CSA block

Apr 15th, 2010

Hello!

Please help me resolve my problem. I'm testing CSA, and when I try to translate a word with Lingvo 12 by pressing "Ctrl+C+C" or "homing cursor mouse", nothing occurs :-( I know this is blocked by the Policies -

"Firewall - Centrally Managed (desktops)", something from this:

Base - CSA client UI control    Module to enable Cisco Security Agent client UI
Base - Network Application Classification Module    Module to classify Network Applications
Security - Distributed Firewall - All Networks    Prevent incoming server connections to Untrusted applications on all systems
Security - Distributed Firewall - Mobile Networks    Prevent incoming server connections to All applications on all external systems
Security - IP Stack Hardening - Corporate Networks    Module for hardening IP Stack on all internal systems
Security - IP Stack Hardening - Mobile Networks    Module for hardening IP Stack on all external systems
Security - Network Worms    Prevents Network Worms from exploiting network-facing services
Security - Network Worms (Medium or High Security)    Prevents Network Worms from exploiting network-facing services when security level is Medium or..
Security - Remote Application Restrictions    Prevent remote applications from making system modifications
Security - Signature-based protection - LPC-borne exploits    Defend against LPC-borne exploits and DoS attacks
Security - Signature-based protection - MSRPC-borne exploits    Defend against MSRPC-borne exploits and DoS attacks
Security - Stack recovery for critical services    Recover stack for critical Windows service processes after fatal exceptions

But I don't know what(

Regards

jan.nielsen Sun, 04/18/2010 - 14:05

What does your log say on the csamc? Any deny rules triggered related to Lingvo?

Also, you should take a look in your local agent GUI and look in the untrusted applications. If Lingvo is in there, this could be the cause, normally because it was downloaded/installed via a web browser.

ToX1c1986 Wed, 04/21/2010 - 02:29

Thanks, Jan!

I found this log:

The process 'C:\Program Files\ABBYY Lingvo 12\LvAgent.exe' (as user ToX1c1986) attempted to insert code ('C:\Program Files\ABBYY Lingvo 12\LvHook.dll') into another process. All processes were targeted. The operation was denied.

I found rule "1300 Untrusted Apps (not White List), Inject code into every application". To the White List I added "$Directories - Program Files [V6.0.1 r98]".

But! In my company CSA is now in Audit Mode; only my computer is not, because I'm testing, and when I try to generate rules I see

"Modify application class Administrator defined - White List Applications [W, V6.0.1 r98] (read-only override)"

read-only override - does it mean that all computers which are in Audit Mode will not be in Audit Mode anymore after I generate this rule?


jan.nielsen Wed, 04/21/2010 - 02:37

No, it is an indication of you changing a read-only policy. You should not add the whole Program Files directory to the white list, that would be bad. Also, only add the offending application in the csamc white list feature, not in the application class "Administrator defined - White List Applications [W, V6.0.1 r98]". You should not modify built-in policies unless absolutely unavoidable.

Jan

ToX1c1986 Wed, 04/21/2010 - 02:53

Jan, Thanks a lot!

I know that is bad :-( But I don't know where the csamc white list is.

Also, how can I cancel generating the rule?

Jan, maybe this:

Configuration - Global Settings - Application Trust Levels, and add my Lingvo here?

jan.nielsen Wed, 04/21/2010 - 03:09

Yes, that is where you should add your own white listed applications. You can't cancel a generate, but if you remove the Program Files class where you added it, the new rules will be the same, and no change will be done to the agents. Of course, if you add the Lingvo app to the white list, it will generate a new policy, but it won't affect hosts that are in audit mode.

ToX1c1986 Wed, 04/21/2010 - 03:47

Jan, in this field I see "created by administrator ADMIN via the wizard". Where is this wizard? Or can I just push New and paste

"**\Program Files\ABBYY Lingvo 12\LvAgent.exe" ?

ToX1c1986 Wed, 04/21/2010 - 04:01

I pushed New. After generating the rule, in the field "Source" you can see the difference between my Lingvo rule and the others.

jan.nielsen Wed, 04/21/2010 - 08:07

You can create new entries in the white list manually like you did, or use the wizard button when you find an event in the csamc that you want to create an exception for. The wizard will give you the choice of white listing the application that triggered the event.
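Added example, not written by the thread's participants and not Cisco tooling: it parses the denied code-injection event quoted earlier in the thread and derives a per-executable white-list pattern in the `**\...` form proposed above, rather than trusting all of Program Files. The message layout is inferred from that single event; the function names and the breadth and same-directory checks are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Event text as quoted in this thread (the pasted copy carries doubled spaces).
SAMPLE_EVENT = (
    r"The process 'C:\Program  Files\ABBYY Lingvo 12\LvAgent.exe' (as user ToX1c1986) "
    r"attempted to insert  code ('C:\Program Files\ABBYY Lingvo 12\LvHook.dll') into "
    r"another process. All  processes were targeted. The operation was denied."
)

# Layout inferred from that one event; other CSA messages may differ (assumption).
EVENT_RE = re.compile(
    r"The process '(?P<proc>[^']+)' \(as user (?P<user>[^)]+)\) attempted to "
    r"insert code \('(?P<module>[^']+)'\) into another process\."
    r".*?The operation was (?P<action>\w+)\."
)

def parse_injection_event(text):
    """Return proc, user, module and action from a code-injection event, or None."""
    # Collapse whitespace runs; a real path with consecutive spaces would be altered.
    m = EVENT_RE.search(re.sub(r"\s+", " ", text).strip())
    return m.groupdict() if m else None

def narrow_entry(process_path):
    """Build a single-executable pattern, dropping the drive so any volume matches."""
    parts = PureWindowsPath(process_path).parts
    return "**\\" + "\\".join(parts[1:])

def is_too_broad(entry):
    """True if a pattern ends in a directory or wildcard instead of one .exe (heuristic)."""
    leaf = entry.replace("/", "\\").rstrip("\\").split("\\")[-1]
    return "*" in leaf or "?" in leaf or not leaf.lower().endswith(".exe")

def module_beside_process(ev):
    """True if the injected module ships in the same directory as the process."""
    return PureWindowsPath(ev["module"]).parent == PureWindowsPath(ev["proc"]).parent

def propose_exemption(text):
    """Turn one denied event into a reviewable white-list proposal, or None."""
    ev = parse_injection_event(text)
    if ev is None or ev["action"] != "denied":
        return None
    entry = narrow_entry(ev["proc"])
    return {"user": ev["user"], "entry": entry, "too_broad": is_too_broad(entry),
            "module_local": module_beside_process(ev)}

if __name__ == "__main__":
    print(propose_exemption(SAMPLE_EVENT))
```

A proposal with `module_local` false, or an entry flagged `too_broad`, is worth a manual look before it goes into Application Trust Levels.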

ToX1c1986 Wed, 04/21/2010 - 21:45

Yes, really! I created a new rule with the wizard and tried to generate my rule, but got an error:

Error:Failed to prepare rules: Cmd_BulkInsert failed.

The list of my rules is attached.

Thank you very much for help, Jan!

P.S. Did you receive a private message from me?

jan.nielsen Thu, 04/22/2010 - 06:59

Looks strange. Did you try to generate again? It might be a fluke incident. Don't think I got a priv msg from you.

ToX1c1986 Tue, 04/27/2010 - 02:59

Hello!

Thanks for your reply!

Unfortunately, my CSA MC works on Windows Server 2003 and MDAC does not support it. I am afraid to install MDAC 2.8 on my server. Also I have SQL 2005. Do you have any ideas how to resolve this problem?
