AM Trusted Ownership checking fails even though item is Trusted Owned

Version 1

    Verified Product Versions

    AppSense Application Manager 8.9
    AppSense Application Manager 8.8
    AppSense Application Manager 8.7

    Introduction

    In some cases Trusted Ownership checking may legitimately block a file which is owned by a trusted owner. Some of these scenarios are given below, along with how to identify them.

    Detail

    Application Manager's Trusted Ownership checking will return an untrusted result and block any file if it's unable to check the file's ownership.

    This can occur in a number of scenarios, but it is usually seen with the executables of anti-virus vendors, who often set special permissions on these executables to ensure that they cannot be tampered with. If one of these executables launches, Application Manager will try to check the ownership and, being unable to verify it, will block the file.

    For example, the following Trend executables commonly produce messages similar to:

    User is not authorized to run PCCNTMON.exe

    User is not authorized to run PCCNTUPDT.exe

    The best way to correct this behaviour in your Application Manager configuration, without modifying the permissions on the affected executables (which we do not recommend), is to add a Trusted Vendor to the "Everyone" group.

    This can be spotted in the AM logs; look for lines similar to:

    ERR T002400 542836 17:09:19.803 [CRulesChecker::FileOwnerTrusted] Warning: Could not get file owner SID for c:\program files (x86)\trend micro\officescan client\pccntupd.exe - assume not trusted.
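
The log check described above can be scripted when many endpoints or large log files are involved. The following is an added example, not AppSense code: it assumes the log line layout is exactly as in the single line quoted above, and the function name `owner_lookup_failures` and all sample lines after the first are constructed for illustration.

```python
import re
from collections import OrderedDict

# Matches only the message shown in the article. Fields before the time
# stamp are treated as opaque because the article does not define them.
OWNER_FAIL = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"\[CRulesChecker::FileOwnerTrusted\]\s+"
    r"Warning: Could not get file owner SID for (?P<path>.+?)"
    r" - assume not trusted\.?\s*$"
)

def owner_lookup_failures(lines):
    """Return {lower-cased path: {"count", "first", "last"}} in first-seen order."""
    hits = OrderedDict()
    for line in lines:
        m = OWNER_FAIL.search(line)
        if not m:
            continue
        # Windows paths are case-insensitive, so fold case before grouping.
        key = m.group("path").strip().lower()
        entry = hits.setdefault(
            key, {"count": 0, "first": m.group("time"), "last": None})
        entry["count"] += 1
        entry["last"] = m.group("time")
    return hits

# Sample input: the first line is the one quoted in the article, the other
# three are constructed (including the pccntmon.exe path).
SAMPLE_LOG = r"""
ERR T002400 542836 17:09:19.803 [CRulesChecker::FileOwnerTrusted] Warning: Could not get file owner SID for c:\program files (x86)\trend micro\officescan client\pccntupd.exe - assume not trusted.
INF T002400 542837 17:09:19.810 [CRulesChecker::Constructed] Unrelated constructed message
ERR T002404 542901 17:10:02.115 [CRulesChecker::FileOwnerTrusted] Warning: Could not get file owner SID for C:\Program Files (x86)\Trend Micro\OfficeScan Client\PccNTUpd.exe - assume not trusted.
ERR T002404 542950 17:11:40.001 [CRulesChecker::FileOwnerTrusted] Warning: Could not get file owner SID for c:\program files (x86)\trend micro\officescan client\pccntmon.exe - assume not trusted.
""".strip().splitlines()

if __name__ == "__main__":
    # One row per executable whose owner could not be read.
    for path, info in owner_lookup_failures(SAMPLE_LOG).items():
        print(f'{info["count"]:>3}  {info["first"]} .. {info["last"]}  {path}')
```

Each path in the result is a file that was blocked because its owner could not be read, not because the owner was untrusted, so these are the candidates for the Trusted Vendor change described above.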