
New Member

CSA: Log stop possible when action is Terminate Process

CSA triggers with one of the pre-configured rules, when WgaTray.exe tries to scan a host. WGA is Microsoft's Windows Genuine Advantage, which we got with Windows Update some time ago. I could create an exception for that, but what if I'd like the CSA to block it permanently? How can I get rid of the event messages?

I have cloned the rule and changed it, so that it targets WgaTray.exe only. The problem is, even though I unticked the log option, a Terminate Process will create a dump and this results in another entry in the event log.

I then tried to change the action into a simple Deny, but then the original rule triggers first. Any idea what I could do?

  • Other Security Subjects
1 ACCEPTED SOLUTION

Accepted Solutions
Blue

Re: CSA: Log stop possible when action is Terminate Process

Hi Oliver,

You are correct that some process terminations will result in dumps and log entries (especially something like WGAtray.exe).

You could exclude wgatray.exe from the terminate process rule and then the deny and not log rule should work as you expect.

What specific rule (type, name and rule module) is generating this alert?

I don't see any alerts on my MC regarding WGAtray but I may not have the same policies applied.

Tom
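As an added illustration (not CSA's rule engine and not code from either poster), a small Python model of the precedence behaviour the thread describes: Terminate Process rules are evaluated before Deny rules, and a terminate always writes a dump that produces a log entry whatever the rule's log setting. It runs the three configurations tried here against WgaTray.exe and shows why only the exclusion-plus-deny approach stays quiet; the rule names and ordering constants are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the precedence described in the thread (an assumption,
# not Cisco's implementation): Terminate rules are checked before Deny rules,
# and a terminate always dumps, so it is logged regardless of its "log" flag.
PRECEDENCE = {"terminate": 0, "deny": 1, "allow": 2}


@dataclass
class Rule:
    name: str
    action: str                      # "terminate", "deny" or "allow"
    targets: set                     # process names, or {"*"} for any process
    exclude: set = field(default_factory=set)
    log: bool = True

    def matches(self, proc):
        proc = proc.lower()          # the thread spells WgaTray.exe three ways
        if proc in self.exclude:
            return False
        return "*" in self.targets or proc in self.targets


def evaluate(rules, proc):
    """Return (rule name, action, logged) for the first match in precedence order."""
    for rule in sorted(rules, key=lambda r: PRECEDENCE[r.action]):   # stable sort
        if rule.matches(proc):
            logged = True if rule.action == "terminate" else rule.log
            return rule.name, rule.action, logged
    return None, "allow", False


def scenarios():
    """The three configurations tried in the thread, run against WgaTray.exe."""
    original = Rule("186 Access system functions from a buffer", "terminate", {"*"})
    clone = Rule("186 clone (WgaTray only, log off)", "terminate", {"wgatray.exe"}, log=False)
    deny = Rule("Deny WgaTray, no log", "deny", {"wgatray.exe"}, log=False)
    excluded = Rule(original.name + " (WgaTray excluded)", "terminate", {"*"},
                    exclude={"wgatray.exe"})
    return {
        # clone listed first so it wins among the terminate rules: still logged
        "cloned_terminate": evaluate([clone, original], "WgaTray.exe"),
        # a Deny rule never gets a look-in while a matching Terminate rule exists
        "deny_below_terminate": evaluate([original, deny], "WgaTray.exe"),
        # Tom's suggestion: exclude the process from the terminate rule first
        "exclude_then_deny": evaluate([excluded, deny], "WgaTray.exe"),
    }
```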

5 REPLIES
Bronze

Re: CSA: Log stop possible when action is Terminate Process

Have you tried to check the "Take precedence over other Priority Terminate rules" option?

I have created an allow exception for this rule, because I know the WGA software can be a real pain if it is not able to function. We had experiences with some updates not downloading and applying properly.

HTH

New Member

Re: CSA: Log stop possible when action is Terminate Process

Thanks, but that doesn't help. A Deny rule will always be below any Terminate Process rules. I guess a Terminate Process action will always result in a dump and that will prompt a log entry.

New Member

Re: CSA: Log stop possible when action is Terminate Process

Hi Tom, thanks for the help. Looks like I failed to make the last step.

The rule is a System API control rule (186 in my installation of v5.2), "Network Applications, Access system functions from a buffer". The action is "Query user", defaulting to "Terminate process". This rule is in the "General Application Permissions - all Security Levels" rule module.

Looks good so far. I still need to create a few more Deny rules, now that the process isn't terminated.

Blue

Re: CSA: Log stop possible when action is Terminate Process

Nice to hear and glad it worked.

Have fun with it.

Tom
