to consider:

- Are they being marked as untrusted before all these multiple policy violations happen?

- Are they being installed by an install manager that hasn't been defined correctly in CSA?

- Is there an inventory tool scanning your PCs that hasn't been defined?


jan.nielsen Fri, 09/04/2009 - 01:47

BTW, untrusted applications can be found by running a host diagnostics from the hosts page in CSA MC, or by looking in the local machine's registry under HKLM\SYSTEM\CurrentControlSet\Services\csacenter\Persistent\@DownloadedDB

ivickery Tue, 09/15/2009 - 19:22

Many thanks for your help, this workaround allowed me to work out what was going on here.
