7 Replies Latest reply on Jan 9, 2015 11:45 AM by neelima

    All kinds of App control issues

      I have a few SRs open on app control, but wanted to see if anyone had input hear.  We are testing app control on some end users systems that need a high level of protection.  We see a few issues:

       

        • properly configured updaters still being blocked.  example, we get dozens of events from C:\windows\system32\driverstore directory where most windows services; services.exe, svchost.exe, etc, are getting write denied messages.. hundreds
        • wscript.exe not being allowed, but it's in as an updater
        • Computers with solidcore lock up on shutdown.  They are all running win7 and get to "shutting down" and freeze; put solidcore into update mode, they shutdown fine
        • finally, a few of these systems are having a big issue in that they will lock up after being logged into for a number of minutes consistantly.  Disable Solidcore, and no more problems.

       

      Any thoughts, or input from anyone on this?

        • 1. All kinds of App control issues

          Tony,

           

          Regarding your first issue: Even if you see services.exe/svchost.exe getting write denied message while accessing driverstore, any of thedevice like printers, USB etc. when you connect to the system, are they functioning properly? How about the system behaviour - is it normal?

           

          Wscripts.exe should work. Try also adding wscript to binary list as a hash.

           

          Issue 3 and 4 : I am working with solidcore more than a year, never seen those behaviours. Do you have an encryption s/w installed which controls the screen and system locking?

           

          - AB

          • 2. All kinds of App control issues

            The systems do seem to run properly, other than the lock up issues.  Software doesn't seem to fail at this point.  I haven't really used the binary list at this point, do you use that list a lot?

             

            We do have encryped hard drives in these systems using wavesys software... disk level FDE.  Have you seen that be an issue?

             

            TK

            • 3. Re: All kinds of App control issues
              gearmesh

              Issue number 1:

              Can you verfify what the client considers approved (vs. what is in the console) by using the command line. This will verify the client has the policys

              sadmin updaters list

               

              Issue #2

              We had somthing similar with annother file. I will ask around.

               

              Issue #3

              We have this issue currently as well"

              • Computers with solidcore lock up on shutdown.  They are all running win7 and get to "shutting down" and freeze; put solidcore into update mode, they shutdown fine

               

              Issue #4

              We have heard of this issue but have not been able to recreate it

              • 4. Re: All kinds of App control issues
                meforum

                1st: have you added the pre-defined rules/rule groups that are called sth like "windows system" (or only system? or only windows? not sure so far), windows update, etc? (you can check / modify that groups ba duplicating).

                2nd:  is sth reported in OBSERVE mode that would be blocked? (if yes - create rule / policy from result; if not: maybe its its some script or so on a network share like logon/logoff scrips (you could add this SYSVOL... stuff as a trusted directory)

                • 5. Re: All kinds of App control issues
                  gearmesh

                  Reguarding : "Computers with solidcore lock up on shutdown"

                   

                  What we found was that the Software Deployment app: BigFix/TEM/IEM (what ever you call it this month) stops when it tries to read the file "C:Solidcore\_tdll.dll". Nothing gets displayed on the screen. Any time after that file is read, when a user goes to shutdown, the system will not do it, it hangs.

                   

                  When the file is read, this also stops the besclient.exe from functioning. Besclient is the software deployment agent used by BigFix/TEM/IEM.

                   

                  As best as we can tell the file "C:Solidcore\_tdll.dll" is read as part of an assessment for Microsoft Seecurity Patches by a Bigfix fixlet. A fixlet is a besclient script that can query a system for information.

                   

                  At this time we have opened a case with IBM for BigFix and McAfee for Application Control/Solidcore.

                   

                  These are all the same product. IBM keeps changing the name of it.

                  BigFix

                  Tivoli Endpoint Manager

                  IBM Endpoint Manager

                   

                  Message was edited by: gearmesh on 3/13/14 10:42:49 AM CDT
                  • 6. Re: All kinds of App control issues
                    vaidyanathan

                    Hi,

                     

                    I still have issues with Windows 7 systems where once the systems are solidified (MA 4.8, VSE 8.8 Solidcore 6.1.3)it hangs at "Shutting down" and have to do a hard reboot.

                     

                    Unsolidified systems works fine.

                     

                    Any ideas guys..?

                     

                    Thanks

                    • 7. Re: All kinds of App control issues

                      Tony,Vaidyanath,

                       

                      Issue4, can you provide a dump of the system when you see a hang. That's the fastest way to check where the issue is.

                       

                      Thanks,

                      Neelima