CSA Shavlik Question

unmjohn68
Level 1

We are using Shavlik HFNetChkPro for patch scanning and deployment. Our scans are generating Registry access control (rule 816) alerts. The alerts are triggering as follows:

The process '<remote application>'(as user DOMAIN\User) attempted to access the registry key '\WHATEVER\PATH\TO\REGISTRY\KEY' The attempted access was an open (operation = OPEN/KEY).

Since CSA does not recognize Shavlik HFNetChkPro as a known application, it does not provide the option to run the Rules Wizard. What is the best method to create an exception for this event?

5 Replies

marks
Level 1

I have the same issue, although w/ a different tool. I'll be curious to see what the resolution is.

tsteger1
Level 8

Create a rule that allows remote registry access from the Domain\Admin or IP address of the machine. I'm guessing you don't run this from a lot of different machines or from user accounts.

Tom S

Tom,

I realize this is an oldie but it doesn't mean we haven't spent a couple of days working on it.

We run it from one machine and one account.

Would you please spoon feed us a little bit more detail on where we would create this rule.

Thank you in advance!

Paul

Hi Paul, you should be able to create a registry access rule to allow the process '' (as user Domain\Shavlik User) to access the registry keys in question.

How broad the registry key exception is depends on what is scanning.

HTH

Tom

Tom, Paul or anyone else -

I'm trying to accomplish this using CSA ver 6 to allow Shavlik to update the server.

I have created a rule module with 2 rules.

The first rule is a registry access control and the second rule is a network access rule.

I'm having a hard time trying to understand what rules and what restrictions I can invoke. For instance Rule #1 is a Registry Control rule. For the application there is no choice in the application list (this is what the event log message is returning when Shavlik attempts to connect to the server).

Rule #2 allows me to restrict the IP address of the remote connection, but where can I restrict it to a certain user like Domain\User?

If screen shots of the rules would help I can surely upload them.

Thanks
