Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

CSA 4.5.1.639 triggering an Alert with IE

Does anyone know why IE keeps trying to perform this action? While searching i get prompts but cant determine what it is doing or if it should be allowed. Any ideas?

The process 'C:\Program Files\Internet Explorer\IEXPLORE.EXE' (as user **/**) attempted to access the registry key '\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Office Word\shell\edit\command', value ''. The attempted access was a write (operation = DELETE/KEY). The user was queried and a 'No' response was received.

12 REPLIES
New Member

Re: CSA 4.5.1.639 triggering an Alert with IE

we also had this occur. We had to layer our System Hardening Module for a different issue and since then, the event has not occured. I think our attempt to alleviate this problem was going to be limiting the registry values the Web browser could write to non-system files.

As for the specific one that's coming up, that can be blocked without affecting user performance.

New Member

Re: CSA 4.5.1.639 triggering an Alert with IE

Thanks, glad to hear that someone else had this arise. I just wanted to know what it was doing before I create a rule for it. I did deny 3 other rules and it appears no to have any negitive impact.

New Member

Re: CSA 4.5.1.639 triggering an Alert with IE

well, the registry key the event refers to basically adds to the "Open With" list for that extension.

That can be done manually, plus even when I allowed it to be written, nothing chnged in the registry.

New Member

Re: CSA 4.5.1.639 triggering an Alert with IE

So, when you created exceptions for and IE did you create denies?

If so, when you create a deny rule can it be stopped from logging on the local machine so that it does not cause the flag to wave and the end users to see??

Thx

Blue

Re: CSA 4.5.1.639 triggering an Alert with IE

Deny rules can be set to deny (not strong deny), not log and to take precedence over other deny rules.

That should keep the users from seeing anything.

Tom S

New Member

Re: CSA 4.5.1.639 triggering an Alert with IE

I have set up the deny rule as a "high priority" deny with take precedence over other deny rules checked. This has not stopped the agent from logging this activity. The CSAMC does not log the activity but I cant stop it on the local agent.

Blue

Re: CSA 4.5.1.639 triggering an Alert with IE

Change it from 'high priority deny' to 'deny' and it should stop logging at the local agent.

Tom S

New Member

Re: CSA 4.5.1.639 triggering an Alert with IE

The only way to deny these processes is to use HIGH PRIORITY DENY but still unable to stop the logging on the local workstation.

Adam

Blue

Re: CSA 4.5.1.639 triggering an Alert with IE

Why won't 'deny' work? Is there another rule that is conflicting?

New Member

Re: CSA 4.5.1.639 triggering an Alert with IE

That is a very good question and I even have the the this rule take precedence over other denies checked.

Blue

Re: CSA 4.5.1.639 triggering an Alert with IE

Try changing it to 'deny' not 'priority deny' and see if it still logs at the station.

I believe that precedence only works for the same level of action.

If you have a 'priority deny', it only takes precedence over other 'priority deny' rules. It has no effect on deny rules.

Tom S

New Member

Re: CSA 4.5.1.639 triggering an Alert with IE

Yea, it has to do with IE referencing the registry for the HTML editor option.

You may have Word set as your html editor in IE. Open IE, go to Tools, Internet Options, Programs tab, change HTML Editor to "Notepad". After you Apply, you'll notice that the Standard Buttons bar will include a notepad icon instead of a Word icon.

172
Views
5
Helpful
12
Replies
CreatePlease to create content