
Intrusion Prevention blocking does not occur when User Access Control (UAC) is set to default


Article ID: 164087




Embedded Security Critical System Protection, Data Center Security Server Advanced


You deploy an Intrusion Prevention policy to a host that has User Access Control (UAC) enabled. The policy was tested on a client machine that has UAC disabled.

You observe that after accepting the UAC popup, the protected resource is no longer blocked.


SES CSP 7.0 MP1 installed on Windows 7 Professional SP1 with User Access Control (UAC) set to the default, "Notify me only when programs try to make changes to my computer".





When a desktop user launches a Windows application such as regedit.exe, UAC changes the parent process from explorer.exe to svchost.exe. The protection rule configured in the Windows Default Services sandbox is not sufficient to protect the child process started by svchost.exe.


Modify the prevention policy and add an extra rule for the NETSVC sandbox in order to block regedit.exe from starting.