AM Trusted Ownership checking fails even though item is Trusted Owned

Version 1

    Verified Product Versions

    Application Control 8.9, Application Control 8.8, Application Control 8.7


    In some cases Trusted Ownership checking may legitimately block a file which is owned by a trusted owner. Some of these scenarios are given below, along with how to identify them.


    Application Manager's Trusted Ownership checking will return an untrusted result and block any file if it's unable to check the file's ownership.

    This can occur in a number of scenarios but is usually seen with the executables of anti-virus vendors, which often set special permissions on these executables to ensure that they cannot be tampered with. If one of these executables launches, Application Manager will try to check the ownership and, being unable to verify it, block the file.

    For example, the following Trend executables commonly produce messages similar to:


    User is not authorized to run PCCNTMON.exe


    User is not authorized to run PCCNTUPDT.exe

    The best way to correct this behaviour in your Application Manager configuration without modifying the permissions on the affected executables (which we do not recommend) is to add a Trusted Vendor to the "Everyone" group.

    This can be spotted in the AM logs; look for lines similar to:


    ERR T002400 542836 17:09:19.803 [CRulesChecker::FileOwnerTrusted] Warning: Could not get file owner SID for c:\program files (x86)\trend micro\officescan client\pccntupd.exe - assume not trusted.
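
A small triage script for the log check described above, added here as an example (it is not the vendor's or this article's own code): it scans AM log text for the FileOwnerTrusted warning and lists each file whose owner SID could not be read, with a hit count and first/last time seen. It assumes every such line has the same shape as the one quoted above; apart from that quoted line, the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Shape taken from the log line quoted in the article. The two tokens after the
# level are captured but not interpreted; the article does not say what they mean.
OWNER_FAIL = re.compile(
    r"^\s*(?P<level>\w+)\s+(?P<tok1>\S+)\s+(?P<tok2>\S+)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"\[CRulesChecker::FileOwnerTrusted\]\s+Warning:\s+"
    r"Could not get file owner SID for (?P<path>.+) - assume not trusted\.\s*$",
    re.IGNORECASE,
)

# Constructed sample: the first line is the one from the article, the rest are made up.
SAMPLE_LOG = r"""
ERR T002400 542836 17:09:19.803 [CRulesChecker::FileOwnerTrusted] Warning: Could not get file owner SID for c:\program files (x86)\trend micro\officescan client\pccntupd.exe - assume not trusted.
INF T002400 542837 17:09:19.810 [CRulesChecker::Example] some unrelated constructed line
ERR T0031A8 542990 17:11:02.117 [CRulesChecker::FileOwnerTrusted] Warning: Could not get file owner SID for C:\Program Files (x86)\Trend Micro\OfficeScan Client\PccNTUpd.exe - assume not trusted.
ERR T0031A8 543002 17:11:05.450 [CRulesChecker::FileOwnerTrusted] Warning: Could not get file owner SID for c:\tools\my - app\agent.exe - assume not trusted.
"""

def unreadable_owner_files(lines):
    """Return {lower-cased path: {"count", "first", "last"}} for owner-lookup failures."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        m = OWNER_FAIL.match(line)
        if not m:
            continue
        # Windows paths are case-insensitive; fold case so repeats group together.
        entry = hits[m.group("path").strip().lower()]
        entry["count"] += 1
        entry["first"] = entry["first"] or m.group("time")
        entry["last"] = m.group("time")
    return dict(hits)

def report(lines):
    """One text row per affected file, most frequently blocked first."""
    rows = sorted(unreadable_owner_files(lines).items(), key=lambda kv: -kv[1]["count"])
    return [f'{v["count"]:>3}  {v["first"]}..{v["last"]}  {p}' for p, v in rows]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

Each path in the output is a candidate for the Trusted Vendor fix described above; a path that contains " - " is still captured whole because the match runs to the final "- assume not trusted." suffix.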