Critical System Protection - Data Center Security Intrusion Prevention System Policy fine tuning



Article ID: 169942




Data Center Security Server


A quick reference guide to fine-tuning a Policy by inspecting an Event with the Denied disposition, and to updating Sandboxes from Violation Events.


Data Center Security Java Console


1. Reproduce the issue and observe the Events directly on the Agent in the Event Viewer, in the Java Console, or in UMC. Look for Events showing that the specific action was denied: in the Event Details the Disposition reads Denied, as in the example below:


Description: Registry Write Denied for WSQMCONS.EXE on \REGISTRY\MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters
Policy Name: sym_win_HyperV_DCSA_Prevention
Internal Rule: OV:r1
Registry Key: \REGISTRY\MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters
Agent State: Windows Service Process/Sub-Process
Disposition: Denied
Sandbox: basic_ps
Operation: NtOpenKey
OS Result: ffffffff
Permissions Requested: 000F001F (delete, read_control, write_dac, write_owner, query_value, set_value, create_sub_key, enum_sub_keys, notify)
Process ID: 26964
Thread ID: 27044
Process Signature: Microsoft OS Component (000b9037)
Module Signature: Unsigned (00000000)

2. Take note of the Sandbox, Process or Registry Key involved, depending on the Event content. In the example above, the Sandbox is:

Sandbox: basic_ps

3. Edit the Policy and click on Advanced and check "Show options normally hidden in the Policy".

4. Depending on the content of the Event and the goal you want to achieve, select the specific option in Policy Settings and add the rule that allows the problematic process to run.
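As an added example (not from this article or from Broadcom), the helper below parses an Event Details block pasted as plain text, keeps only Events whose Disposition is Denied, and pulls out the Sandbox, process and Registry Key that step 2 says to note, decoding the Permissions Requested mask with the standard Windows registry access-right bits. The field labels and the sample Event are taken from this article; the function names are my own.

```python
import re
# Windows registry access-mask bits (winnt.h), in the order the Event Details
# line prints them: standard rights first, then the KEY_* specific rights.
REG_RIGHTS = [
    (0x00010000, "delete"), (0x00020000, "read_control"),
    (0x00040000, "write_dac"), (0x00080000, "write_owner"),
    (0x00000001, "query_value"), (0x00000002, "set_value"),
    (0x00000004, "create_sub_key"), (0x00000008, "enum_sub_keys"),
    (0x00000010, "notify"), (0x00000020, "create_link"),
]
FIELDS = ("Description", "Registry Key", "Disposition", "Sandbox",
          "Permissions Requested")

# Sample input: the Event Details from this article, pasted as plain text.
SAMPLE_EVENT = r"""
Description Registry Write Denied for WSQMCONS.EXE on \REGISTRY\MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters
Registry Key \REGISTRY\MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters
Disposition Denied
Sandbox basic_ps
Permissions Requested 000F001F
"""

def decode_registry_mask(mask):
    """Name every right set in a registry access mask; flag bits we don't know."""
    names = [name for bit, name in REG_RIGHTS if mask & bit]
    unknown = mask & ~sum(bit for bit, _ in REG_RIGHTS)
    if unknown:
        names.append("unknown_0x%08X" % unknown)
    return names

def parse_event(text):
    """Map each known field label at the start of a line to its value."""
    event = {}
    for line in text.strip().splitlines():
        for field in FIELDS:
            if line.startswith(field + " "):
                event[field] = line[len(field):].strip()
                break
    return event

def tuning_summary(text):
    """For a Denied event, return the items step 2 says to note; else None."""
    event = parse_event(text)
    if event.get("Disposition") != "Denied":
        return None
    mask = int(event.get("Permissions Requested", "0").split()[0], 16)
    proc = re.search(r" for (\S+) on ", event.get("Description", ""))
    return {"sandbox": event.get("Sandbox"), "registry_key": event.get("Registry Key"),
            "process": proc.group(1) if proc else None, "rights": decode_registry_mask(mask)}
```

Calling tuning_summary(SAMPLE_EVENT) returns the Sandbox basic_ps, the process WSQMCONS.EXE, the WinSock2 Parameters key and the nine rights the article lists for 000F001F.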

Additional Information

Note: Depending on the IPS Policy (see the comprehensive list below), you may also add violation Events to a given Sandbox with "Update Sandboxes from Violation Events":

  1. Edit the Policy
  2. Click Advanced in the lower-right corner
  3. Click on "Update Sandboxes from Violation Events" (this is effective while profiling with "Log but do not Deny")
  4. Retrieve violations from a custom date range
  5. Next
  6. Select the Event(s) in question and Next
  7. Confirm and Add, then update the Policy as necessary and locate the Sandbox that was updated to see the Events in their proper format within the Policy

Policy examples with this feature include:

  • sym_win_app_control
  • sym_win_basic
  • sym_win_domain_controller_workload
  • sym_win_entry_point_protection
  • sym_win_exchange_workload
  • sym_win_hardened
  • sym_win_iexplore_workload
  • sym_win_iis_workload
  • sym_win_msoffice_workload
  • sym_win_mssqlsrv_workload
  • sym_win_oracledb_workload
  • sym_win_outlook_workload
  • sym_win_sdcss_manager_workload