Intrusion Prevention blocking does not occur when User Access Control (UAC) is set to default

Article ID: 164087

Products

Embedded Security Critical System Protection Data Center Security Server Advanced

Issue/Introduction

You deploy an Intrusion Prevention policy that was tested on a client machine with User Access Control (UAC) disabled to a host that has UAC enabled.

You observe that after accepting the UAC prompt, the protected resource is no longer blocked.

Environment

SES CSP 7.0 MP1 installed on Windows 7 Professional SP1 with User Access Control (UAC) set to the default, "Notify me only when programs try to make changes to my computer".


Cause

When a desktop user launches a Windows application such as regedit.exe and accepts the UAC prompt, the elevated process is started by svchost.exe rather than by explorer.exe, so its parent process changes from explorer.exe to svchost.exe. The protection rule configured in the Windows Default Services sandbox is not sufficient to control the child process started by svchost.exe, so the resource is not blocked.
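To confirm the re-parenting on an affected host before changing the policy, the following PowerShell snippet lists every running regedit.exe together with the name and command line of its parent process. This is an added example written for this article, not a Symantec or CSP tool; it uses only the standard Win32_Process WMI class, and the function name Get-ParentInfo is a hypothetical name chosen here. With UAC at the default setting and the prompt accepted, the parent reported is svchost.exe, and the parent command line shows which service group (the `-k` argument) that svchost.exe instance hosts; with UAC disabled, the parent is explorer.exe.

```powershell
# Added example (not from the original article): show the parent process of
# each running regedit.exe so the UAC re-parenting from explorer.exe to
# svchost.exe can be verified on the host where blocking fails.
function Get-ParentInfo {
    param([string]$ProcessName = 'regedit.exe')

    Get-CimInstance Win32_Process -Filter "Name = '$ProcessName'" | ForEach-Object {
        # Look up the parent by PID. If the parent has already exited, the PID
        # may have been reused, so treat a missing or younger parent as unknown.
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        $parentName = '<exited>'
        $parentCmd  = $null
        if ($parent -and $parent.CreationDate -le $_.CreationDate) {
            $parentName = $parent.Name
            $parentCmd  = $parent.CommandLine
        }

        [pscustomobject]@{
            Process   = $_.Name
            PID       = $_.ProcessId
            ParentPID = $_.ParentProcessId
            Parent    = $parentName
            ParentCmd = $parentCmd
        }
    }
}

# Usage: run while regedit.exe is open, once with UAC at its default setting
# and once with UAC disabled, and compare the Parent column.
Get-ParentInfo | Format-Table -AutoSize
```

Get-CimInstance requires PowerShell 3.0 or later; on a Windows 7 SP1 host that still runs PowerShell 2.0, replace both calls with Get-WmiObject Win32_Process using the same -Filter arguments. The parent name and service group shown by this check are what the extra NETSVC sandbox rule in the Resolution has to cover.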

Resolution

Modify the prevention policy and add an extra rule in the NETSVC sandbox to block regedit.exe from starting, so that the process is blocked whether its parent is explorer.exe or svchost.exe.
