Endpoint Protection

  • 1.  Application Control "Launch process" triggers on office files

    Posted Jan 07, 2014 06:51 AM

    Hi

    Just experienced a strange issue.

    I have created a “Launch process” rule in application control that should block launching processes from the “my documents” folder for the end users. The strange thing is that the logs sometimes show that SEP blocks create processes on .pdf, .xls and .doc files lying in my documents.

    The caller process is then iexplorer.exe (Internet Explorer). How come IE triggers a launch statement on these files?

    Shouldn’t saving an office file trigger a write action, reading a read action, and launching just trigger when opening applications? I could understand if iexplorer.exe launched an executable in my documents, but office files?

    Are there any documents describing what “launch process” really means? I thought this only was .exe files, but it looks like it uses some other logic.

     

    Using 12.1.4

     

    Best Regards

    Torb



  • 2.  RE: Application Control "Launch process" triggers on office files

    Posted Jan 07, 2014 06:56 AM

    This is what launch process attempt means:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/7049d06ba3c9e86f802573620054d9c2?OpenDocument

    IE must be saving a few kinds of cookies or other files under my documents.



  • 3.  RE: Application Control "Launch process" triggers on office files

    Posted Jan 07, 2014 06:59 AM

    That's the strange thing. Internet Explorer triggers "Create process" attempts with targets that are .doc and .pdf files. Usually if it was IE it should trigger a write action and not a launch.



  • 4.  RE: Application Control "Launch process" triggers on office files

    Posted Jan 07, 2014 07:05 AM

    Maybe because of Adobe updates which will be launched by IE?



  • 5.  RE: Application Control "Launch process" triggers on office files

    Posted Jan 07, 2014 07:06 AM

    I don't think Adobe updates will trigger on users' office files.



  • 6.  RE: Application Control "Launch process" triggers on office files

    Posted Jan 07, 2014 07:07 AM

    Can you post the log or a screenie of the event and how your A&DC policy is configured?

    The "Launch Process" behaviour should really apply to any execute command AFAIK.



  • 7.  RE: Application Control "Launch process" triggers on office files

    Posted Jan 07, 2014 07:14 AM

    I changed it to %userprofile%\Documents\*.exe instead of %userprofile%\Documents\*.*

    This should solve the "problem" and cover my use case. But it doesn't really explain why an office file can trigger a "Launch Process" attempt. Any ideas?

    I wonder what the definition of "launch process" is? The user guides don't really give much technical insight.



  • 8.  RE: Application Control "Launch process" triggers on office files

    Posted Jan 07, 2014 07:23 AM

    See screenshot below.

    "Create process" applies to the following processes: %userprofile%\Documents\*.*

     



  • 9.  RE: Application Control "Launch process" triggers on office files

    Posted Jan 07, 2014 10:42 AM

    The only thing I can think of that would trigger that sort of alert with your old policy is if IE was trying to launch an additional plugin in order to display the PDF within an IE window.

    Something to bear in mind if you are going to continue with your new A&DC policy (i.e. restricting it to certain extensions) is that you may want to add further extensions to the list beyond .exe.  Other executable extensions include .com, .vbs, .bin, and many others, and you might not want these to be launched if located within a normal user's profile.
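
    Added example, not part of the original thread and not Symantec code: a small coverage check that replays launch targets against the three rule scopes discussed above (`*.*`, `*.exe`, and the extended extension list) to show what each one would catch. The event list is constructed sample data, and the wildcard semantics and the `C:\Users\<name>` expansion of `%userprofile%` are assumptions; SEP's own matcher may behave differently.

```python
import fnmatch

# Assumption: %userprofile% resolves to C:\Users\<name>, and wildcards match
# case-insensitively, fnmatch-style ('*' also spans '\'). SEP may differ.
DOCS = r"C:\Users\*\Documents"
EXTENDED = ("exe", "com", "vbs", "bin")  # extensions named in the thread

RULES = {
    "old *.*": [DOCS + r"\*.*"],
    "new *.exe": [DOCS + r"\*.exe"],
    "extended": [DOCS + "\\*." + ext for ext in EXTENDED],
}

# Constructed sample events (caller process, launch target); not real SEP log output.
EVENTS = [
    ("iexplore.exe", r"C:\Users\alice\Documents\report.doc"),
    ("iexplore.exe", r"C:\Users\alice\Documents\invoice.pdf"),
    ("explorer.exe", r"C:\Users\bob\Documents\tool.exe"),
    ("explorer.exe", r"C:\Users\bob\Documents\update.vbs"),
    ("explorer.exe", r"C:\Users\bob\Documents\OLD.COM"),
    ("explorer.exe", r"C:\Windows\System32\notepad.exe"),
]

def matches(patterns, target):
    """True if the target path matches any pattern, ignoring case."""
    t = target.lower()
    return any(fnmatch.fnmatchcase(t, p.lower()) for p in patterns)

def coverage(events=EVENTS, rules=RULES):
    """Map each rule set to the launch targets it would match."""
    return {name: [t for _, t in events if matches(pats, t)]
            for name, pats in rules.items()}

def gap(narrow, wide, events=EVENTS):
    """Targets matched by the wide rule set but missed by the narrow one."""
    cov = coverage(events)
    return [t for t in cov[wide] if t not in cov[narrow]]

if __name__ == "__main__":
    for name, hits in coverage().items():
        print(f"{name:10} {len(hits)} match(es)")
        for t in hits:
            print("   ", t)
    print("missed by *.exe only:", gap("new *.exe", "extended"))
```

    Running the same comparison over an export of real Application Control events shows how much noise the `*.*` scope produces and which script or legacy executable types a `.exe`-only rule leaves uncovered.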