
CSA Shavlik Question

Unanswered Question
Oct 13th, 2005

We are using Shavlik HFNetChkPro for patch scanning and deployment. Our scans are generating Registry access control (rule 816) alerts. The alerts are triggering as follows:


The process '<remote application>'(as user DOMAIN\User) attempted to access the registry key '\WHATEVER\PATH\TO\REGISTRY\KEY' The attempted access was an open (operation = OPEN/KEY).


Since CSA does not recognize Shavlik HFNetChkPro as a known application, it does not provide the option to run the Rules Wizard. What is the best method to create an exception for this event?

Overall Rating: 3.5 (2 ratings)
tsteger1 Mon, 10/17/2005 - 08:45

Create a rule that allows remote registry access from the Domain\Admin or IP address of the machine. I'm guessing you don't run this from a lot of different machines or from user accounts.


Tom S

pmccubbin Tue, 10/23/2007 - 08:24

Tom,


I realize this is an oldie but it doesn't mean we haven't spent a couple of days working on it.


We run it from one machine and one account.


Would you please spoon feed us a little bit more detail on where we would create this rule.


Thank you in advance!


Paul

tsteger1 Tue, 10/23/2007 - 11:26

Hi Paul, you should be able to create a registry access rule to allow the process '<remote application>' (as user Domain\Shavlik User) to access the registry keys in question.


How broad the registry key exception is depends on what is scanning.


HTH


Tom

larrybowers Wed, 10/08/2008 - 06:51

Tom, Paul or anyone else -


I'm trying to accomplish this using CSA ver 6 to allow Shavlik to update the server.


I have created a rule module with 2 rules.


The first rule is a registry access control and the second rule is a network access rule.


I'm having a hard time trying to understand what rules and what restrictions I can invoke. For instance, Rule #1 is a Registry Control rule. For the application there is no choice in the application list (this is what the event log message is returning when Shavlik attempts to connect to the server).


Rule #2 allows me to restrict the IP address of the remote connection, but where can I restrict it to a certain user like Domain\User?



If screen shots of the rules would help I can surely upload them.


Thanks

