Hi,
I'm having trouble getting SEP 12.1.6 working properly with SDCS 6.5 and the protection core policy.
It seems that there is a script that is being blocked and I'm unable to create a working exception for it.
Details are:
DETAILS
Description: Process Assignment for CSCRIPT.EXE to svc_nopriv_ps
Policy Name: sym_win_protection_core_sbp_TMSPRDT
Rule Name: Programs that services should not execute
Process: C:\WINDOWS\SYSTEM32\CSCRIPT.EXE
Parent Process: C:\WINDOWS\SYSTEM32\WINLOGON.EXE
Module Path: \WINDOWS\SYSTEM32\WLNOTIFY.DLL
Sandbox: svc_nopriv_ps
Operation: create
Process ID: 13328
Thread ID: 14048
Parent PID: 4272
Arguments: C:\WINDOWS\system32\cscript.exe //E:JScript //Job:AgentHIScript "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6306.6100.105\Bin\AVScript16.js" "48640" "Helper.exe" "Symantec.SSHelper" "C:" "22" "C:\WINDOWS\TEMP\" "0"
Process Signature: Microsoft Signed (00039417)
Parent Process Signature: Microsoft OS Component (00039437)
cscript.exe is blocked: Programs that services should not execute
When I create an exception to this I'm struggling with the arguments. They are not fixed, so I'm trying to wildcard it, but it is still being blocked.
//E:JScript //Job:AgentHIScript "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6306.6100.105\Bin\AVScript??.js" "?????" "Helper.exe" "Symantec.SSHelper" "C:" "??" "C:\WINDOWS\TEMP\" "0"
When I work with the above question marks it doesn't seem to work. Any ideas anyone?
Thanks a lot!
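
Added example, not part of the original post and not Symantec code: a small offline checker that compares the posted wildcard pattern with the logged Arguments value. It assumes "?" matches exactly one character, "*" matches any run of characters, and the pattern must cover the whole logged string; the post does not say how SDCS actually matches arguments.

```python
import re

# Arguments value copied from the event in the post.
LOGGED = (
    r'C:\WINDOWS\system32\cscript.exe //E:JScript //Job:AgentHIScript '
    r'"C:\Program Files\Symantec\Symantec Endpoint Protection'
    r'\12.1.6306.6100.105\Bin\AVScript16.js" "48640" "Helper.exe" '
    r'"Symantec.SSHelper" "C:" "22" "C:\WINDOWS\TEMP\" "0"'
)

# Exception pattern copied from the post.
POSTED = (
    r'//E:JScript //Job:AgentHIScript '
    r'"C:\Program Files\Symantec\Symantec Endpoint Protection'
    r'\12.1.6306.6100.105\Bin\AVScript??.js" "?????" "Helper.exe" '
    r'"Symantec.SSHelper" "C:" "??" "C:\WINDOWS\TEMP\" "0"'
)


def to_regex(pattern):
    """Assumed semantics: '?' = exactly one character, '*' = any run."""
    body = ''.join('.' if c == '?' else '.*' if c == '*' else re.escape(c)
                   for c in pattern)
    return re.compile(body, re.IGNORECASE | re.DOTALL)


def matches(pattern, text):
    """True only if the pattern covers the entire text."""
    return to_regex(pattern).fullmatch(text) is not None


def matched_prefix_len(pattern, text):
    """Length of the longest pattern prefix that matches the start of text."""
    for n in range(len(pattern), 0, -1):
        if to_regex(pattern[:n]).match(text):
            return n
    return 0


if __name__ == '__main__':
    print('posted pattern vs logged string:', matches(POSTED, LOGGED))
    print('pattern characters matched from the start:',
          matched_prefix_len(POSTED, LOGGED))
    print('with a leading "*":', matches('*' + POSTED, LOGGED))
    # Constructed variant: same event with a four-digit second argument.
    variant = LOGGED.replace('"48640"', '"4864"')
    print('variant with "????\u003f":', matches('*' + POSTED, variant))
    print('variant with "*":',
          matches('*' + POSTED.replace('"?????"', '"*"'), variant))
```

Under these assumptions the posted pattern fails at its first character, because the logged Arguments value begins with the cscript.exe path, and a fixed run of "?" stops matching as soon as an argument changes length. A "*" in this model can also span quote and space boundaries, so it accepts more command lines than one argument's worth.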