Critical System Protection

  • 1.  Logs are not detecting under Detection policy SCP

    Posted Aug 05, 2013 02:54 AM

    Hi, we have the SCP client installed on Windows Server 2008 SP1 and have deployed the default Prevention and Detection configuration and a couple of the policies, but the agent system is only detecting event logs under the Prevention policy; no logs are being detected under the Detection policies. I have enclosed the policy details along with the configuration.

    Can you please let me know what could be the reason for not detecting logs under the Detection policy? Is there any group policy that needs to be deployed on the client system, since the agents are under a domain controller?

    Else, is there any configuration that needs to be enabled on the agent from the host end or in the HIDS management console (version 5.2.6)?

    Early support from anyone is highly appreciated.




  • 2.  RE: Logs are not detecting under Detection policy SCP

    Broadcom Employee
    Posted Aug 05, 2013 03:01 AM

    Have there been any incidents for the policy applied?



  • 3.  RE: Logs are not detecting under Detection policy SCP

    Posted Aug 05, 2013 03:05 AM

    Yes, it is there, but the same is not being detected in the SCP event logs.



  • 4.  RE: Logs are not detecting under Detection policy SCP

    Posted Aug 05, 2013 06:43 AM

    So all of those are applied Detection policies... none of them are triggering any events?



  • 5.  RE: Logs are not detecting under Detection policy SCP

    Posted Aug 06, 2013 02:05 AM

    No, none of them are triggering, only on the 4 Windows 2008 Service Pack 1 agents which I have integrated with HIDS recently.



  • 6.  RE: Logs are not detecting under Detection policy SCP

    Posted Aug 06, 2013 03:15 PM

    Do you see any of the events locally in the Event Viewer? If so, and they are not making it to the manager, then it is a config issue.

    The baseline detection policy should be triggering some events.  It looks like you have more than one baseline detection policy applied to this agent.

    As a test, remove all the detection policies and disable any prevention policies, or apply the null. Apply the out-of-the-box Baseline Detection policy, and create a .txt file in the C:\Windows\ directory, then rename it from .txt to .dll. That should trigger an event.

    Check the local event viewer and see if a detection event was logged.  If it was, then check the manager for the event.  That should help you narrow it down to either a config issue or a policy issue.
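    The test described in this reply, scripted in PowerShell as an added example (this is not code from the original thread or from the SCP product). It creates the harmless test file, renames it to .dll, then checks the local event log for a detection event mentioning that file, so the result points at either a policy issue (no local event) or a config issue (local event present but nothing on the manager). Assumptions not stated in the thread: the agent writes local detection events to the Windows Application log, the event text contains the file name, and the script is run elevated with prevention policies disabled or nulled as the reply instructs. The `$LogName` and `$Provider` values are placeholders to adjust for your agent.

```powershell
# Added example, not part of the original post. Run elevated on the agent after
# disabling/nulling prevention policies and applying only the out-of-the-box
# Baseline Detection policy, as described in the thread.
#
# ASSUMPTIONS (not from the thread): the agent logs local detection events to
# the Application log and the event message includes the file name. Change
# $LogName / $Provider to match your agent's event source if they differ.

$LogName  = 'Application'   # assumption: local SCP detection events land here
$Provider = $null           # optional: set to the agent's event source name if known
$Stamp    = Get-Date -Format 'yyyyMMddHHmmss'
$TxtPath  = Join-Path $env:SystemRoot "scp_detect_test_$Stamp.txt"
$DllPath  = [System.IO.Path]::ChangeExtension($TxtPath, '.dll')
$DllName  = Split-Path $DllPath -Leaf
$Start    = Get-Date

try {
    # Step 1: create an empty .txt file in C:\Windows (harmless by itself)
    New-Item -Path $TxtPath -ItemType File -Force | Out-Null

    # Step 2: rename .txt -> .dll; a new DLL appearing in the system directory
    # is the change the Baseline Detection policy is expected to flag
    Rename-Item -Path $TxtPath -NewName $DllName

    # Give the agent a moment to process the file-system change
    Start-Sleep -Seconds 15

    # Step 3: look for a local detection event raised since the test started
    $filter = @{ LogName = $LogName; StartTime = $Start }
    if ($Provider) { $filter['ProviderName'] = $Provider }

    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match [regex]::Escape($DllName) }

    if ($events) {
        "Local detection event(s) found for $DllName."
        "If the manager console shows nothing, the problem is agent-to-manager config, not the policy."
        $events | Format-List TimeCreated, Id, ProviderName, Message
    } else {
        "No local event in '$LogName' since $Start mentioning $DllName."
        "The applied detection policy is not firing on this host (policy issue)."
    }
}
finally {
    # Step 4: always remove the test file, whichever name it currently has
    Remove-Item -Path $TxtPath, $DllPath -Force -ErrorAction SilentlyContinue
}
```

    The script only ever touches an empty file with a unique, timestamped name, and the `finally` block removes it even if the rename or the event query fails; if a prevention policy is still active it may block the rename in `C:\Windows`, which is why the reply says to disable or null prevention first.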




  • 7.  RE: Logs are not detecting under Detection policy SCP

    Posted Aug 07, 2013 01:17 AM

    Hi all, thank you so much. It was a Baseline Detection policy issue with the policy deployed to the Windows group.

    I have disabled the same and redeployed it on the agent, and now I can see a couple of the logs on the HIDS manager.