Hi,
I am running SDCSS 6.0. The client in question is running a Hardened policy with Prevention disabled. I got the following event from a workstation and I am trying to figure out where I need to make a policy change. SQLSERVR.EXE is trying to access a bunch of files such as templog.ldf and templog.mdf. I also have similar events for registry access. SQLSERVR.exe is assigned the hardened_ps, but according to info from Symantec, Rule Name :i.AN;mssqlsrv is triggered by the target. Do I have to turn off the SQL protection in the mssqlsrv sandbox to allow this connection? If I do, then I lose the protection.
SOURCE
Agent Name [replaced]
Host Name [replaced]
Host IP Address [replaced]
User Name NT AUTHORITY\SYSTEM
Agent Version 6.0.0.380
OS Type Windows
OS Version XP Service Pack 2
Agent Type CSP Native Agent
EVENT
Event Type File Access
Event Category Real Time - Prevention
Operation NtCreateFile
Event Severity Warning
Event Priority 45
Acknowledgement Status false
Event Date 24-Jul-2014 01:51:47 CDT
Post Date 24-Jul-2014 01:54:55 CDT
Post Delay 00:03:08
Event Duration 00:00:00
Event Count 1
Event ID 1375966
DETAILS
Description File Write Allowed for SQLSERVR.EXE on C:\Program Files\Microsoft SQL Server\MSSQL\Data\templog.ldf
Policy Name Hollister - Logging - Hardened - XP - Melbourne
Rule Name :i.AN;mssqlsrv
Internal Rule mssqlsrv Data Protection No Access
Process C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL\BINN\SQLSERVR.EXE
Module Path C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL\BINN\SQLSERVR.EXE
File Name C:\Program Files\Microsoft SQL Server\MSSQL\Data\templog.ldf
Agent State Prevention Globally Disabled
Disposition Allow
Sandbox hardened_ps
Operation NtCreateFile
OS Result 00000000 (SUCCESS)
SDCSS Result 00000000 (SUCCESS)
Permissions Requested 0012019F (read_control, synch, read_data, write_data, append_data, read_ea, write_ea, read_attr, write_attr)
NT Create Disposition 1 (open)
Process ID 180
Thread ID 620
Process Signature Unsigned (00000000)
Module Signature Unsigned (00000000)
Bob
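An added example for triaging events like the one above in bulk (this is not part of Bob's post and not Symantec tooling): it parses the key/value record as SDCSS prints it, decodes the "Permissions Requested" access mask into the NT access-right names, and flags events that were only allowed because prevention is globally disabled, so the would-be denials can be reviewed before prevention is switched on. The sample record is constructed from the fields in the post; the field list, the right names not shown in the post, and the rule "a ... No Access rule hit while prevention is disabled becomes a deny once it is enabled" are this example's own assumptions.

```python
"""Triage an SDCSS file-access event: decode the access mask and flag
events that would turn into denials once prevention is enabled.
Added example; not from the original post or from Symantec."""
import re

# Constructed sample, built from the event fields quoted in the post.
SAMPLE_EVENT = r"""
Event Type File Access
Event Category Real Time - Prevention
Operation NtCreateFile
Description File Write Allowed for SQLSERVR.EXE on C:\Program Files\Microsoft SQL Server\MSSQL\Data\templog.ldf
Rule Name :i.AN;mssqlsrv
Internal Rule mssqlsrv Data Protection No Access
Process C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL\BINN\SQLSERVR.EXE
File Name C:\Program Files\Microsoft SQL Server\MSSQL\Data\templog.ldf
Agent State Prevention Globally Disabled
Disposition Allow
Sandbox hardened_ps
Permissions Requested 0012019F (read_control, synch, read_data, write_data, append_data, read_ea, write_ea, read_attr, write_attr)
"""

# The record separates key from value with a single space, so the known
# key names are needed to split each line (list taken from the post;
# extend it for other event types).
FIELDS = (
    "Permissions Requested", "Internal Rule", "Event Category", "Event Type",
    "Agent State", "Rule Name", "File Name", "Description", "Disposition",
    "Operation", "Process", "Sandbox",
)

# NT access-right bits (winnt.h).  Short names for the bits the post shows
# follow the post; the remaining names are this example's own labels.
ACCESS_RIGHTS = (
    (0x00020000, "read_control"), (0x00100000, "synch"),
    (0x00010000, "delete"), (0x00040000, "write_dac"), (0x00080000, "write_owner"),
    (0x00000001, "read_data"), (0x00000002, "write_data"), (0x00000004, "append_data"),
    (0x00000008, "read_ea"), (0x00000010, "write_ea"), (0x00000020, "execute"),
    (0x00000040, "delete_child"), (0x00000080, "read_attr"), (0x00000100, "write_attr"),
    (0x10000000, "generic_all"), (0x20000000, "generic_execute"),
    (0x40000000, "generic_write"), (0x80000000, "generic_read"),
)
WRITE_RIGHTS = {"write_data", "append_data", "write_ea", "write_attr", "delete",
                "delete_child", "write_dac", "write_owner", "generic_write", "generic_all"}


def parse_event(text):
    """Split 'Key Value' lines into a dict, matching the longest known key first."""
    event = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for key in sorted(FIELDS, key=len, reverse=True):
            if line.startswith(key + " "):
                event[key] = line[len(key) + 1:].strip()
                break
    return event


def decode_access_mask(mask):
    """Return the names of the access-right bits set in an NT access mask."""
    return [name for bit, name in ACCESS_RIGHTS if mask & bit]


def parse_mask_field(value):
    """'0012019F (read_control, ...)' -> 0x0012019F."""
    m = re.match(r"([0-9A-Fa-f]{1,8})", value)
    if not m:
        raise ValueError("no hex mask in %r" % value)
    return int(m.group(1), 16)


def triage(text):
    """Summarise one event and say whether enabling prevention would deny it."""
    ev = parse_event(text)
    rights = decode_access_mask(parse_mask_field(ev["Permissions Requested"]))
    # Assumption of this example: an access logged against a "... No Access"
    # rule that was allowed only because prevention is globally disabled
    # would be denied once prevention is enabled.
    would_block = (
        ev.get("Disposition") == "Allow"
        and "Prevention Globally Disabled" in ev.get("Agent State", "")
        and ev.get("Internal Rule", "").endswith("No Access")
    )
    return {
        "process": ev.get("Process"),
        "target": ev.get("File Name"),
        "sandbox": ev.get("Sandbox"),
        "rule": ev.get("Internal Rule"),
        "rights": rights,
        "is_write": bool(WRITE_RIGHTS.intersection(rights)),
        "would_block": would_block,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENT).items():
        print("%-12s %s" % (key, value))
```

Run over an export of many events, the `would_block` and `is_write` flags separate the accesses a policy change must cover (a database engine writing its own log file) from read-only noise that could be left to be denied.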