CSA 4.5.1.639 triggering an Alert with IE

Unanswered Question
Aug 25th, 2006

Does anyone know why IE keeps trying to perform this action? While searching I get prompts but can't determine what it is doing or if it should be allowed. Any ideas?


The process 'C:\Program Files\Internet Explorer\IEXPLORE.EXE' (as user **/**) attempted to access the registry key '\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Office Word\shell\edit\command', value ''. The attempted access was a write (operation = DELETE/KEY). The user was queried and a 'No' response was received.

joseph.hamilton Fri, 08/25/2006 - 12:37

We also had this occur. We had to layer our System Hardening Module for a different issue and since then, the event has not occurred. I think our attempt to alleviate this problem was going to be limiting the registry values the Web browser could write to non-system files.


As for the specific one that's coming up, that can be blocked without affecting user performance.

kerraj2004 Mon, 08/28/2006 - 09:41

Thanks, glad to hear that someone else had this arise. I just wanted to know what it was doing before I create a rule for it. I did deny 3 other rules and it appears not to have any negative impact.



joseph.hamilton Mon, 08/28/2006 - 09:55

Well, the registry key the event refers to basically adds to the "Open With" list for that extension.


That can be done manually, plus even when I allowed it to be written, nothing changed in the registry.

kerraj2004 Wed, 08/30/2006 - 13:15

So, when you created exceptions for and IE did you create denies?


If so, when you create a deny rule can it be stopped from logging on the local machine so that it does not cause the flag to wave and the end users to see?


Thx

tsteger1 Wed, 08/30/2006 - 15:26

Deny rules can be set to deny (not strong deny), not log and to take precedence over other deny rules.


That should keep the users from seeing anything.


Tom S

kerraj2004 Fri, 09/01/2006 - 09:36

I have set up the deny rule as a "high priority" deny with "take precedence over other deny rules" checked. This has not stopped the agent from logging this activity. The CSAMC does not log the activity but I can't stop it on the local agent.

tsteger1 Sat, 09/02/2006 - 16:41

Change it from 'high priority deny' to 'deny' and it should stop logging at the local agent.


Tom S

kerraj2004 Tue, 09/05/2006 - 11:01

The only way to deny these processes is to use HIGH PRIORITY DENY but still unable to stop the logging on the local workstation.


Adam

tsteger1 Thu, 09/07/2006 - 15:30

Why won't 'deny' work? Is there another rule that is conflicting?

kerraj2004 Fri, 09/08/2006 - 04:38

That is a very good question and I even have the "this rule take precedence over other denies" checked.

tsteger1 Fri, 09/08/2006 - 13:28

Try changing it to 'deny' not 'priority deny' and see if it still logs at the station.


I believe that precedence only works for the same level of action.


If you have a 'priority deny', it only takes precedence over other 'priority deny' rules. It has no effect on deny rules.


Tom S

RichardSW Sun, 09/10/2006 - 10:53

Yea, it has to do with IE referencing the registry for the HTML editor option.


You may have Word set as your HTML editor in IE. Open IE, go to Tools, Internet Options, Programs tab, change HTML Editor to "Notepad". After you Apply, you'll notice that the Standard Buttons bar will include a Notepad icon instead of a Word icon.

