1 Reply Latest reply on Sep 6, 2017 8:50 AM by bretzeli

    Adaptive Threat Protection is preventing apps in observe mode

    bblanchard

      I'm currently running ENS 10.5 (Threat protection, web control and ATP) and ATP is currently configured in observe mode.

       

      I'm using PIA's openvpn client application and ATP is preventing it from operating correctly:

       

      ----

      cmd /c route delete 0.0.0.0 192.168.250.1

      created process

      #<Errno::ECONNREFUSED: No connection could be made because the target machine actively refused it. - connect(2)>

      C:/Users/user/AppData/Local/Temp/ocrD74.tmp/lib/ruby/site_ruby/1.9.1/openvpn_manager.rb:1210:in `initialize'

      C:/Users/user/AppData/Local/Temp/ocrD74.tmp/lib/ruby/site_ruby/1.9.1/openvpn_manager.rb:1210:in `open'

      C:/Users/user/AppData/Local/Temp/ocrD74.tmp/lib/ruby/site_ruby/1.9.1/openvpn_manager.rb:1210:in `block (2 levels) in cmd'

      C:/Users/user/AppData/Local/Temp/ocrD74.tmp/lib/ruby/site_ruby/1.9.1/pia_common.rb:291:in `timeout'

      C:/Users/user/AppData/Local/Temp/ocrD74.tmp/lib/ruby/site_ruby/1.9.1/openvpn_manager.rb:1209:in `block in cmd'

      ----

       

      According to these logs, something is blocking PIA from configuring the default route during its initialization process. As soon as I disabled ATP, the VPN connection came up successfully.

      I can then re-enable ATP and I have no issues afterward.

       

      ENS logs show this:

       

      ---

      01/05/2017 11:33:28.635 AM   mfeatp(4388.1904) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:646): Failed to set new reputation for process C:\WINDOWS\SYSWOW64\ROUTE.EXE, result:0xc0300020

      01/05/2017 11:33:28.678 AM   mfeatp(4388.9244) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:646): Failed to set new reputation for process C:\WINDOWS\SYSWOW64\CMD.EXE, result:0xc0300020

      01/05/2017 11:33:28.882 AM   mfeatp(4388.7824) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:646): Failed to set new reputation for process C:\WINDOWS\SYSWOW64\IPCONFIG.EXE, result:0xc0300020

      01/05/2017 11:33:33.891 AM   mfeatp(4388.1812) <SYSTEM> Orchestrator.JTI.Error (jti_native.cpp:269): Unable to scan object C:\WINDOWS\SYSTEM32\CONHOST.EXE, 0xc0310026

      ---

       

      It seems like ATP tries and fails to set the reputation for these Windows processes, which prevents the VPN client from completing its connection.

       

      Since these are signed Windows processes, shouldn't ATP already have the reputation for them?

        • 1. Re: Adaptive Threat Protection is preventing apps in observe mode
          bretzeli

          Hello,

           

          Did you ever resolve this, or any similar case? We have the same issue with ENS 10.5.2 and TIE-Server. We currently have 2 cases open with development for this issue.

          Same argument from my side: these are LOW-LEVEL Microsoft Windows core services like Windows Installer and the CMD.exe shell. We assume that those few are hard-coded and in memory during runtime for most Windows OS versions.

           

          If you have any info, please let us know...

           

           

          09/06/2017 08:02:46.101 AM   mfeatp(9884.3092) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:748): Failed to finalize reputation for file C:\WINDOWS\SERVICING\TRUSTEDINSTALLER.EXE. ErrorCode 0xc030002f

          08/31/2017 01:53:12.293 PM   mfeatp(3120.5624) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:748): Failed to finalize reputation for file C:\WINDOWS\SYSTEM32\MSIEXEC.EXE. ErrorCode 0xc030002f

          08/31/2017 01:53:12.497 PM   mfeatp(3120.5624) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:748): Failed to finalize reputation for file C:\WINDOWS\SYSWOW64\MSIEXEC.EXE. ErrorCode 0xc030002f

          08/31/2017 01:53:26.668 PM   mfeatp(3120.5624) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:748): Failed to finalize reputation for file C:\WINDOWS\SYSWOW64\MSIEXEC.EXE. ErrorCode 0xc030002f

          08/31/2017 01:53:37.248 PM   mfeatp(3120.5624) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:748): Failed to finalize reputation for file C:\WINDOWS\SYSWOW64\MSIEXEC.EXE. ErrorCode 0xc030002f

          08/29/2017 12:40:52.139 PM   mfeesp(2948.5820) <SYSTEM> ApBl.AP.Error (XModule.cpp:67): Open existing file LastErr 0x00000020 The process cannot access the file because it is being used by another process.

          08/29/2017 12:45:05.208 PM   mfeatp(3196.5364) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\SYSTEM32\CMD.EXE. ErrorCode 0xc030002f

          08/29/2017 12:49:22.309 PM   McTray(1228.4684) <win7> McTray.McTrayUPC.Error (dllmain.cpp:1418): GetProperties failed for Firewall State with error = 0x80000101

          08/29/2017 12:49:34.596 PM   mfeatp(3196.5364) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\SYSTEM32\CMD.EXE. ErrorCode 0xc030002f

          08/29/2017 12:51:37.692 PM   mfeatp(3196.5364) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\SYSTEM32\CMD.EXE. ErrorCode 0xc030002f

          08/29/2017 12:52:37.797 PM   McTray(1228.4684) <win7> McTray.McTrayUPC.Error (dllmain.cpp:1418): GetProperties failed for Firewall State with error = 0x80000101

          08/29/2017 12:52:49.509 PM   McTray(1228.4684) <win7> McTray.McTrayUPC.Error (dllmain.cpp:1418): GetProperties failed for Firewall State with error = 0x80000101

          08/29/2017 12:53:01.348 PM   mfeesp(2948.4432) <SYSTEM> Logger.LOGGER.Error (loggerbl.cpp:707): Failed to set path (C:\%DEFLOGDIR%\AccessProtection_Activity.log) for AccessProtection_Activity

          08/29/2017 12:53:01.350 PM   mfeesp(2948.2112) <SYSTEM> LPC.CommonLPC.Error (common_policy_enforcement.cpp:625): BLSetPropertiesEx failed for property logpath,retval = -1072431103

          08/29/2017 12:58:33.507 PM   mfeatp(3196.5364) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\SYSTEM32\NOTEPAD.EXE. ErrorCode 0xc030002f
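Both posts above paste raw ENS debug log lines and eyeball them for the Orchestrator.JCM reputation failures. The script below is an added example for triaging those excerpts; it is not code from McAfee, PIA or either poster. It parses the ENS log line layout as it appears in the quoted lines, tallies the JCM "Failed to set new reputation" / "Failed to finalize reputation" errors by result code and binary, and groups them into short time bursts so a burst can be lined up against the VPN client's own trace (which shows cmd.exe and route.exe being launched at the moment the connection fails). The regular expressions are assumptions about the log format derived only from the quoted lines, the sample input is copied from the two posts, and the 5-second burst gap is an arbitrary choice.

```python
"""Triage helper for the ENS ATP log excerpts quoted in this thread.

Added example, not code from McAfee, PIA or either poster. The line layout,
the two JCM message variants and the burst gap are assumptions taken only
from the lines quoted in the thread.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Layout seen in the quoted lines:
#   MM/DD/YYYY HH:MM:SS.mmm AM   module(pid.tid) <context> Comp.Sub.Level (file.cpp:N): message
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [AP]M)\s+"
    r"(?P<module>\w+)\((?P<pid>\d+)\.(?P<tid>\d+)\)\s+"
    r"<(?P<context>[^>]*)>\s+"
    r"(?P<component>[\w.]+)\s+"
    r"\((?P<src>[^)]+)\):\s+"
    r"(?P<msg>.*)$"
)

# The two JCM message variants quoted in the thread (ENS 10.5 and 10.5.2).
REPUTATION_RE = re.compile(
    r"Failed to (?P<action>set new reputation for process|finalize reputation for file) "
    r"(?P<path>[A-Za-z]:\\.+?\.[A-Za-z0-9]+)"
    r"(?:, result:|\. ErrorCode )(?P<code>0x[0-9a-fA-F]+)"
)

# Lines copied from the two posts above; the JTI and McTray lines are kept to
# show that anything other than a JCM reputation failure is ignored.
SAMPLE_LINES = [
    r"01/05/2017 11:33:28.635 AM   mfeatp(4388.1904) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:646): Failed to set new reputation for process C:\WINDOWS\SYSWOW64\ROUTE.EXE, result:0xc0300020",
    r"01/05/2017 11:33:28.678 AM   mfeatp(4388.9244) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:646): Failed to set new reputation for process C:\WINDOWS\SYSWOW64\CMD.EXE, result:0xc0300020",
    r"01/05/2017 11:33:28.882 AM   mfeatp(4388.7824) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:646): Failed to set new reputation for process C:\WINDOWS\SYSWOW64\IPCONFIG.EXE, result:0xc0300020",
    r"01/05/2017 11:33:33.891 AM   mfeatp(4388.1812) <SYSTEM> Orchestrator.JTI.Error (jti_native.cpp:269): Unable to scan object C:\WINDOWS\SYSTEM32\CONHOST.EXE, 0xc0310026",
    r"09/06/2017 08:02:46.101 AM   mfeatp(9884.3092) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:748): Failed to finalize reputation for file C:\WINDOWS\SERVICING\TRUSTEDINSTALLER.EXE. ErrorCode 0xc030002f",
    r"08/31/2017 01:53:12.293 PM   mfeatp(3120.5624) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:748): Failed to finalize reputation for file C:\WINDOWS\SYSTEM32\MSIEXEC.EXE. ErrorCode 0xc030002f",
    r"08/31/2017 01:53:12.497 PM   mfeatp(3120.5624) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:748): Failed to finalize reputation for file C:\WINDOWS\SYSWOW64\MSIEXEC.EXE. ErrorCode 0xc030002f",
    r"08/29/2017 12:45:05.208 PM   mfeatp(3196.5364) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\SYSTEM32\CMD.EXE. ErrorCode 0xc030002f",
    r"08/29/2017 12:49:22.309 PM   McTray(1228.4684) <win7> McTray.McTrayUPC.Error (dllmain.cpp:1418): GetProperties failed for Firewall State with error = 0x80000101",
    r"08/29/2017 12:58:33.507 PM   mfeatp(3196.5364) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\SYSTEM32\NOTEPAD.EXE. ErrorCode 0xc030002f",
]


def parse_line(line):
    """Parse one ENS log line into a dict; None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %I:%M:%S.%f %p")
    rep = REPUTATION_RE.search(rec["msg"])
    if rep:  # only JCM reputation failures get action/path/code fields
        rec["action"], rec["path"], rec["code"] = rep["action"], rep["path"].upper(), rep["code"].lower()
    return rec


def reputation_failures(lines):
    """JCM reputation failures, oldest first (the reply pasted them out of order)."""
    recs = (parse_line(l) for l in lines)
    return sorted((r for r in recs if r and "code" in r and r["component"].startswith("Orchestrator.JCM")),
                  key=lambda r: r["ts"])


def failures_by_code(events):
    """{result code: Counter(binary)} so repeat offenders stand out."""
    by_code = defaultdict(Counter)
    for r in events:
        by_code[r["code"]][r["path"]] += 1
    return by_code


def bursts(events, gap_seconds=5.0):
    """Group failures less than gap_seconds apart; returns [(first_ts, last_ts, [paths])].
    A tight burst of route/cmd/ipconfig is what to line up against the VPN client's
    connection attempt. The 5 s gap is an arbitrary choice, not anything ENS defines."""
    out = []
    for r in events:
        if out and (r["ts"] - out[-1][1]).total_seconds() < gap_seconds:
            first, _, paths = out[-1]
            out[-1] = (first, r["ts"], paths + [r["path"]])
        else:
            out.append((r["ts"], r["ts"], [r["path"]]))
    return out


if __name__ == "__main__":
    ev = reputation_failures(SAMPLE_LINES)
    for code, binaries in sorted(failures_by_code(ev).items()):
        print(code, dict(binaries))
    for first, last, paths in bursts(ev):
        names = [p.rsplit("\\", 1)[-1] for p in paths]
        print(f"{first:%Y-%m-%d %H:%M:%S}  {len(paths)} failure(s) in "
              f"{(last - first).total_seconds():.3f}s: {', '.join(names)}")
```

Run against a real ENS debug log, replace SAMPLE_LINES with the file's lines; the 0xc0300020 burst of route.exe, cmd.exe and ipconfig.exe within a quarter of a second is the pattern to match against the timestamp of the VPN client's `route delete` failure.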