Data Center Security


DCS Policy Utility - Additional Content - Routing and Rules


    Broadcom Employee
    Posted May 23, 2016 12:31 PM

    DCS Policy Utility Download Link: https://www-secure.symantec.com/connect/downloads/symantec-dcs-policy-utility-v10

    I'd like to expand on using the DCS Policy Utility, as there are two parts that we need to consider when we are setting up a policy.

    Routing vs Rules
    Routing the item to the correct sandbox
    Rules that are applied to that item once it is in that sandbox

    We summarize this with the phrase "Is it in the right sandbox, and does it have the right rules there?"

    If you don't have process assignment logging enabled globally as well as in any custom sandbox, you won't see whether the process was routed to another sandbox. This could lead to something that you want to allow being denied with no log entries for the event.

    Here are two default deny sandboxes:
    Services - svc_nopriv_ps
    User Mode applications - deny_ps

    Example:
    If we create a routing rule that routes notepad.exe to the built-in deny_ps, you will see an entry in the event logs that shows it was routed there; the event type is PPST (process assignment). Since you can create custom sandboxes that are fully closed (denied), you'll need to check the policy for any of those items as well.

    If the item is routed to the default deny sandboxes, you won't see an event as anything going there is denied. Just the process assignment to that sandbox.

    Checking Routing
    Checking routing to default denied sandboxes
    [VALUE1]=svc_nopriv_ps,[VALUE1]=deny_ps

    Checking Rules
    By default the DCS Policy Utility will search for denied events
    If prevention for the policy is disabled, you search for 
    [EVENT_TYPE]=Warning,[DISPOSITION]=Allowed

    If prevention for the policy is enabled, you search for
    [DISPOSITION]=Denied
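
    The two checks above (routing to a default deny sandbox, then the rule hits in that sandbox) can be scripted over an exported agent log. The following is an added example written for this post, not part of the DCS Policy Utility; the CSV column layout is assumed (column names borrowed from the [EVENT_TYPE], [DISPOSITION] and [VALUE1] filter tokens, with PROCESS and EVENT_ID added), and the log lines are constructed, not captured from a real agent.

```python
"""Triage a DCS agent event log the way the post describes:
first routing (PPST assignments into default deny sandboxes),
then rules (Denied, or Warning+Allowed when prevention is off).

The CSV layout is an assumption for this example, not the agent's
documented schema.
"""
import csv
import io

# The two default deny sandboxes named in the post.
DEFAULT_DENY_SANDBOXES = {"svc_nopriv_ps", "deny_ps"}

# Constructed sample log. EVENT_TYPE/DISPOSITION/VALUE1 mirror the
# utility's search tokens; PROCESS and EVENT_ID are assumed columns.
SAMPLE_LOG = """\
EVENT_ID,EVENT_TYPE,DISPOSITION,PROCESS,VALUE1
1,PPST,Allowed,notepad.exe,deny_ps
2,PPST,Allowed,svchost.exe,svc_nopriv_ps
3,PPST,Allowed,explorer.exe,int_ps
4,Warning,Allowed,explorer.exe,C:\\Temp\\dropper.exe
5,Warning,Denied,cmd.exe,C:\\Windows\\Temp\\x.bat
6,Information,Allowed,explorer.exe,C:\\Users\\Public\\a.txt
"""


def parse_events(csv_text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def check_routing(events):
    """Routing check: (process, sandbox) for every PPST assignment
    that lands a process in a default deny sandbox."""
    return [
        (e["PROCESS"], e["VALUE1"])
        for e in events
        if e["EVENT_TYPE"] == "PPST" and e["VALUE1"] in DEFAULT_DENY_SANDBOXES
    ]


def check_rules(events, prevention_enabled):
    """Rules check, matching the post's two filters:
    prevention on  -> [DISPOSITION]=Denied
    prevention off -> [EVENT_TYPE]=Warning,[DISPOSITION]=Allowed
    (the policy only warns, so the would-be denials show as allowed)."""
    if prevention_enabled:
        def keep(e):
            return e["DISPOSITION"] == "Denied"
    else:
        def keep(e):
            return e["EVENT_TYPE"] == "Warning" and e["DISPOSITION"] == "Allowed"
    return [e for e in events if keep(e)]


def triage(csv_text, prevention_enabled):
    """Run both checks and return the hits by EVENT_ID."""
    events = parse_events(csv_text)
    return {
        "routing": check_routing(events),
        "rules": [e["EVENT_ID"] for e in check_rules(events, prevention_enabled)],
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("prevention enabled" if mode else "prevention disabled",
              triage(SAMPLE_LOG, mode))
```

    Run it against a real SISIDSEvents.csv by replacing SAMPLE_LOG with the file contents and adjusting the column names to the export's header row. The routing check is the one to read first: a process that appears in the routing list will generate no further rule events, which is exactly the "denied with no log entries" situation the post warns about.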

    Log rollover and additional details
    •    Running sisipsconfig -csv before replicating an issue will roll the bulk log; this removes a lot of events that would otherwise hide what you are looking for.
    •    Rebooting will surface all of the sandbox assignment (PPST) messages, so you can see why each process is running in its present sandbox (remember that processes do not always run in the same sandbox, so seeing the inheritance can explain outlying issues).

    Where are events logged?

    There are two logs for all agents:
    1) Bulk Log - everything that is logged is stored here
        Filename: SISIDSEvents.csv
        This is determined by the Policy Setting (Policy Specific)

    2) Real Time Events Log - everything that will be sent to the manager is stored here (and sent to the manager)
        Filename: SISIRTEvents.csv
        This is determined by the Agent Configuration (Agent Specific)

    The SISRTEventsXXX.csv is a filtered log of events, but it is SISIDSEvents.csv (the bulk log) that has all of the agent events, so to know everything that happened on the agent at that point in time, that is the file you want to grab.

    By default, an assignment to a “deny” PS has a level of Warning, so it will be sent when the out of the box config is used, but no other process assignments will be sent to the manager. You will want to either gather the logs from the agent (which we recommend for the DCS Policy Utility), or modify the configuration to send these events to the manager.