New Member

CSA block

Hello!

Please help me resolve my problem. I am testing CSA, and when I try to translate a word with Lingvo 12 by pressing "Ctrl+C+C" or "homing cursor mouse", nothing occurs :-( I know this is blocked by the policies -

"Firewall - Centrally Managed (desktops)" something from this

Base - CSA client UI control                                    Module to enable Cisco Security Agent client UI
Base - Network Application Classification Module                Module to classify Network Applications
Security - Distributed Firewall - All Networks                  Prevent incoming server connections to Untrusted applications on all systems
Security - Distributed Firewall - Mobile Networks               Prevent incoming server connections to All applications on all external systems
Security - IP Stack Hardening - Corporate Networks              Module for hardening IP Stack on all internal systems
Security - IP Stack Hardening - Mobile Networks                 Module for hardening IP Stack on all external systems
Security - Network Worms                                        Prevents Network Worms from exploiting network-facing services
Security - Network Worms (Medium or High Security)              Prevents Network Worms from exploiting network-facing services when security level is Medium or..
Security - Remote Application Restrictions                      Prevent remote applications from making system modifications
Security - Signature-based protection - LPC-borne exploits      Defend against LPC-borne exploits and DoS attacks
Security - Signature-based protection - MSRPC-borne exploits    Defend against MSRPC-borne exploits and DoS attacks
Security - Stack recovery for critical services                 Recover stack for critical Windows service processes after fatal exceptions

But I don't know what :-(

Regards

  • Other Security Subjects
15 REPLIES

Re: CSA block

What does your log say on the csamc? Any deny rules triggered related to Lingvo?

Also, you should take a look in your local agent GUI and look in the untrusted applications. If Lingvo is in there, this could be the cause, normally because it was downloaded/installed via a web browser.

New Member

Re: CSA block

Thanks, Ian!

I found this log:

The process 'C:\Program Files\ABBYY Lingvo 12\LvAgent.exe' (as user ToX1c1986) attempted to insert code ('C:\Program Files\ABBYY Lingvo 12\LvHook.dll') into another process. All processes were targeted. The operation was denied.

I found the rule "1300 Untrusted Apps (not White List), Inject code into every application". In the White List I added "$Directories - Program Files [V6.0.1 r98]".

But! In my company CSA is now in Audit Mode; only my computer is not, as I am testing. When I try to generate rules I see

"Modify application class Administrator defined - White List Applications [W, V6.0.1 r98] (read-only override)"

Read-only override: does it mean that all computers which are in Audit Mode will not be in Audit Mode anymore after I generate this rule?


Re: CSA block

No, it is an indication of you changing a read-only policy. You should not add the whole Program Files directory to the white list; that would be bad. Also, only add the offending application in the csamc white list feature, not in the application class "Administrator defined - White List Applications [W, V6.0.1 r98]". You should not modify built-in policies unless absolutely unavoidable.

Jan

New Member

Re: CSA block

Jan, Thanks a lot!

I know that is bad :-( But I don't know where the csamc white list is.

Also, how can I cancel a rule generation?

Jan, maybe this:

Configuration - Global Settings - Application Trust Levels, and add my Lingvo here?

Re: CSA block

Yes, that is where you should add your own white-listed applications. You can't cancel a generate, but if you remove the Program Files class where you added it, the new rules will be the same, and no change will be made to the agents. Of course, if you add the Lingvo app to the white list, it will generate a new policy, but it won't affect hosts that are in audit mode.

New Member

Re: CSA block

Jan, in this field I see "created by administrator ADMIN via the wizard". Where is this wizard? Or can I just push New and paste

"**\Program Files\ABBYY Lingvo 12\LvAgent.exe" ?

Re: CSA block

Could you post a screenshot?

New Member

Re: CSA block

I pushed New. After generating rules, in the field "Source" you can see the difference between my Lingvo rule and the others.

Re: CSA block

You can create new entries in the white list manually like you did, or use the wizard button when you find an event in the csamc that you want to create an exception for. The wizard will give you the choice of white listing the application that triggered the event.
