Endpoint Protection

  • 1.  Application control policy

    Posted Jan 21, 2010 10:33 AM
    I recently enabled the application control policy to log a malicious process. It caused some issues with a few machines so I disabled it. Now, I have one machine that when rebooted each day, it will prompt the user to reboot. This happens every day. The policy is no longer enabled so I figure something must be "stuck" in the registry. What key(s) should I be looking at? I'm sure I can uninstall the application and device control policy but would prefer not to. Using SEP 11.0.4


  • 2.  RE: Application control policy

    Posted Jan 21, 2010 10:40 AM
    If this is the case with just one computer, you can perhaps try a repair install of SEP on that client... :) .. Let's see what you have got to tell us after a repair... :)


  • 3.  RE: Application control policy

    Posted Jan 21, 2010 10:41 AM

    For this particular machine in question which prompts for a restart, try moving this machine to a group where the users do not get such a prompt. It's possible that this particular client has not received the latest Application and Device Control policy, the one which you have withdrawn. Also check the policy serial number in SEPM as well as on the client machine which is giving us this error.


  • 4.  RE: Application control policy

    Posted Jan 21, 2010 10:52 AM
    After checking the policy on my clients, it looks like they never picked the "new" policy which contained the disabled app control. So they still have the old policy with app control enabled. This appears to be the case across many locations. How can I force a complete policy refresh?


  • 5.  RE: Application control policy

    Posted Jan 21, 2010 10:55 AM
    Well, now that you have found out what's happening, you can try to drop a Sylink.xml on the client... or alternatively, like Sandip said.. move the client momentarily to another group... and move it back after it's updated... :)


  • 6.  RE: Application control policy

    Posted Jan 21, 2010 11:00 AM
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysPlant
    Change the Value of Start to 4.


  • 7.  RE: Application control policy

    Posted Jan 21, 2010 11:09 AM
    It's a little harder to do that with 10,000 machines located throughout the world. The problem is happening on only a few machines (no more than 10 up to this point) but will the policy eventually update on its own?

    I'm also finding machines that have a policy from December so I hope it will not download the one where I enabled the app control policy which could lead to more issues.



  • 8.  RE: Application control policy

    Posted Jan 21, 2010 11:16 AM
    That's right, it's not a solution, it's a workaround for a handful of systems..
    If the clients have not taken policy updates from December then it looks to be a communication prob between them..



  • 9.  RE: Application control policy

    Posted Jan 21, 2010 11:16 AM
    It's just taking some time to get the updates I guess.. Maybe due to bandwidth.. ? ?! ... As of now, to avoid this restart prompt, you can very well go with Vikram's suggestion... The rest, we will have to observe ...


  • 10.  RE: Application control policy

    Posted Jan 21, 2010 11:28 AM
    Yes, I was a little surprised to see the policies on clients from Dec which means my logging policy would've never even worked on these machines. I'll do some more digging and deal with it on a case by case basis since it is few and far between at this point.