topic Re: CSA MC 51 in Network Security

CSA MC 51

pemasirid — Sun, 10 Mar 2019 10:51:37 GMT

Hi,

We have CSA MC 5.1 runing and want to denay all spyware and some network access (snipping,icmp) to deny. I created customs Policies with rule modules for Application Install and network access and given Prioty Deny as Action but still I can install applications but i can't uninstall them.

Please advise how to create a rule and deny Install/access/ some applications.

Thanks

Re: CSA MC 51

tsteger1 — Mon, 05 Nov 2007 17:41:53 GMT

The Network Access Control rules should be fairly straightforward.

How is your application install deny rule configured? That one is trickier.

You should enable logging and test *only* those rules on a host and see if they work.

Tom

Re: CSA MC 51

pemasirid — Mon, 05 Nov 2007 19:56:40 GMT

Hi Tom,

Many thanks for prompt reply. Having deny rules configured I tried to install Googletalk and it worked, apparently I was not able to uninstall the same.That's way I wonder how it installed?.

I only custormized Install Application rule module and Network access rule module and put them in new policy. The Group which host was associated is neither Test nor Learn mode.

Attached is the logs I found in my SCA MC.

All I need to block any spayware applications and deny icmp,port scan applications. Kindly advise me the procedure.

I would appreciate if you can advise me the steps in order to do the above tasks.

Many thanks.

Re: CSA MC 51

tsteger1 — Tue, 06 Nov 2007 00:39:12 GMT

Do you have a written policy that forbids users to install unauthorized software?

I ask because your example is not spyware, it's a chat program that users must install or access through a browser.

Blocking ICMP and port scanning can be done with the System Hardening and Personal Firewall Modules.

Identifying and blocking specific spyware with CSA is difficult to do and keep it up to date.

CSA is better for protecting machines from the undesirable side effects of spyware.

IMHO it's better to deploy an AV/AntiSpyware package to protect and clean.

If you want to track or block specific applications, you can do that with file access control rules using the filenames associated with the package.

For this particular app, you could block googletalk-setup.exe and all .exe's in the google talk folder.

Enterprising users could find ways around this but if you have written policy to back it up, they might be less inclined to try.

Tom

Re: CSA MC 51

pemasirid — Tue, 06 Nov 2007 05:52:41 GMT

Hi Tom,

Many thanks for your reply.

I do not have written policy to forbids install unauthorized software. I only did copying Install Application rule modules and made Action as Priority Deny.

Could you please tell me the steps how to block installing any unthorized softwares ?.

I will try blocking ICMP and port scanning with the System Hardening & Personal Firewall modules.

Thanks

Re: CSA MC 51

tsteger1 — Tue, 06 Nov 2007 21:01:44 GMT

Pemasiri,

I don't want to suggest anything too broad because I don't know what your environment is.

I'm not sure which Application Install module you used so I can't tell you why it doesn't work.

It looks like the rule queries a user when desktop interface applications invoke executables.

It also looks like you denied that ability to answer a queries so it takes the default action.

You should check your agent UI or users states.

You can use the method in my previous post with file access controls to block specific applications or deny installs with group policies.

Tom

Re: CSA MC 51

pemasirid — Wed, 07 Nov 2007 12:31:21 GMT

Hi Tom,

Thanks for your reply.

We use this CSA5.1 in our company mostly for Windows Desktop and Servers. Also we are planning to have different groups according to our nature of business.

Application Controll module, Application Access and Network Access modules and its rules I configured are attached here for your references.I can see some counts under Events colums like 21 (0) but don't know how & why its.

I have not configured denying any quries answered by users & infact I did not get that queries.

All I need is to block/deny installing any software and deny ICMP,port scanning application to run on my network by the users.

Kindly tell me how to do the above needful.

Thanks in advance.

Re: CSA MC 51

pemasirid — Wed, 07 Nov 2007 12:35:55 GMT

hi Tom,

Here is the attachement again with configured rules.

thanks

Re: CSA MC 51

tsteger1 — Wed, 07 Nov 2007 19:35:58 GMT

Pemasiri,

The event columns show the total number of events for the rule and all events in the last 24 hours in parentheses.

The reason you haven't seen queries is because you (the administrator) have prohibited user interaction.

Look at the first screenshot you posted (Nov 5) and you'll see where queries are answered with the default "no" because of this.

You need to enable the Agent UI and isolate the rules you want to test to make sure there are no others stepping on them.

Honestly, I can't really tell you more than that about how to do this.

Sorry,

Tom

Re: CSA MC 51

pemasirid — Sun, 11 Nov 2007 10:42:33 GMT

Hi Tom,

Sorry to troubling you. My problem is still the same inspite your advices.

I made changes to a File access controll rule module and add File set Instant messanger executables and add googletalk-setup.exe in same set (see attached) but even then I could install googletalk by Allowing the user query. But I do not need any user queries while installing any applications. I have made those fille access rules action as "Deny" not "Querry user" but I dont know why still getting that.

When i check my logs I can see all those actions have appeared as "Operation was denied" but i was able to install the same.

Also I copied Personnel Firewall module and System hardening modules and made most of network/system access rules as "Deny" but I still can do ICMP.

In brief all I want to do is disallow any unauthorized software installaing, ICMP and any portscanning software to run by my company uers.

Please advise how to do that.

Re: CSA MC 51

pmccubbin — Sun, 11 Nov 2007 13:15:00 GMT

Hi Tom,

You are the Man! By simply reading through your attempts to troubleshoot this problem from halfway around the world I learned quite a bit. I rated it a 5+.

Keep up the good work! If you ever want to become a consultant and do this sort of work full time please let me know.

Best,

Paul

Re: CSA MC 51

tsteger1 — Tue, 13 Nov 2007 19:05:41 GMT

Hi Pemasiri,

I have good news and bad news...

First the good news,

The googletalk install rule could work as a deny instead of a query but you need to find the rule (using the specific event) and change it.

Now the bad news...

The other rules in your screenshots will deny many MS installs but have never been triggered probably because there are other allow rules superceding them.

If these rules ever do take effect, you won't be able to do MS updates and a lot of other things because you denied access to all files.

My suggestion would be to take a step back, take a deep breath and either try to undo all the changes you've made and start again or install a test MC in order to figure all this out.

There is a way to do this but I'm afraid the rules are a bit confused now.

Good luck, Tom

Re: CSA MC 51

tsteger1 — Wed, 14 Nov 2007 00:16:28 GMT

Hi Paul, thanks for the kind words and rating.

I will certainly keep this in mind if I decide to pursue a new career path.

Tom