Endpoint Protection

  • 1.  Enabling Application and Device Control (Logging Only) Caused Outage at Several Customers

    Posted Jan 18, 2010 12:44 PM

    Over the weekend we decided to enable Application and Device Control by testing 2 rule sets in Test (log only) mode. We used 1. Block Modifications to hosts file and 2. Protect client files and registry keys (of SEP). Everything seemed fine until this morning, when one of our customers came in and contacted us to let us know that they could not get into anything. Upon investigating the network we found most of the machines disconnected from the network, although they were definitely turned on. We immediately unchecked the Enabled boxes on the two rule sets and had everyone restart. Once they restarted, everything went back to normal with no issues. We checked the Application and Device Control logs and found tons of blocked processes, etc. My question is: if we only set up the rules to LOG, how come it decided to start blocking all sorts of stuff? The logs below clearly say it is in TEST mode = 1. Basically SEP thought that a bunch of processes on the client machine were trying to attack it, so it squashed them. If you need any additional information please let me know. We would really like to know how this happened.

    Time Stamp Event Type Event Time Severity Host Name Action Test Mode Description API Encoded API Name Begin Time End Time Rule ID Rule Name Caller Process ID Caller Process Name Return Address Return Module Parameter Alert Send Snmp Trap User Name Domain Name Site Name Server Name Group Name Computer Name
    1/18/2010 9:52 Application Control Driver 1/18/2010 9:49 Info DOOLEY-OP4A Continue 0 Application and Device Control is ready System   1/18/2010 9:49 1/18/2010 9:49   Built-in rule 0 SysPlant 0 SysPlant None 0 0 None Default STFCONSULTING MSP STF- My Company\STF_MSP\DR EDWARD DOOLEY\Workstations 32bit DOOLEY-OP4A
    1/18/2010 9:31 Application Control Rules 1/18/2010 9:25 Minor DOOLEY-FD3 Block 1   Registry Write   1/18/2010 9:24 1/18/2010 9:24   Client services_Write Registry 2008 C:/WINDOWS/system32/wbem/wmiprvse.exe 0 No Module Name /REGISTRY/MACHINE/SYSTEM/CurrentControlSet/Services/Symantec AntiVirus/Performance 0 0 NETWORK SERVICE Default STFCONSULTING MSP STF- My Company\STF_MSP\DR EDWARD DOOLEY\Workstations 32bit DOOLEY-FD3
    1/18/2010 9:31 Application Control Rules 1/18/2010 9:25 Minor DOOLEY-FD3 Block 1   Registry Write   1/18/2010 9:24 1/18/2010 9:24   Client services_Write Registry 2008 C:/WINDOWS/system32/wbem/wmiprvse.exe 0 No Module Name /REGISTRY/MACHINE/SYSTEM/CurrentControlSet/Services/SymEvent/Performance 0 0 NETWORK SERVICE Default STFCONSULTING MSP STF- My Company\STF_MSP\DR EDWARD DOOLEY\Workstations 32bit DOOLEY-FD3
    1/18/2010 9:31 Application Control Rules 1/18/2010 9:25 Minor DOOLEY-FD3 Block 1   Registry Write   1/18/2010 9:24 1/18/2010 9:24   Client services_Write Registry 2008 C:/WINDOWS/system32/wbem/wmiprvse.exe 0 No Module Name /REGISTRY/MACHINE/SYSTEM/CurrentControlSet/Services/SysPlant/Performance 0 0 NETWORK SERVICE Default STFCONSULTING MSP STF- My Company\STF_MSP\DR EDWARD DOOLEY\Workstations 32bit DOOLEY-FD3
    1/18/2010 9:31 Application Control Rules 1/18/2010 9:25 Minor DOOLEY-FD3 Block 1   Registry Write   1/18/2010 9:24 1/18/2010 9:24   Client services_Write Registry 2008 C:/WINDOWS/system32/wbem/wmiprvse.exe 0 No Module Name /REGISTRY/MACHINE/SYSTEM/CurrentControlSet/Services/Teefer2/Performance 0 0 NETWORK SERVICE Default STFCONSULTING MSP STF- My Company\STF_MSP\DR EDWARD DOOLEY\Workstations 32bit DOOLEY-FD3
    1/18/2010 9:31 Application Control Rules 1/18/2010 9:25 Minor DOOLEY-FD3 Block 1   Registry Write   1/18/2010 9:24 1/18/2010 9:24   Client services_Write Registry 2008 C:/WINDOWS/system32/wbem/wmiprvse.exe 0 No Module Name /REGISTRY/MACHINE/SYSTEM/CurrentControlSet/Services/WPS/Performance 0 0 NETWORK SERVICE Default STFCONSULTING MSP STF- My Company\STF_MSP\DR EDWARD DOOLEY\Workstations 32bit DOOLEY-FD3
    1/18/2010 9:31 Application Control Rules 1/18/2010 9:25 Minor DOOLEY-FD3 Block 1   Registry Write   1/18/2010 9:24 1/18/2010 9:24   Client services_Write Registry 2008 C:/WINDOWS/system32/wbem/wmiprvse.exe 0 No Module Name /REGISTRY/MACHINE/SYSTEM/CurrentControlSet/Services/WpsHelper/Performance 0 0 NETWORK SERVICE Default STFCONSULTING MSP STF- My Company\STF_MSP\DR EDWARD DOOLEY\Workstations 32bit DOOLEY-FD3
    1/18/2010 9:31 Application Control Rules 1/18/2010 9:25 Minor DOOLEY-FD3 Block 1   Registry Write   1/18/2010 9:24 1/18/2010 9:24   Client services_Write Registry 2008 C:/WINDOWS/system32/wbem/wmiprvse.exe 0 No Module Name /REGISTRY/MACHINE/SYSTEM/CurrentControlSet/Services/ccEvtMgr/Performance 0 0 NETWORK SERVICE Default STFCONSULTING MSP STF My Company\STF_MSP\DR EDWARD DOOLEY\Workstations 32bit DOOLEY-FD3
    1/18/2010 9:31 Application Control Rules 1/18/2010 9:25 Minor DOOLEY-FD3 Block 1   Registry Write   1/18/2010 9:24 1/18/2010 9:24   Client services_Write Registry 2008 C:/WINDOWS/system32/wbem/wmiprvse.exe 0 No Module Name /REGISTRY/MACHINE/SYSTEM/CurrentControlSet/Services/ccSetMgr/Performance 0 0 NETWORK SERVICE Default STFCONSULTING MSP STF- My Company\STF_MSP\\Workstations 32bit DOOLEY-FD3
    1/18/2010 9:31 Application Control Rules 1/18/2010 9:25 Minor DOOLEY-FD3 Block 1   Registry Write   1/18/2010 9:24 1/18/2010 9:24   Client services_Write Registry 2008 C:/WINDOWS/system32/wbem/wmiprvse.exe 0 No Module Name /REGISTRY/MACHINE/SYSTEM/CurrentControlSet/Services/EraserUtilRebootDrv/Performance 0 0 NETWORK SERVICE Default STFCONSULTING MSP STF- My Company\STF_MSP\\Workstations 32bit DOOLEY-FD3
    1/18/2010 9:31 Application Control Rules 1/18/2010 9:25 Minor DOOLEY-FD3 Block 1   Registry Write   1/18/2010 9:24 1/18/2010 9:24   Client services_Write Registry 2008 C:/WINDOWS/system32/wbem/wmiprvse.exe 0 No Module Name /REGISTRY/MACHINE/SYSTEM/CurrentControlSet/Services/SmcService/Performance 0 0 NETWORK SERVICE Default STFCONSULTING MSP STF- My Company\STF_MSP\\Workstations 32bit DOOLEY-FD3
    1/18/2010 9:31 Application Control Rules 1/18/2010 9:25 Minor DOOLEY-FD3 Block 1   Registry Write   1/18/2010 9:24 1/18/2010 9:24   Client services_Write Registry 2008 C:/WINDOWS/system32/wbem/wmiprvse.exe 0 No Module Name /REGISTRY/MACHINE/SYSTEM/CurrentControlSet/Services/SNAC/Performance 0 0 NETWORK SERVICE Default STFCONSULTING MSP STF- My Company\STF_MSP\\Workstations 32bit DOOLEY-FD3
    1/18/2010 9:31 Application Control Rules 1/18/2010 9:25 Minor DOOLEY-FD3 Block 1   Registry Write   1/18/2010 9:24 1/18/2010 9:24   Client services_Write Registry 2008 C:/WINDOWS/system32/wbem/wmiprvse.exe 0 No Module Name /REGISTRY/MACHINE/SYSTEM/CurrentControlSet/Services/SnacNp/Performance 0 0 NETWORK SERVICE Default STFCONSULTING MSP STF My Company\STF_MSP\ \Workstations 32bit DOOLEY-FD3
    1/18/2010 9:31 Application Control Rules 1/18/2010 9:25 Minor DOOLEY-FD3 Block 1   Registry Write   1/18/2010 9:24 1/18/2010 9:24   Client services_Write Registry 2008 C:/WINDOWS/system32/wbem/wmiprvse.exe 0 No Module Name /REGISTRY/MACHINE/SYSTEM/CurrentControlSet/Services/SPBBCDrv/Performance 0 0 NETWORK SERVICE Default STFCONSULTING MSP STF- My Company\STF_MSP\orkstations 32bit DOOLEY-FD3
    1/18/2010 9:31 Application Control Rules 1/18/2010 9:25 Minor DOOLEY-FD3 Block 1   Registry Write   1/18/2010 9:24 1/18/2010 9:24   Client services_Write Registry 2008 C:/WINDOWS/system32/wbem/wmiprvse.exe 0 No Module Name /REGISTRY/MACHINE/SYSTEM/CurrentControlSet/Services/SRTSP/Performance 0 0 NETWORK SERVICE Default STFCONSULTING MSP STF- My Company\STF_MSP\\Workstations 32bit DOOLEY-FD3
    1/18/2010 9:31 Application Control Rules 1/18/2010 9:25 Minor DOOLEY-FD3 Block 1   Registry Write   1/18/2010 9:24 1/18/2010 9:24   Client services_Write Registry 2008 C:/WINDOWS/system32/wbem/wmiprvse.exe 0 No Module Name /REGISTRY/MACHINE/SYSTEM/CurrentControlSet/Services/SRTSPL/Performance 0 0 NETWORK SERVICE Default STFCONSULTING MSP STF- My Company\STF_MSP\\Workstations 32bit DOOLEY-FD3
    1/18/2010 9:31 Application Control Rules 1/18/2010 9:25 Minor DOOLEY-FD3 Block 1   Registry Write   1/18/2010 9:24 1/18/2010 9:24   Client services_Write Registry 2008 C:/WINDOWS/system32/wbem/wmiprvse.exe 0 No Module Name /REGISTRY/MACHINE/SYSTEM/CurrentControlSet/Services/SRTSPX/Performance 0 0 NETWORK SERVICE Default STFCONSULTING MSP STF My Company\STF_MSP\\Workstations 32bit DOOLEY-FD3



  • 2.  RE: Enabling Application and Device Control (Logging Only) Caused Outage at Several Customers

    Posted Jan 18, 2010 12:48 PM
     Once you edit the policy that you enabled and go to Actions, what is it set to?




  • 3.  RE: Enabling Application and Device Control (Logging Only) Caused Outage at Several Customers

    Posted Jan 18, 2010 12:49 PM
    Here it says "Block", so it blocked it. Are you sure about your policies?
    :)


  • 4.  RE: Enabling Application and Device Control (Logging Only) Caused Outage at Several Customers

    Posted Jan 18, 2010 12:53 PM
    This is how it was set up.

    Capture4.PNG


  • 5.  RE: Enabling Application and Device Control (Logging Only) Caused Outage at Several Customers

    Posted Jan 18, 2010 12:54 PM
    Also, the logs say I was in test mode. Could this be a potential bug?


  • 6.  RE: Enabling Application and Device Control (Logging Only) Caused Outage at Several Customers

    Posted Jan 18, 2010 12:59 PM
    Even if it's in log only:
    if you edit the policy and check Registry Access (Protect client files) for Create and Delete, it's always Block. I think you should have changed this; did you?


  • 7.  RE: Enabling Application and Device Control (Logging Only) Caused Outage at Several Customers

    Posted Jan 18, 2010 01:01 PM
    This is what I took from the help file:

    About Test mode

    When you create an application control rule set, you create it in the default mode, which is Test (log only) mode. Test mode lets you test your rules before you enable them. In Test mode, no actions are applied, but the actions that you have configured are logged as if they had been applied. Using Test mode, you can assign the policy to groups and locations and generate a client Control log. Examine the client Control logs for errors and make corrections to the rule as necessary. When the policy operates as you expect it to, you can change the mode to Production mode to implement the application control rule set.

    A best practice is to run all rule sets in Test mode for a period of time before you switch them to Production mode. This practice reduces the potential for the problems that can occur when you do not anticipate all the possible ramifications of a rule.



  • 8.  RE: Enabling Application and Device Control (Logging Only) Caused Outage at Several Customers

    Posted Jan 18, 2010 01:06 PM

    I am using the default rule that came with SEP. It was definitely in TEST mode and stuff was being blocked very aggressively. I definitely think that something is not right here. I really did not do anything that was out of the ordinary. All I did was take one of the default rules, enable it, and change it to Log Only.



  • 9.  RE: Enabling Application and Device Control (Logging Only) Caused Outage at Several Customers

    Posted Jan 18, 2010 01:16 PM
    In test mode it's just supposed to log only; it should not take any actions.
    However, the report would say as though it is blocked:
     "In Test mode, no actions are applied, but the actions that you have configured are logged as if they had been applied."

    It might not have blocked it but would say it's blocked.
    Are you sure this was an issue with SEP only?
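An added example, not from the thread or from Symantec: a small Python triage of an exported Application and Device Control log that separates Block entries recorded under Test Mode = 1 (logged as if applied, per the help text quoted above) from those under Test Mode = 0 (actually enforced). The column names follow the log header quoted in the first post; the sample rows are constructed, and the Test Mode = 0 row in particular has no counterpart in the thread.

```python
import csv
import io
from collections import Counter

# Constructed sample export (tab-separated) using a subset of the column names
# from the Application and Device Control log header quoted in the thread. Rows
# are illustrative, not the poster's data; the Test Mode = 0 row is made up.
SAMPLE_LOG = "\t".join([
    "Time Stamp", "Event Type", "Host Name", "Action", "Test Mode",
    "Rule Name", "Caller Process Name", "Parameter",
]) + "\n" + "\n".join([
    "1/18/2010 9:49\tApplication Control Driver\tDOOLEY-OP4A\tContinue\t0"
    "\tBuilt-in rule\tSysPlant\tNone",
    "1/18/2010 9:24\tApplication Control Rules\tDOOLEY-FD3\tBlock\t1"
    "\tClient services_Write Registry\tC:/WINDOWS/system32/wbem/wmiprvse.exe"
    "\t/REGISTRY/MACHINE/SYSTEM/CurrentControlSet/Services/SymEvent/Performance",
    "1/18/2010 9:24\tApplication Control Rules\tDOOLEY-FD3\tBlock\t1"
    "\tClient services_Write Registry\tC:/WINDOWS/system32/wbem/wmiprvse.exe"
    "\t/REGISTRY/MACHINE/SYSTEM/CurrentControlSet/Services/SNAC/Performance",
    "1/18/2010 9:30\tApplication Control Rules\tDOOLEY-FD3\tBlock\t0"
    "\tBlock modifications to hosts file\tC:/WINDOWS/notepad.exe"
    "\tC:/WINDOWS/system32/drivers/etc/hosts",
])


def triage(export_text):
    """Split Block events by the Test Mode column.

    Test Mode = 1: the Block was only logged as if applied (help-file
    semantics).  Test Mode = 0: the client really blocked the operation.
    Returns ({"simulated": Counter, "enforced": Counter}, non_block_count),
    with Counters keyed by (Rule Name, Caller Process Name).
    """
    reader = csv.DictReader(io.StringIO(export_text), delimiter="\t")
    buckets = {"simulated": Counter(), "enforced": Counter()}
    non_block = 0
    for row in reader:
        if row["Action"] != "Block":
            non_block += 1
            continue
        key = "simulated" if row["Test Mode"] == "1" else "enforced"
        buckets[key][(row["Rule Name"], row["Caller Process Name"])] += 1
    return buckets, non_block


def enforced_rules(export_text):
    """Rule sets whose blocks were real: the ones to check in the policy
    editor first when an outage follows a policy change."""
    buckets, _ = triage(export_text)
    return sorted({rule for rule, _proc in buckets["enforced"]})
```

If every Block row lands in the "simulated" bucket, the log is consistent with the help text and the cause of the outage should be looked for elsewhere, as the previous reply suggests.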


  • 10.  RE: Enabling Application and Device Control (Logging Only) Caused Outage at Several Customers

    Posted Jan 18, 2010 01:27 PM
    I am very confident that the issue was related to SEP, because at both customers we had just recently installed it: one this past Friday and the other on Saturday. On one of the machines we had to completely remove SEP to get it back up and running, because we did not realize that it had something to do with this policy.