
CommercialApps.2 autoprotect risks

Created: 17 Jan 2008 • Updated: 21 May 2010 | 10 comments
My test workstation (my actual workstation) has logmein on it. Apparently SEP is detecting it every hour as a "risk:", pops up a window, and recommends I take no action.  It marks it as "Commercialapps.2".
I checkmark the exclude box but it keeps happening.
 
Now, I am aware of the central exclusion area of SEPM. But I am not sure how to enter this exclusion. I cannot find a risk designated as "Commercialapps.2". There are six areas it is being detected in (browser cache, process, service, file, etc.).
 
Any suggestions?


SKlassen's picture
I had this as well.  What worked for me was a TruScan Exception, specifying the path to the logmein executable (C:\program files\logmein\x86\logmein.exe).
Mike T's picture
Okay. I just had the process name, not the path. It is strange that it also still doesn't give me the choice to ignore, just "log only". I will see if this fixes the problem on the client.
 
On a similar subject, when I add a TruScan Centralized Exception there is a choice called "Detected process exceptions". However, there is nothing in it. I would assume it would give me a choice from among detected processes it has seen on the clients. Anyone see this and figure it out?
SKlassen's picture
Yep, have to put in the full path. Now the Centralized Exception UI does allow for using environmental variables to build a path, but I haven't figured out the proper syntax for it to work and it isn't worth the time to play with it.
Mike T's picture
Well, I put it in the path, and it doesn't work. I entered it as "process".exe, nada. I double-checked the path and no luck. That other area I talked about is still blank. It is strange as I had a risk scan for Spiceworks come up, and I was able to place an exception for that with no problems. But that was a risk exception, not a TruScan.
 
I really want to shoot this software, as their help file is very, well, unhelpful. Kinda like looking at a box on the screen that says enter, and the help file says, "this is the enter box". Not much help.
 
I'll keep playing with it and conduct my almost daily hunt for the SEPM KB of the day.  Geez.  It's like they think we got nothing better to do all day.
Mike T's picture
Okay, here is a part of the issue. The popup alert being generated on the client (commercialapps.2) is on the client log, but not being seen on the server's log. According to the manual, I should have been able to see the alert on the server's logs and create an exception rule off the log entry. The problem is that there is no server log entry, although the client's log shows an entry every hour or so.
 
So I guess the client is not communicating correctly to the server?  Anyone having any problems with this?
SKlassen's picture
Looks like yours might be getting detected by a different component than mine was. Have to set up the exception based on the component that is "catching" it. Reading back to your original post, the blocked message that you're getting says that it is a Security Risk, so that's the exception you have to make. In your Centralized Exception policy, click on add, go to Security Risk Exceptions > File, then add in the path to the file that was referenced in the alert message, which I assume is logmein.exe.
Mike T's picture
I'll try that but the client log does show that the scan engine generating the error is TruScan. 
Danny Nilsson's picture
What I did to disable this message was:
 
1. Entering policy
2. Entering Antivirus and Antispyware
3. Choosing TruScan
4. When commercial keylogger is detected = Ignore.
 
Or else
 
disable the notification in the same place so the client doesn't see anything.
 
But it's right, I can't see it in the logs anywhere.
LasseF's picture
Hi
 
How can I create a list/report of clients that receive the message regarding WinVNC4?
 
We have just bought SEP and I am trying it out on some of our client computers, including my own. On some of the computers we receive the WinVNC4 risk message. I have added it to the centralized exception list but would like to create a list/report with all the users that receive it.
Do I have to create some sort of surveillance before I can create a report?
 
/Lasse



Message Edited by Lasse Froberg on 04-16-2008 02:49 AM


a_gunslinger's picture

Isn't that message flagging PCAnywhere? I uninstalled PCAnywhere and the message went away. I laughed a little that a Symantec product was being flagged by Symantec code.