ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Critical System Protection - Data Center Security Intrusion Prevention System Policy fine tuning

book

Article ID: 169942

calendar_today

Updated On:

Products

Data Center Security Server

Issue/Introduction

A quick reference guide used to fine tune a Policy by viewing a direct Event that is in the Denied disposition, as well as updating Sandbox Events based upon Violations.

Environment

Data Center Security Java Console

Resolution

1. Please reproduce the issue and observe the Events directly on the Agent in the Event Viewer, in the Java Console or in UMC. Please find Events showing that the specific action has been denied. In the Event Details you will see Disposition Denied like in the example below:

EVENT DETAILS

Description Registry Write Denied for WSQMCONS.EXE on \REGISTRY\MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters
Policy Name sym_win_HyperV_DCSA_Prevention
Internal Rule OV:r1
Process C:\WINDOWS\SYSTEM32\WSQMCONS.EXE
Registry Key \REGISTRY\MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters
Agent State Windows Service Process/Sub-Process
Disposition Denied
Sandbox basic_ps
Operation NtOpenKey
OS Result ffffffff
SDCSS Result C0000022 (ACCESS_DENIED)
Permissions Requested 000F001F (delete, read_control, write_dac, write_owner, query_value, set_value, create_sub_key, enum_sub_keys, notify)
Process ID 26964
Thread ID 27044
Process Signature Microsoft OS Component (000b9037)
Module Signature Unsigned (00000000)

2. Please take a note of the SandBox, Process or Registry Key involved depending on the Event content:

C:\WINDOWS\SYSTEM32\WSQMCONS.EXE

\REGISTRY\MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters

Sandbox basic_ps


3. Edit the Policy and click on Advanced and check "Show options normally hidden in the Policy".

4. Depending on the content of the Event and the goal you want to achieve, select specific option in Policy Settings and add the rule allowing the problematic process to run.

Additional Information

Note: Depending on the IPS Policy (See a comprehensive list below), you may also add violation Events in a given Sandbox with "Update Sandboxes from Violation Events":

  1. Edit the Policy
  2. Click Advanced in the lower-right corner
  3. Click on "update Sandboxes from Violation Events" which is effective while profiling with Log but do not Deny
  4. Retrieve violations from a custom date range
  5. Next
  6. Select the Event(s) in question and Next
  7. Confirm and Add and update the Policy as necessary and locate the Sandbox where they have been updated to now see their proper format within the Policy

Policy examples with this feature include:

  • sym_win_app_control
  • sym_win_basic
  • sym_win_domain_controller_workload
  • sym_win_entry_point_protection
  • sym_win_exchange_workload
  • sym_win_hardened
  • sym_win_iexplore_workload
  • sym_win_iis_workload
  • sym_win_msoffice_workload
  • sym_win_mssqlsrv_workload
  • sym_win_oracledb_workload
  • sym_win_outlook_workload
  • sym_win_sdcss_manager_workload