Can anyone else post any examples of times they needed to make an exception for allowing a certain application to access system functions? I keep getting several trips of the rule for accessing system functions, and I'm sure there is no attack or spyware on the machine. The only event I can manually replicate is when Windows Media Player tries to access license files online ("CreateThread").
Just curious to see if anyone else has had to build an exception or allow rule for accessing system functions.
You have to keep in mind that the sample rules installed by default are nothing but just that, samples. They're not meant to just be applied in bulk, forcing you to make exceptions for all normal activity.
All of my rules are created from scratch, and I try to keep my policy lean. So I can't relate to the issue you're having. Can you reply back with what rules are triggering on system calls, and what their defaults are? We need to understand the objective of using that specific rule. Maybe there is an alternative rule you could use that accomplishes the same objective.
It might help to explain the context of why I'm trying to do this too, so here goes...
I've seen several event logs where Rule 886 was tripped. Rule 886 is a System API rule in the General Application Permissions - all security levels rule module. The details of the rule are that it queries the user whenever a Network Application, MS explorer, rundll32.exe, or any media application tries to "access system functions from code executing in data or stack space", which is listed under Atypical system behavior.
Most of these events occur late at night, and appear to be something dealing with updates or spyware scans. I haven't yet been able to isolate or replicate those. The only time I've been able to manually trip this rule is when Windows Media Player attempts to download license files for a CD/song; it then accesses the "CreateThread" system function.
Now, the reason I'm worried about this is that end users are going to throw up their hands at the query, which says "Application xxxxx.exe is attempting to access System Function zzzzz. Would you like to allow this?". They're going to either have no idea what to do and call the Helpdesk or they're going to take a guess at what to do and could cause something bad.
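One way to answer the "which rules are triggering, for which applications, and on what" question before writing any exception, as an added example that is not code from this thread or from the product: a small Python triage script over constructed Rule 886 event lines. Only the "Application ... is attempting to access System Function ..." wording comes from the thread; the timestamp, rule-id and host layout of the lines is assumed. It groups events by application and system function, counts how many fell in an off-hours window, and marks only pairs that have been reproduced by hand as exception candidates.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events, modelled on the query text quoted in the thread.
# The "timestamp rule=NNN host=XXX" prefix is an assumed layout, not the agent's real log format.
SAMPLE_EVENTS = """\
2004-03-02 02:14:07 rule=886 host=WS017 Application wmplayer.exe is attempting to access System Function CreateThread
2004-03-02 02:14:09 rule=886 host=WS017 Application wmplayer.exe is attempting to access System Function CreateThread
2004-03-02 23:41:55 rule=886 host=WS021 Application rundll32.exe is attempting to access System Function LoadLibraryA
2004-03-03 00:03:12 rule=886 host=WS021 Application rundll32.exe is attempting to access System Function LoadLibraryA
2004-03-03 14:22:40 rule=886 host=WS004 Application explorer.exe is attempting to access System Function CreateThread
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) rule=(?P<rule>\d+) host=(?P<host>\S+) "
    r"Application (?P<app>\S+) is attempting to access System Function (?P<func>\S+)$"
)

def parse_events(text):
    """Parse event lines into dicts; lines that do not match the assumed layout are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(d)
    return events

# (application, function) pairs an administrator has reproduced by hand and judged benign;
# the thread reproduces wmplayer.exe -> CreateThread during a license download.
VERIFIED_BENIGN = {("wmplayer.exe", "CreateThread")}

def triage(events, off_hours=(22, 6)):
    """Group Rule 886 events by (app, function) and summarise count, hosts, off-hours hits and a verdict."""
    groups = defaultdict(list)
    for e in events:
        if e["rule"] == "886":
            groups[(e["app"], e["func"])].append(e)
    start, end = off_hours  # window wraps past midnight: hour >= start or hour < end
    report = {}
    for key, evs in groups.items():
        night = sum(1 for e in evs if e["ts"].hour >= start or e["ts"].hour < end)
        verdict = "exception candidate" if key in VERIFIED_BENIGN else "investigate"
        report[key] = {"count": len(evs), "hosts": sorted({e["host"] for e in evs}),
                       "off_hours": night, "verdict": verdict}
    return report

if __name__ == "__main__":
    for (app, func), row in sorted(triage(parse_events(SAMPLE_EVENTS)).items()):
        print(f"{app:14} {func:14} n={row['count']} hosts={row['hosts']} "
              f"off_hours={row['off_hours']} -> {row['verdict']}")
```

Anything reported as "investigate" is a pair nobody has reproduced yet, which is the set to chase down before deciding between a narrower allow rule and a change of the rule's default action.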