Cisco Support Community
New Member

CSA - Access system functions?

Can anyone else post any examples of times they needed to make an exception for allowing a certain application to access system functions? I keep getting several trips of the rule for accessing system functions, and I'm sure there is no attack or spyware on the machine. The only event I can manually replicate is when Windows Media Player tries to access license files online ("CreateThread").

Just curious to see if anyone else has had to build an exception or allow rule for accessing system functions.

3 REPLIES
New Member

Re: CSA - Access system functions?

You have to keep in mind that the sample rules installed by default are nothing but just that, samples. They're not meant to just be applied in bulk, forcing you to make exceptions for all normal activity.

All of my rules are created from scratch, and I try to keep my policy lean. So I can't relate to the issue you're having. Can you reply back with what rules are triggering on system calls, and what their defaults are? We need to understand the objective of using that specific rule. Maybe there is an alternative rule you could use that accomplishes the same objective.

New Member

Re: CSA - Access system functions?

It might help to explain the context of why I'm trying to do this too, so here goes all...

I've seen several event logs where Rule 886 was tripped. Rule 886 is a System API rule in the General Application Permissions - all security levels rule module. The details of the rule are that it queries the user whenever a Network Application, MS explorer, rundll32.exe, or any media application, tries to "access system functions from code executing in data or stack space", which is listed under Atypical system behavior.

Most of these events occur late at night, and appear to be something dealing with updates or spyware scans. I haven't yet been able to isolate or replicate those. The only time I've been able to manually trip this rule is when Windows Media Player attempts to download license files for a CD/song; it then accesses the "CreateThread" system function.

Now, the reason I'm worried about this is that end users are going to throw up their hands at the query, which says "Application xxxxx.exe is attempting to access System Function zzzzz. Would you like to allow this?". They're going to either have no idea what to do and call the Helpdesk or they're going to take a guess at what to do and could cause something bad.

New Member

Re: CSA - Access system functions?

We also encountered such events on our side, for third-party applications, Excel, IE, ...

Seems that this rule generates lots of false positives.

Do you have an idea of what triggers all those false positives? "Call a function from a buffer" is not really precise. I mean, does CSA check only the return address on the call stack?
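The "access system functions from code executing in data or stack space" heuristic the posts describe, modelled as an added example (not CSA's code and not from anyone in this thread): a constructed process memory map and a few constructed call events are classified by whether the caller's return address lies in image-backed executable memory, and the `deep` flag shows the difference the last post asks about, between checking only the immediate return address and walking every frame. All regions, addresses, process names and the `Region`/`classify_call` names are made up for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Region:
    start: int      # inclusive
    end: int        # exclusive
    perms: str      # "r-x", "rw-", "rwx"
    backing: str    # "image" (loaded EXE/DLL), "heap", "stack", "anon"

# Constructed memory map of a hypothetical process; addresses are made up.
SAMPLE_MAP = [
    Region(0x00400000, 0x00450000, "r-x", "image"),  # main executable code
    Region(0x00450000, 0x00470000, "rw-", "image"),  # main executable data
    Region(0x77D00000, 0x77E00000, "r-x", "image"),  # a system DLL
    Region(0x00900000, 0x00A00000, "rw-", "heap"),
    Region(0x01200000, 0x01210000, "rwx", "anon"),   # JIT or DRM code buffer
    Region(0x7FF00000, 0x7FFF0000, "rw-", "stack"),
]

def find_region(memory_map, addr):
    """Return the Region containing addr, or None if it is unmapped."""
    return next((r for r in memory_map if r.start <= addr < r.end), None)

def is_image_code(memory_map, addr):
    """True when addr lies in executable memory backed by a loaded image."""
    r = find_region(memory_map, addr)
    return r is not None and r.backing == "image" and "x" in r.perms

def classify_call(memory_map, return_addrs, deep=False):
    """Allow or query a system-function call given its return addresses
    (innermost first). deep=False checks only the immediate caller;
    deep=True checks every frame, so a data-space caller that went through
    an image-backed helper is also caught (at the cost of more prompts)."""
    frames = return_addrs if deep else return_addrs[:1]
    if all(is_image_code(memory_map, a) for a in frames):
        return "allow"
    return "query"  # code executing in data/stack space: prompt the user

# Constructed events: (process, system function, call stack innermost first)
SAMPLE_EVENTS = [
    ("svchost.exe",  "CreateThread", [0x00401230, 0x00405678]),
    ("wmplayer.exe", "CreateThread", [0x01200440, 0x00402200]),  # DRM buffer
    ("unknown.exe",  "CreateThread", [0x00901000]),              # heap
    ("excel.exe",    "CreateThread", [0x77D01000, 0x01200800]),  # via DLL
]

def triage(memory_map, events, deep=False):
    """Return {(process, function, hex(caller)): verdict} for each event."""
    return {(p, f, hex(s[0])): classify_call(memory_map, s, deep)
            for p, f, s in events}
```

Legitimate code that runs from dynamically allocated memory (JIT engines, packed or DRM-protected modules) trips the same check as injected code, which is the source of the false positives discussed above; an allow rule scoped to that specific application is the usual trade-off.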
