Patchlink CSA configuration

bmichalek
Level 1

OK, my client is using Patchlink to roll out patches. The patches seem to be downloaded to C:\windows\temp\XXXXX.XXX

The trojan detection rule kicks off the following every time:

The program 'C:\WINDOWS\Temp\IE6.0sp1-KB889293-Windows-2000-XP-x86-ENU.exe' was recently downloaded and attempted to execute. The user was queried whether to allow this operation. The user chose 'Terminate'

This happens at night so users choosing yes is not an option. I have created every kind of application class rule I can think of and even used the wizard to put the exact file name and path into the application set to be excluded. No luck at all and I still get the same message every time. It seems to be ignoring the exclusion completely.

Any ideas?

2 Replies

nkhawaja
Cisco Employee

Hi,

FYI,

If you see a message similar to this:

The program 'C:\Program Files\CA\Common\ScanEngine\Incoming\iv_nt86.exe' was recently downloaded and attempted to execute. The user was queried whether to allow this operation. The user chose 'Terminate (as default)'

and you want to exclude the application that did the downloading from the Trojan Detection Rule, there are some steps you must do.

The exclusion in the Trojan Detection rule is for the application that actually did the downloading - NOT the actual downloaded file. The message says that iv_nt86.exe was recently downloaded. Therefore, the file that was downloaded is iv_nt86.exe. We do not know what actually did the downloading in this instance, most likely because the process was terminated before we could find out.

To find out which application did the downloading, set up a File Monitor Rule where the application class is "all applications" that attempt to "read and write" the file "iv_nt86.exe" (no quotes around these values). Then once this file is accessed, you will see in the event log which application is doing the downloading of the file. Then exclude that application that downloaded iv_nt86.exe in the Trojan Detection Rule.

Thanks

Nadeem
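The reply's point is that the exclusion must name the process that wrote the file, not the file itself, and that a file-monitor rule is how you find that process. As an added example (not part of this thread, and not CSA's own tooling or log format), the Python script below correlates a trojan-detection message with file-monitor events and reports what the exclusion should name. The event line format is invented for the example, the sample lines are constructed, and the path for gravitx.exe (the downloader the original poster later identified) is an assumption.

```python
import re

# Constructed sample log. The line format is invented for this example and is
# NOT the real CSA event format. The gravitx.exe path is an assumption; the
# thread names the executable but not its location.
SAMPLE_LOG = r"""
02:14:07 FILE_MONITOR process="C:\Program Files\PatchLink\gravitx.exe" access=write file="C:\WINDOWS\Temp\IE6.0sp1-KB889293-Windows-2000-XP-x86-ENU.exe"
02:14:09 FILE_MONITOR process="C:\Program Files\PatchLink\gravitx.exe" access=write file="C:\windows\temp\IE6.0sp1-KB889293-Windows-2000-XP-x86-ENU.exe"
02:14:12 FILE_MONITOR process="C:\WINDOWS\explorer.exe" access=read file="C:\WINDOWS\Temp\IE6.0sp1-KB889293-Windows-2000-XP-x86-ENU.exe"
02:14:15 TROJAN_DETECTION The program 'C:\WINDOWS\Temp\IE6.0sp1-KB889293-Windows-2000-XP-x86-ENU.exe' was recently downloaded and attempted to execute. The user was queried whether to allow this operation. The user chose 'Terminate'
"""

# The trojan-detection sentence itself is taken from the thread; the regex only
# pulls the quoted path out of it.
TROJAN_RE = re.compile(r"The program '([^']+)' was recently downloaded")
# Hypothetical file-monitor line: process, access type, file path.
FILE_EVENT_RE = re.compile(r'FILE_MONITOR process="([^"]+)" access=(\w+) file="([^"]+)"')


def norm(path):
    """Windows paths are case-insensitive; the rule message says C:\\WINDOWS\\Temp
    while the poster wrote C:\\windows\\temp, so compare on a lowercased form."""
    return path.lower()


def parse_trojan_detection(line):
    """Return the path the trojan-detection rule reported as downloaded, or None."""
    m = TROJAN_RE.search(line)
    return m.group(1) if m else None


def parse_file_event(line):
    """Return (process, access, file) from a file-monitor line, or None."""
    m = FILE_EVENT_RE.search(line)
    return m.groups() if m else None


def find_writers(log_text, target_file):
    """Processes that wrote target_file. A downloader writes the file; a process
    that only reads it (the shell launching it, a scanner) is not the downloader
    and is not what the exclusion should name."""
    writers = {}
    for line in log_text.splitlines():
        ev = parse_file_event(line)
        if not ev:
            continue
        process, access, path = ev
        if access == "write" and norm(path) == norm(target_file):
            # Keep the first spelling seen, de-duplicated case-insensitively.
            writers.setdefault(norm(process), process)
    return sorted(writers.values())


def exclusion_targets(log_text):
    """Map each file the trojan-detection rule flagged to the processes that
    wrote it, i.e. the applications to exclude in the rule rather than the file."""
    flagged = []
    for line in log_text.splitlines():
        f = parse_trojan_detection(line)
        if f and norm(f) not in (norm(x) for x in flagged):
            flagged.append(f)
    return {f: find_writers(log_text, f) for f in flagged}


if __name__ == "__main__":
    for downloaded, writers in exclusion_targets(SAMPLE_LOG).items():
        print(f"flagged file: {downloaded}")
        for w in writers:
            print(f"  exclude in Trojan Detection rule: {w}")
        if not writers:
            # This is the situation in the reply: the process was terminated
            # before anything recorded who wrote the file.
            print("  no writer seen; add a file monitor rule on this file first")
```

Run it as-is to see the flagged file mapped to gravitx.exe; explorer.exe is listed in the log but only read the file, so it is correctly left out of the exclusion list. Swap `SAMPLE_LOG` for your own exported events once you have adapted the two regexes to the real line format.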

Thanks, I had got it. I thought that I had already gotten the culprit downloader (gravitx.exe) in that rule but I got app classes confused.

What was weird to me is the fact that the event wizard was able to generate a completely useless rule. Kinda threw me off.