Are you getting block messages from AM or is it just not working?
No block messages; however, when ACAD goes to verify the license, it crashes. When you disable AppSense, or if you run as admin, it runs just fine.
We have been testing different things, so there are no errors in the audit logs. We also disabled McAfee, which we originally thought might be the culprit.
Chances are the hooking is causing the crash. If you don't have any requirements to elevate it or block it, then add exceptions for it in the console. Have a look at this article to see how to exclude the processes: Recommended Anti-Virus and AppSense Exclusions
I've seen a couple of cases where AutoCAD crashes with Application Manager installed. However, these have been fixed by installing the latest version of Application Control 10.1.
Are you using AmAudit and/or Rules Analyzer (or RALogger, for your sanity) to look at which files AM is denying execution of?
Rules Analyzer is a tool that is built into the Application Control console. It allows you to gather the results of rule processing on an endpoint. So if you're trying to work out why an application isn't working, you would:
- Use the AC Console to enable Rules Analyser (this can be done remotely)
- Recreate the issue on the endpoint
- Stop Rules Analyser
- Review the results within the AC Console
- Update the rules and deploy a new config
- If the application continues to fail, repeat the above until the application is working as expected
The AC Console Rules Analyser tool isn't that great, to be fair. There are a lot of "deny" results for Overwrite and Rename operations that don't tend to impact an application's ability to launch. It also has the frustrating feature of taking you back to the top of the list when you've drilled into a result for more details. Because of this, there are other Rules Analysers available. Both of these can be found on the AC Home page. Personally I use the AMRAParser, because it parses existing XML files generated using the built-in Rules Analyser tool. The RAParser tool is very popular and used by some of our Pro Services guys. Both of these tools have a feature to strip out the noisy events.
Have a quick check on the Rules Analyser section within "Raising an Application Control Support Case"; it contains a few links. It's all very simple to use; if you just click around in the Console, you'll probably get it working without reviewing the guides.
Hooking/detouring is a mechanism for intercepting WinAPI calls. A DLL is injected into the running process that hooks/detours functions as they're called and modifies them if required. There are several hook exceptions and a filter driver exception. These are covered in the AV link Landon has provided.