Re: CSA 4.5.1.639 triggering an Alert with IE

kerraj2004 · ‎08-25-2006

Does anyone know why IE keeps trying to perform this action? While searching i get prompts but cant determine what it is doing or if it should be allowed. Any ideas?

The process 'C:\Program Files\Internet Explorer\IEXPLORE.EXE' (as user **/**) attempted to access the registry key '\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Office Word\shell\edit\command', value ''. The attempted access was a write (operation = DELETE/KEY). The user was queried and a 'No' response was received.

joseph.hamilton · ‎08-25-2006

we also had this occur. We had to layer our System Hardening Module for a different issue and since then, the event has not occured. I think our attempt to alleviate this problem was going to be limiting the registry values the Web browser could write to non-system files.

As for the specific one that's coming up, that can be blocked without affecting user performance.

kerraj2004 · ‎08-28-2006

Thanks, glad to hear that someone else had this arise. I just wanted to know what it was doing before I create a rule for it. I did deny 3 other rules and it appears no to have any negitive impact.

joseph.hamilton · ‎08-28-2006

well, the registry key the event refers to basically adds to the "Open With" list for that extension.

That can be done manually, plus even when I allowed it to be written, nothing chnged in the registry.

kerraj2004 · ‎08-30-2006

So, when you created exceptions for and IE did you create denies?

If so, when you create a deny rule can it be stopped from logging on the local machine so that it does not cause the flag to wave and the end users to see??

Thx

tsteger1 · ‎08-30-2006

Deny rules can be set to deny (not strong deny), not log and to take precedence over other deny rules.

That should keep the users from seeing anything.

Tom S

kerraj2004 · ‎09-01-2006

I have set up the deny rule as a "high priority" deny with take precedence over other deny rules checked. This has not stopped the agent from logging this activity. The CSAMC does not log the activity but I cant stop it on the local agent.

tsteger1 · ‎09-02-2006

Change it from 'high priority deny' to 'deny' and it should stop logging at the local agent.

Tom S

kerraj2004 · ‎09-05-2006

The only way to deny these processes is to use HIGH PRIORITY DENY but still unable to stop the logging on the local workstation.

Adam

tsteger1 · ‎09-07-2006

Why won't 'deny' work? Is there another rule that is conflicting?

kerraj2004 · ‎09-08-2006

That is a very good question and I even have the the this rule take precedence over other denies checked.

tsteger1 · ‎09-08-2006

Try changing it to 'deny' not 'priority deny' and see if it still logs at the station.

I believe that precedence only works for the same level of action.

If you have a 'priority deny', it only takes precedence over other 'priority deny' rules. It has no effect on deny rules.

Tom S

RichardSW · ‎09-10-2006

Yea, it has to do with IE referencing the registry for the HTML editor option.

You may have Word set as your html editor in IE. Open IE, go to Tools, Internet Options, Programs tab, change HTML Editor to "Notepad". After you Apply, you'll notice that the Standard Buttons bar will include a notepad icon instead of a Word icon.