CSP - DCS IPS Policy fine tuning

Article ID: 169942

Products

Data Center Security Server

Resolution

1. Please reproduce the issue and observe the Events directly on the Agent in the Event Viewer, in the Java Console or in UMC. Look for Events showing that the specific action has been denied; in the Event Details the Disposition reads Denied, as in the example below:

EVENT DETAILS

Description: Registry Write Denied for WSQMCONS.EXE on \REGISTRY\MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters
Policy Name: sym_win_HyperV_DCSA_Prevention
Internal Rule: OV:r1
Process: C:\WINDOWS\SYSTEM32\WSQMCONS.EXE
Registry Key: \REGISTRY\MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters
Agent State: Windows Service Process/Sub-Process
Disposition: Denied
Sandbox: basic_ps
Operation: NtOpenKey
OS Result: ffffffff
SDCSS Result: C0000022 (ACCESS_DENIED)
Permissions Requested: 000F001F (delete, read_control, write_dac, write_owner, query_value, set_value, create_sub_key, enum_sub_keys, notify)
Process ID: 26964
Thread ID: 27044
Process Signature: Microsoft OS Component (000b9037)
Module Signature: Unsigned (00000000)

2. Please take note of the Sandbox, Process or Registry Key involved, depending on the Event content. In the example above these are:

Process: C:\WINDOWS\SYSTEM32\WSQMCONS.EXE

Registry Key: \REGISTRY\MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters

Sandbox: basic_ps

3. Edit the Policy, click on Advanced and check "Show options normally hidden in the Policy".

4. Depending on the content of the Event and the goal you want to achieve, select the specific option in Policy Settings and add the rule allowing the problematic process to run.
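An added triage helper for steps 1 and 2 (example code, not from the article or from the DCS product): it parses pasted Event Details into fields, keeps only Events whose Disposition is Denied, returns the Sandbox, Process and Registry Key needed for the policy rule, and decodes the Permissions Requested mask using the standard Windows registry access-right bits (an assumption about the mask layout; the names match the list DCS prints). The sample event is copied from the article's example.

```python
# Registry access-right bits as the Windows SDK defines them (assumed): standard
# rights in the high word, key-specific rights in the low word.
REG_RIGHTS = [
    (0x00010000, "delete"), (0x00020000, "read_control"),
    (0x00040000, "write_dac"), (0x00080000, "write_owner"),
    (0x00000001, "query_value"), (0x00000002, "set_value"),
    (0x00000004, "create_sub_key"), (0x00000008, "enum_sub_keys"),
    (0x00000010, "notify"), (0x00000020, "create_link"),
]

# Field labels as shown in the DCS Event Details pane; longest label is matched
# first so "Process ID" is not swallowed by "Process".
FIELDS = sorted(("Description", "Policy Name", "Internal Rule", "Process",
                 "Registry Key", "Agent State", "Disposition", "Sandbox",
                 "Operation", "OS Result", "SDCSS Result", "Permissions Requested",
                 "Process ID", "Thread ID", "Process Signature", "Module Signature"),
                key=len, reverse=True)

def parse_event(text):
    """Turn the pasted 'Label value' lines of one event into a dict."""
    event = {}
    for line in text.strip().splitlines():
        line = line.strip()
        for label in FIELDS:
            if line.startswith(label + " "):
                event[label] = line[len(label) + 1:].strip()
                break
    return event

def decode_rights(mask_field):
    """'000F001F (...)' -> right names decoded from the hex mask alone."""
    mask = int(mask_field.split()[0], 16)
    return [name for bit, name in REG_RIGHTS if mask & bit]

def tuning_inputs(event):
    """The values step 2 says to note, or None if the event is not a denial."""
    if event.get("Disposition") != "Denied":
        return None
    return {"sandbox": event.get("Sandbox"), "process": event.get("Process"),
            "resource": event.get("Registry Key"),
            "rights": decode_rights(event.get("Permissions Requested", "0"))}

# Constructed input: the event from the article, pasted as plain text.
SAMPLE = r"""
Description Registry Write Denied for WSQMCONS.EXE on \REGISTRY\MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters
Process C:\WINDOWS\SYSTEM32\WSQMCONS.EXE
Registry Key \REGISTRY\MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters
Disposition Denied
Sandbox basic_ps
Permissions Requested 000F001F (delete, read_control, write_dac, write_owner, query_value, set_value, create_sub_key, enum_sub_keys, notify)
Process ID 26964
"""
```

Running `tuning_inputs(parse_event(SAMPLE))` yields the sandbox, process and key to carry into step 4, and the decoded rights show the process asked for write and DAC access, not just a read.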