A user tested a PROGRAM class rule, but the rule does not take effect. In addition, the access event is not recorded in the audit log.
Rules:
    setoptions class+(PROGRAM)
    er PROGRAM ('C:\Windows\System32\notepad.exe') owner(nobody) defacc(none) blockrun- audit(a)
    authorize PROGRAM ('C:\Windows\System32\notepad.exe') access(EXECUTE) uid('hostname\\Administrator')
The rule does take effect on another server, which is running 2012 R2.
Environment
OS: Windows Server 2016
Product: CA Privileged Access Manager r14.0 CR1 for Endpoint
Cause
I compared the settings on the normal and the problematic server. Then I found that the FILE class is disabled on the problematic server. When I checked the behavior with the tracer's log, the PROGRAM class check is triggered by FILE access. It is not caused by a difference in OS and PIM/PAMSC version.