CSA: How does one learn normal application behaviour?

pbobby
Level 1

I currently have CSA deployed in a pilot phase prior to a real rollout, and am having a hard time with understanding the operations of applications.

One particular user has webshots installed, and CSA claims it is capturing keystrokes. Now I know webshots was at one time famous for spyware, but never knew it captured keystrokes. Right now it appears that I get these 'keystroke capturing' msgs when the screensaver itself actually kicks in.

Another strange one is Microsoft Outlook. Periodically, several of my installations report that Outlook is trying to access various files in the %windir%\system32 directory. Namely: net.exe, net1.exe, rcp.exe, regedt32.exe and so forth.

My problem here is that I don't know enough about these programs to know if what I am seeing is normal behaviour or not.

CSA seems great so far, but I'm having a hard time figuring out the right from wrong.

3 Replies

travis-dennis_2
Level 7

Sounds like you might have some scripts running as well as some COM add-ins, but it is hard to tell. I would watch that regedt32.exe though. If there is not a system admin where you work who can tell you what is going on, the only other alternative is active monitoring. What were the users trying to do when the notifications took place? What was unusual about the activity? Generally Outlook would not make these types of calls on a regular basis, but then I can't say what has been done and what is normal on another person's network.

Please remember to rate all posts

pmays
Cisco Employee

Screensavers watch the keyboard to sense when there is activity. Similarly, antivirus systems can do the same to know when to run a scan during inactivity.

From some recent messages, the Outlook alerts look like they occur when Outlook (actually the file open dialog control) opens the file to retrieve the icon for display in the file list. Something to consider.

Since upgrading to Outlook 2003 I haven't seen the alert, not sure if it is coincidence or not at this time.

pmays
Cisco Employee

I am wrong. I can reproduce the Outlook alert by simply trying to attach a file from the system32 directory. I just wasn't paying attention enough to notice the waving CSA flag ;-) but when I was looking through my CSA events, sure enough... And since it is a .exe file, CSA just stops it without a user popup. Later...