Getting a file block from our Bit9 client. conf_processes.exe is trying to run nimbus_aes.dll

Article ID: 388359

Products

  • DX Unified Infrastructure Management (Nimsoft / UIM)
  • CA Unified Infrastructure Management On-Premise (Nimsoft / UIM)
  • CA Unified Infrastructure Management SaaS (Nimsoft / UIM)

Issue/Introduction

"Bit9 blocked an attempt by conf_processes.exe to run nimbus_aes.dll on XXXXXXXX because the file is not approved software."

Files:
c:\users\xxxxxxxx\appdata\local\temp\4\util\conf_processes.exe

is trying to run:

c:\users\xxxxxxxx\appdata\local\temp\4\util\nimbus_aes.dll

This is happening on one of our hubs. We haven't updated anything on the hub recently, and only started getting these blocks yesterday.

Please provide some context as to what these files are, and why the conf_processes.exe is calling the nimbus_aes.dll?  We need some background to justify allowing this, for our security team.

Environment

  • DX UIM 20.4 or higher

Cause

  • Bit9 security scan/blocking

Resolution

  • What are the conf_<probe_name>.exe files, and why does conf_processes.exe call nimbus_aes.dll?

  • Each conf_<probe_name>.exe is the executable that the Infrastructure Manager (IM) configuration GUI launches to open that probe's configuration window. conf_processes.exe is the one for the processes probe, and it loads nimbus_aes.dll when it starts.

  • conf_processes.exe calls nimbus_aes.dll because the probe configuration GUIs encrypt passwords and perform related functions; nimbus_aes.dll is essentially an encryption (AES) library.

  • Other conf_<probe_name>.exe files have been picked up in the same way from time to time by anti-virus/anti-malware scans. They are legitimate DX UIM components, so a block of this kind is a false positive that should be resolved by approving or excluding the files, not by removing them.
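Before asking the security team to approve the blocked files, it helps to hand them the facts an application-control review normally needs: full path, SHA-256, Authenticode signer and signature status, and the embedded product/version strings. The following PowerShell is an added example written for this article, not code from the KB or from the UIM product. It assumes the files still exist at the temp paths quoted in the Bit9 message (the user profile and the numeric Temp subfolder are assumptions; they vary per user and logon session) and that it is run in the same user session that triggered the block.

```powershell
# Added example (not from the KB article or the UIM product): gather the
# evidence a security team usually asks for before approving a binary that an
# application-control tool such as Bit9 has blocked.
#
# Assumptions: the two files still exist at the paths below, which mirror the
# block message in this article ($env:LOCALAPPDATA expands to
# C:\Users\<user>\AppData\Local). Replace the paths with the ones from your own
# Bit9 event; the numeric Temp subfolder ("4") can differ per logon session.
$files = @(
    "$env:LOCALAPPDATA\Temp\4\util\conf_processes.exe",
    "$env:LOCALAPPDATA\Temp\4\util\nimbus_aes.dll"
)

$report = foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) {
        Write-Warning "Not found: $f"
        continue
    }

    # SHA-256 is what hash-based approval rules in app-control consoles key on.
    $hash = Get-FileHash -LiteralPath $f -Algorithm SHA256

    # Authenticode status: Valid, NotSigned, HashMismatch, UnknownError, ...
    $sig = Get-AuthenticodeSignature -FilePath $f
    $signer = '(unsigned)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # Embedded version resource: product and file version strings.
    $ver = (Get-Item -LiteralPath $f).VersionInfo

    [pscustomobject]@{
        Path        = $f
        SHA256      = $hash.Hash
        Signer      = $signer
        SigStatus   = $sig.Status
        Product     = $ver.ProductName
        FileVersion = $ver.FileVersion
    }
}

# Show the result and export it for the security team's ticket.
$report | Format-List
$report | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\uim-bit9-evidence.csv"
```

If SigStatus is anything other than Valid, take the hash from a known-good copy of the same file obtained from your UIM distribution rather than approving the temp copy on the strength of its path alone. Where the application-control tool supports it, approving by file hash or by publisher is narrower than a path exclusion on a per-user Temp directory, which would also cover anything else later dropped into that folder.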


Disable Anti-Virus


During installations and upgrades, ask the Security team to temporarily disable any anti-virus software, as it can interfere with the installation or upgrade process.
 
This extends to any other security application installed locally on the Windows, Linux or UNIX server that can interfere by blocking or filtering, or that requires proactive whitelisting of DX UIM components, connections or message traffic.
 
All anti-virus/security software MUST be disabled on the Primary hub before proceeding. Otherwise you may hit unexpected problems caused by blocking, filtering, malware prevention, false-positive malware detection or traffic filtering from applications such as Carbon Black, CrowdStrike, Symantec Endpoint Protection, Kaspersky, McAfee, Bit9, etc.
 
If the anti-virus application cannot be disabled, you MUST ensure that the installer and ALL Nimsoft programs, directories and files are completely excluded from blocking, scanning and filtering before and during the upgrade. After the upgrade completes, the anti-virus software can normally be re-enabled, but the exclusions must stay in place for the programs to keep running unimpeded.

If UIM/OC has not been excluded from security or anti-virus software that blocks or filters applications, ports, protocols or connections, a block can occur when you least expect it, even when simply opening a GUI window (as in the conf_processes.exe case above). You would then have to reach out to your Security team, and the delay in getting a response can hold up your install, upgrade or monitoring.