CSA - Securing IM apps from opening links?

joseph.hamilton
Level 1

I've been trying to find a way to prevent or at least query when Instant Messenger applications open another application (namely, I'm trying to catch when someone opens a link from one). I set up a monitor rule to monitor when an Instant Messenger application invokes ANY new application, but the rule is not triggering.

Any ideas? I'm thinking it might be because the IM app uses the SYSTEM application to open a new application, in which case I'll need to monitor when IM opens SYSTEM.

9 Replies

RichardSW
Level 1

Can you post the details of the Rule? Also, if it uses any variables/sets, also post the details of those.

The current monitor rule uses the application class "Instant Messenger applications", which is the built-in class provided with the CSA installation. It includes the file set "Instant Messenger executables", which defines any files in the Program Files folder named aim.exe, trillian.exe, msmsgs.exe, and msnmsgr.exe. The application class uses only those processes, and not descendants.

The monitor looks for invoking of applications in the class.

I created the same rule based on the criteria you specified, and you're right, it doesn't work. It looks like the application doesn't open web browsers directly, but rather makes a call to the system which then opens it. This would make sense since applications don't know what the default browser is.

I did some testing with a COM Component Access Control rule, and wildcarded it so it would show me everything called by IM (I used Pandion, a jabber client, for this test). I then did the same thing with the default Windows Messenger. After I found what looked like a matching COM for the same action, I tested it with a 3rd client (Exodus, another jabber client) to confirm.

Update the Instant Messenger Applications class so it has these:

- msmsgs.exe
- aim.exe
- ypager.exe
- trillian.exe
- icq.exe
- icqlite.exe
- msnmgr.exe
- yahoomessenger.exe
- googletalk.exe

Let me know if you want to include Jabber clients - it will take me a while to look up and the list will get HUGE. ;)

Create a new Component Set:

- Name: InternetShortcut Object

- PROGID's/CLSID's matching: InternetShortcut

Here is the COM Component Access Control rule you'll want to create:

- Take the following action: Deny

- when Applications in any of the following selected classes: Instant Messenger Applications

- But not in any of the following selected classes:

- Attempt to access a COM component Matching any of the following component sets: $InternetShortcut Object

There you go. That should block the standard Instant Messengers from opening a URL. Keep in mind that will not stop them from copying and pasting into the web browser.

Here's an example of a triggered event:

The process 'C:\Program Files\Messenger\msmsgs.exe' (as user unknown) attempted to access the COM component 'InternetShortcut'. The attempted access was to create the component. The operation was allowed by a rule (rule defaults).
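To check offline which logged events that rule would catch, here is an added Python example (mine, not CSA's or the poster's) that parses event lines in the format quoted above and applies the same application-class and component-set logic. The executable list and the InternetShortcut component name are the ones from this thread; all sample events except the quoted one are constructed.

```python
import re
from pathlib import PureWindowsPath

# Application class "Instant Messenger Applications": file set from this thread,
# matched by executable name and by living somewhere under Program Files.
IM_EXECUTABLES = {
    "msmsgs.exe", "aim.exe", "ypager.exe", "trillian.exe", "icq.exe",
    "icqlite.exe", "msnmgr.exe", "yahoomessenger.exe", "googletalk.exe",
}
# Component set "InternetShortcut Object": PROGIDs/CLSIDs matching InternetShortcut.
COMPONENT_SET = {"InternetShortcut"}

# Regex for the CSA event wording as quoted in the thread.
EVENT_RE = re.compile(
    r"The process '(?P<process>[^']+)' \(as user (?P<user>[^)]*)\) attempted to access "
    r"the COM component '(?P<component>[^']+)'\. The attempted access was to "
    r"(?P<operation>\w+) the component\. The operation was (?P<outcome>allowed|denied)"
)

def parse_event(line):
    """Return the event fields as a dict, or None if the line is not a COM access event."""
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None

def in_im_class(process_path):
    """Membership test for the Instant Messenger Applications class (name + Program Files)."""
    p = PureWindowsPath(process_path)
    return p.name.lower() in IM_EXECUTABLES and "program files" in [x.lower() for x in p.parts]

def rule_matches(event):
    """True when the Deny rule from the thread would fire for this event."""
    return in_im_class(event["process"]) and event["component"] in COMPONENT_SET

def evaluate(lines):
    """For each parsable line: (process basename, COM component, would the rule deny it)."""
    results = []
    for line in lines:
        ev = parse_event(line)
        if ev:
            results.append((PureWindowsPath(ev["process"]).name, ev["component"], rule_matches(ev)))
    return results

# Sample events: the first is the one quoted in the thread; the rest are constructed
# to mirror the behaviour reported later (Trillian's lnkfile access at startup,
# msmsgs.exe using the IE automation object, and a same-named binary outside Program Files).
SAMPLE_EVENTS = [
    "The process 'C:\\Program Files\\Messenger\\msmsgs.exe' (as user unknown) attempted to access the COM component 'InternetShortcut'. The attempted access was to create the component. The operation was allowed by a rule (rule defaults).",
    "The process 'C:\\Program Files\\Trillian\\trillian.exe' (as user unknown) attempted to access the COM component 'lnkfile'. The attempted access was to create the component. The operation was allowed by a rule (rule defaults).",
    "The process 'C:\\Program Files\\Messenger\\msmsgs.exe' (as user unknown) attempted to access the COM component 'InternetExplorer.Application.1'. The attempted access was to create the component. The operation was allowed by a rule (rule defaults).",
    "The process 'C:\\Tools\\msmsgs.exe' (as user unknown) attempted to access the COM component 'InternetShortcut'. The attempted access was to create the component. The operation was allowed by a rule (rule defaults).",
]

if __name__ == "__main__":
    for name, component, deny in evaluate(SAMPLE_EVENTS):
        print(f"{name:16} {component:32} {'DENY' if deny else 'no match'}")
```

Only the quoted msmsgs.exe/InternetShortcut event matches; the other three show why wildcarding the component set is needed to see what a client such as Trillian actually calls.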

It doesn't appear to be working with Trillian. I set up the rule to Query User when an Instant Messenger application attempts to access COM Object InternetShortcut Object. I haven't tested Windows Messenger yet, but Trillian doesn't trigger on the COM Object provided.

I had to add the Instant Messenger policy to my default group, but still it does not register any COM objects being loaded by Trillian.

As a follow-up, I broadened the InternetShortcut COM to look for all COM Objects accessed by Instant Messenger applications, and trillian.exe is triggering the rule, but not when a link is clicked. It only triggers on startup (accessing the lnkfile COM Object).

Yeah, wildcarding it for everything is how I came up with InternetShortcut. I wonder if Trillian is just being the black sheep. Try testing the original rule as-is with another application, and see if you get the same result. If that's the case, we need to see why your rule is not working the same way as my rule.

Actually, msmsgs.exe triggered for InternetExplorer.Application.1, and only once per hour. And that was the ONLY COM Object it's seeing (I used the wildcard rule to locate ALL COM Objects being used).

When you're looking through the Event Log on the MC, do you have "Filter out duplicates" set to No or Yes? Needs to be No to see all of them.

Try and test it with Firefox set as your default browser as well.

I did make sure to take off filter out duplicates. For most of it, I was using Event Monitor anyway.

Also, after making Firefox.exe the default browser, the rule still did not trigger.
