CSA rule for Application First Time Run

RichardSW · ‎09-13-2006

Awhile back I created an Application Control rule as follows:

- Take the following action: Monitor

- when Current applications in any of the following selected classe: <First Time Application Execute>

- But not in any of the following selected classes: <none>

- attempt to run New applications in any of the following selected classes: <All Applications>

- But not in any of the following selected classes: <First Time Application Execute>

This rule isn't working as planned. I get a lot of repeat events. The help text for <First Time Application Execute> is "This application class includes the first invocation of any application which has never been observed to execute on this system." I'm wondering if that is reset after a period of time or a reboot.

I'm wondering if I have the classes backwards in my rule...

Also, in what scenarios is the "Add New Process to Application Class" and "Add Current Process to Application Class" actions best used?

ssoberlik · ‎09-19-2006

For more information on this kindly follow the url's " http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_configuration_guide_chapter09186a00805aebf2.html

http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_configuration_guide_chapter09186a008066ea2f.html