
CSA block

ToX1c1986
Level 1

Hello!

Please help me resolve my problem. I am testing CSA, and when I try to translate a word with Lingvo 12 by pressing "Ctrl+C+C" or "homing cursor mouse", nothing occurs :-( I know that policies block this -

"Firewall - Centrally Managed (desktops)", something from this:

Base - CSA client UI control                                  Module to enable Cisco Security Agent client UI
Base - Network Application Classification Module              Module to classify Network Applications
Security - Distributed Firewall - All Networks                Prevent incoming server connections to Untrusted applications on all systems
Security - Distributed Firewall - Mobile Networks             Prevent incoming server connections to All applications on all external systems
Security - IP Stack Hardening - Corporate Networks            Module for hardening IP Stack on all internal systems
Security - IP Stack Hardening - Mobile Networks               Module for hardening IP Stack on all external systems
Security - Network Worms                                      Prevents Network Worms from exploiting network-facing services
Security - Network Worms (Medium or High Security)            Prevents Network Worms from exploiting network-facing services when security level is Medium or..
Security - Remote Application Restrictions                    Prevent remote applications from making system modifications
Security - Signature-based protection - LPC-borne exploits    Defend against LPC-borne exploits and DoS attacks
Security - Signature-based protection - MSRPC-borne exploits  Defend against MSRPC-borne exploits and DoS attacks
Security - Stack recovery for critical services               Recover stack for critical Windows service processes after fatal exceptions

But I don't know what :(

Regards


jan.nielsen
Level 7

What does your log say on the csamc? Any deny rules triggered related to Lingvo?

Also, you should take a look in your local agent GUI. Look in the untrusted applications; if Lingvo is in there, this could be the cause, normally because it was downloaded/installed via a web browser.

Thanks, Jan!

I found this log:

The process 'C:\Program Files\ABBYY Lingvo 12\LvAgent.exe' (as user ToX1c1986) attempted to insert code ('C:\Program Files\ABBYY Lingvo 12\LvHook.dll') into another process. All processes were targeted. The operation was denied.

I found the rule "1300 Untrusted Apps (not White List), Inject code into every application". In the White List I added "$Directories - Program Files [V6.0.1 r98]".

But! In my company CSA is now in Audit Mode, only my computer is not. I am testing, and when I try to generate rules I see

"Modify application class Administrator defined - White List Applications [W, V6.0.1 r98] (read-only override)"

read-only override - does it mean that all computers which are in Audit Mode will not be in Audit Mode anymore after I generate this rule?


No, it is an indication of you changing a read-only policy. You should not add the whole Program Files directory to the white list, that would be bad. Also, only add the offending application in the csamc white list feature, not in the application class "Administrator defined - White List Applications [W, V6.0.1 r98]". You should not modify built-in policies unless absolutely unavoidable.

Jan

Jan, Thanks a lot!

I know that is bad :-( But I don't know where the csamc white list is.

Also, how can I cancel the rule generation?

Jan, maybe this

Configuration - Global Settings - Application Trust Levels and add my Lingvo here?

Yes, that is where you should add your own white-listed applications. You can't cancel a generate, but if you remove the Program Files class where you added it, the new rules will be the same, and no change will be done to the agents. Of course, if you add the Lingvo app to the white list, it will generate a new policy, but it won't affect hosts that are in audit mode.

Jan, in this field I see "created by administrator ADMIN via the wizard". Where is this wizard? Or can I just push New and paste

"**\Program Files\ABBYY Lingvo 12\LvAgent.exe" ?

Could you post a screenshot?

I pushed New after generating the rule; in the "Source" field you can see the difference between my Lingvo rule and the others.

You can create new entries in the white list manually like you did, or use the wizard button when you find an event in the csamc that you want to create an exception for. The wizard will give you the choice of white-listing the application that triggered the event.

Yes, really! I created a new rule with the wizard and tried to generate my rule, but got an error:

Error:Failed to prepare rules: Cmd_BulkInsert failed.

The list of my rules is in the attachment.

Thank you very much for help, Jan!

P.S. Did you receive a private message from me?

Looks strange. Did you try to generate again? It might be a fluke incident. Don't think I got a private message from you.

Take a look at this post regarding the bulk insert error:

https://supportforums.cisco.com/message/930962#930962

Tom

Hello!

Thanks for your reply!

Unfortunately, my CSA MC works on Windows Server 2003 and MDAC does not support it. I am afraid to install MDAC 2.8 on my server. Also I have SQL 2005. Do you have any ideas how to resolve this problem?

My CSA 5.2 server is also Windows Server 2003 and has MDAC 2.8 SP2 and SQL 2005 installed.

I suggest you run the version checker available here:

http://www.microsoft.com/downloads/details.aspx?FamilyId=8F0A8DF6-4A21-4B43-BF53-14332EF092C9

The problems may be related if you cannot generate the rules without error.
