I've been trying to find a way to prevent or at least query when Instant Messenger applications open another application (namely, I'm trying to catch when someone opens a link from one). I set up a monitor rule to monitor when an Instant Messenger application invokes ANY new application, but the rule is not triggering.
Any ideas? I'm thinking it might be because the IM app uses the SYSTEM application to open a new application, in which case I'll need to monitor when IM opens SYSTEM.
The current monitor rule uses the application class "Instant Messenger applications", which is the built-in class provided with the CSA installation. It includes the file set "Instant Messenger executables", which defines any files in the Program Files folder named aim.exe, trillian.exe, msmsgs.exe, and msnmsgr.exe. The application class uses only those processes, and not descendants.
The monitor looks for invoking of applications in the
I created the same rule based on the criteria you specified, and you're right, it doesn't work. It looks like the application doesn't open web browsers directly, but rather makes a call to the system which then opens it. This would make sense since applications don't know what the default browser is.
I did some testing with a COM Component Access Control rule, and wildcarded it so it would show me everything called by IM (I used Pandion, a jabber client, for this test). I then did the same thing with the default Windows Messenger. After I found what looked like a matching COM for the same action, I tested it with a 3rd client (Exodus, another jabber client) to confirm.
Update the Instant Messenger Applications class so it has these:
Let me know if you want to include Jabber clients - it will take me a while to look up and the list will get HUGE. ;)
Create a new Component Set:
- Name: InternetShortcut Object
- PROGID's/CLSID's matching: InternetShortcut
Here is the COM Component Access Control rule you'll want to create:
- Take the following action: Deny
- when Applications in any of the following selected classes: Instant Messenger Applications
- But not in any of the following selected classes:
- Attempt to access a COM component Matching any of the following component sets: $InternetShortcut Object
There you go. That should block the standard Instant Messengers from opening a URL. Keep in mind that will not stop them from copying and pasting into the web browser.
Here's an example of a triggered event:
The process 'C:\Program Files\Messenger\msmsgs.exe' (as user unknown) attempted to access the COM component 'InternetShortcut'. The attempted access was to create the component. The operation was allowed by a rule (rule defaults).
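As an added example (not from this thread and not part of CSA), here is a small Python parser for event text in the format quoted above. It pulls out the process, user, COM component, access type and rule outcome, flags events where one of the "Instant Messenger executables" touched a URL-opening component, and shows the effect of collapsing duplicate events. The regex and the helper names are my own; the sample lines other than the quoted msmsgs.exe event are constructed to mirror components mentioned in the thread, and the parser assumes the MC emits one event per line.

```python
import re
import ntpath
from collections import Counter

# Regex for the event text quoted in the thread (assumption: one event per line).
EVENT_RE = re.compile(
    r"The process '(?P<process>[^']+)' \(as user (?P<user>[^)]+)\) "
    r"attempted to access the COM component '(?P<component>[^']+)'\. "
    r"The attempted access was to (?P<access>[^.]+)\. "
    r"The operation was (?P<outcome>\w+)(?: by a rule \((?P<rule>[^)]*)\))?\."
)

# The "Instant Messenger executables" file set named in the thread.
IM_EXES = {"aim.exe", "trillian.exe", "msmsgs.exe", "msnmsgr.exe"}

# COM components the thread associates with a URL being handed off to the system.
URL_OPEN_COMPONENTS = {"InternetShortcut", "InternetExplorer.Application.1"}

# Constructed sample events. The first line is the one quoted in the thread;
# the others are made up here to exercise the parser (a duplicate, a startup
# lnkfile access, a browser-object access, and a non-IM process).
SAMPLE_EVENTS = [
    r"The process 'C:\Program Files\Messenger\msmsgs.exe' (as user unknown) attempted to access the COM component 'InternetShortcut'. The attempted access was to create the component. The operation was allowed by a rule (rule defaults).",
    r"The process 'C:\Program Files\Trillian\trillian.exe' (as user unknown) attempted to access the COM component 'lnkfile'. The attempted access was to create the component. The operation was allowed by a rule (rule defaults).",
    r"The process 'C:\Program Files\Messenger\msmsgs.exe' (as user unknown) attempted to access the COM component 'InternetExplorer.Application.1'. The attempted access was to create the component. The operation was allowed by a rule (rule defaults).",
    r"The process 'C:\Program Files\Messenger\msmsgs.exe' (as user unknown) attempted to access the COM component 'InternetShortcut'. The attempted access was to create the component. The operation was allowed by a rule (rule defaults).",
    r"The process 'C:\WINDOWS\explorer.exe' (as user unknown) attempted to access the COM component 'InternetShortcut'. The attempted access was to create the component. The operation was allowed by a rule (rule defaults).",
]


def parse_event(line):
    """Return a dict of fields for one COM-access event, or None if the line does not match."""
    m = EVENT_RE.search(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # ntpath handles the Windows path regardless of the OS this script runs on.
    ev["exe"] = ntpath.basename(ev["process"]).lower()
    return ev


def is_im_process(ev):
    """True when the event's process is one of the IM executables in the file set."""
    return ev["exe"] in IM_EXES


def link_open_events(lines, filter_duplicates=False):
    """Events where an IM executable accessed a URL-opening COM component.

    filter_duplicates mimics the MC's "Filter out duplicates" switch: identical
    event lines collapse to one, which hides repeat triggers of the same rule.
    """
    seen = set()
    hits = []
    for line in lines:
        if filter_duplicates:
            if line in seen:
                continue
            seen.add(line)
        ev = parse_event(line)
        if ev and is_im_process(ev) and ev["component"] in URL_OPEN_COMPONENTS:
            hits.append(ev)
    return hits


def com_usage_by_process(lines):
    """Count (exe, component) pairs for IM processes: the 'wildcard everything'
    survey used in the thread to discover which COM object a client touches."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev and is_im_process(ev):
            counts[(ev["exe"], ev["component"])] += 1
    return counts


if __name__ == "__main__":
    for (exe, component), n in sorted(com_usage_by_process(SAMPLE_EVENTS).items()):
        print(f"{exe:14s} {component:32s} {n}")
    print("link opens (all):   ", len(link_open_events(SAMPLE_EVENTS)))
    print("link opens (dedup): ", len(link_open_events(SAMPLE_EVENTS, filter_duplicates=True)))
```

Running the survey function over a wildcard rule's events is the quickest way to compare what your client actually touches against the InternetShortcut component the rule above expects; the deduplicated count illustrates why the event log should be viewed with duplicate filtering off when you are counting triggers.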
It doesn't appear to be working with Trillian. I set up the rule to Query User when an Instant Messenger application attempts to access COM Object InternetShortcut Object. I haven't tested Windows Messenger yet, but Trillian doesn't trigger on the COM Object provided.
I had to add the Instant Messenger policy to my default group, but still it does not register any COM objects being loaded by Trillian.
As a follow-up, I broadened the InternetShortcut COM rule to look for all COM objects accessed by Instant Messenger applications, and trillian.exe is triggering the rule, but not when a link is clicked. It only triggers on startup (accessing the lnkfile COM object).
Yea, wildcarding it for everything is how I came up with InternetShortcut. I wonder if Trillian is just being the black sheep. Try testing the original rule as-is with another application, and see if you get the same result. If that's the case, we need to see why your rule is not working the same way as my rule.
Actually, msmsgs.exe triggered for InternetExplorer.Application.1, and only once per hour. And that was the ONLY COM object it's seeing (I used the wildcard rule to locate ALL COM objects being used).
When you're looking through the Event Log on the MC, do you have "Filter out duplicates" set to No or Yes? Needs to be No to see all of them.
Try and test it with Firefox set as your default browser as well.
I did make sure to take off filter out duplicates. For most of it, I was using Event Monitor anyway.
Also, after making Firefox.exe the default browser, the rule still did not trigger.