SCSP: Not selecting a sigflags value for a sandbox execution options list of services that may not run results in the Q01 service flag sigflags attribute being dropped from the minus file.


Article ID: 158997

Products

Critical System Protection Client Edition
Data Center Security Server Advanced

Issue/Introduction

Not selecting a sigflags value for a sandbox execution options list of services
that may not run results in the Q01 service flag sigflags attribute being dropped
from the minus file.

1. Create a 6.0 policy with strategy=basic
2. Edit the policy
3. Click Advanced option
4. Under Advanced Policy Settings, click Sandboxes
5. Scroll down to the "Fully Open Sandbox" and click Edit
6. Under Sandbox Execution Options, check the Edit box next to "Programs the Fully Open Services may not run" and click Edit
7. Click Add
8. Enter C:\test.exe for Program Path
9. Leave Signature Flag blank
10. Enter NoRunRuleName for Rule Name
11. Click OK
12. Save the policy
13. Apply the policy to an agent

Expected Result:

The minus file should contain a sigflags attribute carrying the service flag value (Q01).

Actual result:

The sigflags attribute is missing. The rule as it appears in the saved policy:

    <psetdef name="fullopen_ps">
      <usebcd bcd="sym_win_prot_fullopen_bcd"/>
      <create log="off" profile="off"/>
      <assign cmdline="on" log="on" profile="off" severity="I"/>
      <destroy log="off" profile="off"/>
      <execute log="off" profile="off" response="allow"/>
      <newproc>
        <map pset="deny_ps" ruleid="e.NoRunRuleName">
          <attr string="\??\C:\test.exe" type="path"/>
        </map>


Below is the corresponding portion of the Minus file where the sigflags=Q01
entry is missing:

   <string id="1536" type="path" value="\??\C:\test.exe"/>

    <psetdef name="fullopen_ps">
      <usebcd bcd="sym_win_prot_fullopen_bcd"/>
      <create log="off" profile="off"/>
      <assign cmdline="on" log="on" profile="off" severity="I"/>
      <destroy log="off" profile="off"/>
      <execute log="off" profile="off" response="allow"/>
      <newproc>
        <map pset="deny_ps" ruleid="e.NoRunRuleName">
          <attr string="1536" type="path"/>   ---> sigflags attribute is missing
        </map>
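The following script is an added check for this KB, not Symantec/Broadcom code: it parses a minus-file fragment, resolves the string-table indirection shown above (attr string="1536" refers to the <string id="1536"> entry), and reports every deny-rule path entry that carries no sigflags attribute. It assumes that, when present, the attribute appears as sigflags="Q01" on the <attr> element or its parent <map>; the KB does not show the exact element, so both are checked. The XML sample is constructed from the fragments above and closed so that it parses.

```python
"""Report deny rules whose path entry lacks a sigflags attribute.

Added example for KB 158997; not Symantec/Broadcom code. Assumption: the
signature flag, when present, is an attribute named sigflags on the <attr>
or <map> element of the compiled (minus) policy.
"""
import xml.etree.ElementTree as ET

# Constructed sample based on the KB's minus-file fragment (closed so it parses).
# e.NoRunRuleName reproduces the defect; e.OtherRule shows the expected form.
SAMPLE_MINUS = r"""<policy>
  <string id="1536" type="path" value="\??\C:\test.exe"/>
  <string id="1537" type="path" value="\??\C:\other.exe"/>
  <psetdef name="fullopen_ps">
    <usebcd bcd="sym_win_prot_fullopen_bcd"/>
    <newproc>
      <map pset="deny_ps" ruleid="e.NoRunRuleName">
        <attr string="1536" type="path"/>
      </map>
      <map pset="deny_ps" ruleid="e.OtherRule">
        <attr string="1537" type="path" sigflags="Q01"/>
      </map>
    </newproc>
  </psetdef>
</policy>"""

# Constructed sample in the uncompiled policy form, where the path is inline.
SAMPLE_POLICY = r"""<policy>
  <psetdef name="fullopen_ps">
    <newproc>
      <map pset="deny_ps" ruleid="e.NoRunRuleName">
        <attr string="\??\C:\test.exe" type="path"/>
      </map>
    </newproc>
  </psetdef>
</policy>"""


def load_string_table(root):
    """Map <string id="..." value="..."/> entries to their values."""
    return {s.get("id"): s.get("value") for s in root.iter("string") if s.get("id")}


def resolve_path(attr, strings):
    """Return the path for an <attr>, following a string-table id if used."""
    ref = attr.get("string", "")
    # Minus files reference the string table; policy files carry the path inline.
    return strings.get(ref, ref)


def find_missing_sigflags(xml_text):
    """Return (psetdef, ruleid, path) for every path entry with no sigflags."""
    root = ET.fromstring(xml_text)
    strings = load_string_table(root)
    missing = []
    for pset in root.iter("psetdef"):
        for rule in pset.iter("map"):
            for attr in rule.findall("attr"):
                if attr.get("type") != "path":
                    continue
                # Assumption: sigflags may sit on the attr or on its map.
                flags = attr.get("sigflags") or rule.get("sigflags")
                if not flags:
                    missing.append(
                        (pset.get("name"), rule.get("ruleid"), resolve_path(attr, strings))
                    )
    return missing


if __name__ == "__main__":
    for label, sample in (("minus", SAMPLE_MINUS), ("policy", SAMPLE_POLICY)):
        for pset, ruleid, path in find_missing_sigflags(sample):
            print(f"[{label}] psetdef={pset} rule={ruleid} path={path}: sigflags missing")
```

Run it against the agent's minus file (or an exported policy) by replacing the constructed samples; any rule it lists will be compiled without the Q01 service flag, which is the symptom this KB describes.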

Resolution

This is still an open defect, and we will update this KB once we have a workaround or a solution for this issue.