01-07-2008 05:53 AM - edited 03-09-2019 07:47 PM
CSA triggers with one of the pre-configured rules, when WgaTray.exe tries to scan a host. WGA is Microsoft's Windows Genuine Advantage, which we got with Windows Update some time ago. I could create an exception for that, but what if I'd like the CSA to block it permanently? How can I get rid of the event messages?
I have cloned the rule and changed it, so that it targets WgaTray.exe only. The problem is, even though I unticked the log option, a Terminate Process will create a dump and this results in another entry in the event log.
I then tried to change the action into a simple Deny, but then the original rule triggers first. Any idea what I could do?
01-07-2008 10:04 AM
Hi Oliver,
You are correct that some process terminations will result in dumps and log entries (especially something like WGAtray.exe).
You could exclude wgatray.exe from the terminate process rule and then the deny and not log rule should work as you expect.
What specific rule (type, name and rule module) is generating this alert?
I don't see any alerts on my MC regarding WGAtray but I may not have the same policies applied.
Tom
01-07-2008 07:19 AM
Have you tried to check the "Take precedence over other Priority Terminate rules" option?
I have created an allow exception for this rule, because I know the WGA software can be a real pain if it is not able to function. We had experiences with some updates not downloading and applying properly.
HTH
01-07-2008 07:33 AM
Thanks, but that doesn't help. A Deny rule will always be below any Terminate Process rules. I guess a Terminate Process action will always result in a dump and that will prompt a log entry.
01-08-2008 03:34 AM
Hi Tom, thanks for the help. Looks like I failed to make the last step.
The rule is a System API control rule (186 in my installation of v5.2), "Network Applications, Access system functions from a buffer". The action is "Query user", defaulting to "Terminate process". This rule is in the "General Application Permissions - all Security Levels" rule module.
Looks good so far. I still need to create a few more Deny rules, now that the process isn't terminated.
01-08-2008 10:58 AM
Nice to hear and glad it worked.
Have fun with it.
Tom