Please help me resolve my problem. I am testing CSA, and when I try to translate a word with Lingvo 12 by pressing "Ctrl+C+C" or "homing cursor mouse", nothing occurs :-( I know the policies block this -
"Firewall - Centrally Managed (desktops)", something from this:
Base - CSA client UI control Module to enable Cisco Security Agent client UI
Base - Network Application Classification Module Module to classify Network Applications
Security - Distributed Firewall - All Networks Prevent incoming server connections to Untrusted applications on all systems
Security - Distributed Firewall - Mobile Networks Prevent incoming server connections to All applications on all external systems
Security - IP Stack Hardening - Corporate Networks Module for hardening IP Stack on all internal systems
Security - IP Stack Hardening - Mobile Networks Module for hardening IP Stack on all external systems
Security - Network Worms Prevents Network Worms from exploiting network-facing services
Security - Network Worms (Medium or High Security) Prevents Network Worms from exploiting network-facing services when security level is Medium or..
Security - Remote Application Restrictions Prevent remote applications from making system modifications
Security - Signature-based protection - LPC-borne exploits Defend against LPC-borne exploits and DoS attacks
Security - Signature-based protection - MSRPC-borne exploits Defend against MSRPC-borne exploits and DoS attacks
Security - Stack recovery for critical services Recover stack for critical Windows service processes after fatal exceptions
But I don't know what :(
What does your log say on the csamc? Any deny rules triggered related to Lingvo?
Also, you should take a look in your local agent GUI: look in the untrusted applications. If Lingvo is in there, this could be the cause, normally because it was downloaded/installed via a web browser.
I found this log:
The process 'C:\Program Files\ABBYY Lingvo 12\LvAgent.exe' (as user ToX1c1986) attempted to insert code ('C:\Program Files\ABBYY Lingvo 12\LvHook.dll') into another process. All processes were targeted. The operation was denied.
I found rule "1300 Untrusted Apps (not White List), Inject code into every application". In the White List I added "$Directories - Program Files [V6.0.1 r98]".
But! In my company CSA is now in Audit Mode, only my computer is not. I am testing, and when I try to generate rules I see
"Modify application class Administrator defined - White List Applications [W, V6.0.1 r98] (read-only override)"
read-only override - does it mean that all computers which are in Audit Mode will not be in Audit Mode anymore after I generate this rule?
No, it is an indication of you changing a read-only policy. You should not add the whole Program Files directory to the white list; that would be bad. Also, only add the offending application in the csamc white list feature, not in the application class "Administrator defined - White List Applications [W, V6.0.1 r98]". You should not modify built-in policies unless absolutely unavoidable.
Jan, thanks a lot!
I know that is bad :-( But I don't know where the csamc white list is.
Also, how can I cancel the rule generation?
Jan, maybe this
Configuration - Global Settings - Application Trust Levels and add my Lingvo here?
Yes, that is where you should add your own white listed applications. You can't cancel a generate, but if you remove the Program Files class where you added it, the new rules will be the same, and no change will be done to the agents. Of course, if you add the Lingvo app to the white list, it will generate a new policy, but it won't affect hosts that are in audit mode.
Jan, in this field I see "created by administrator ADMIN via the wizard". Where is this wizard? Or can I just push New and paste
"**\Program Files\ABBYY Lingvo 12\LvAgent.exe" ?
You can create new entries in the white list manually like you did, or use the wizard button when you find an event in the csamc that you want to create an exception for. The wizard will give you the choice of white listing the application that triggered the event.