4 Replies Latest reply on Feb 13, 2018 5:04 AM by Carsten.Hopp

    Deny rule is allowed?!

    Carsten.Hopp Rookie

      Hi!

       

      We have been running AppSense Application Manager 8.8 SP1 for many years. Lately I tested several connections and I found out that all internet connections are allowed even though they should be denied! In Everyone we have a Network Connection Item which denies *.*.*.*. Then we have an Allow rule which allows several specific network connections. Now, when trying to access a denied network connection I receive this in the Rules Analyzer:

      [Rules Analyzer screenshot from the original post; image not reproduced]

      This means the network item is in the prohibited items list (that's correct) but there is an ALLOW. Why?? This is very confusing and not logical at all.

       

      Further testing reveals that RDP and other ports are correctly denied. Only internet ports like 80,443 and 22 are allowed. So strange!

        • 1. Re: Deny rule is allowed?!
          timothyb SupportEmployee

          There might be a few things worth testing:

           

          • Are other rules working?  For example is regedt32.exe still denied for standard users?  Are any of your other deny rules working?  If not it's probably worth checking that your license is up to date.
          • Does the user fall into any group where the security slider is set to unrestricted?  The least restrictive policy wins in that case.
          • Does the user fall into any groups or rules where there is any allow?  Again least restrictive wins.
          • 2. Re: Deny rule is allowed?!
            Carsten.Hopp Rookie
            • Are other rules working?  For example is regedt32.exe still denied for standard users?  Are any of your other deny rules working?  If not it's probably worth checking that your license is up to date.

                   Everything else is working. All other rules are working. What does it have to do with licenses???

            • Does the user fall into any group where the security slider is set to unrestricted?  The least restrictive policy wins in that case.

                    No

            • Does the user fall into any groups or rules where there is any allow?  Again least restrictive wins.

                    No

             

             

            As written above: Everything seems okay. User is in Everyone-Rule and all other stuff is handled correctly. We have no allow for default ports 80 or 443 but only these ports are allowed even though *.*.*.* is denied.

            • 3. Re: Deny rule is allowed?!
              timothyb SupportEmployee

              If the license isn't valid, the Agent doesn't process the rules.  Because I've been caught out by this a couple of times in the past when troubleshooting issues in my own lab, if something isn't working as expected I usually do a quick check and ensure regedt32.exe is being blocked (assuming I have that rule enabled).

               

              I would initially consider some initial isolation testing:

               

              • Did the rule ever work?
              • Does the issue impact just this workstation/users or are other workstations/users affected?
              • Is it just one application that is impacted?
              • Check if the hook is getting into the impacted application(s); there might be an issue loading the hook into processes and it's the filter driver that is now doing all of the blocking (although given that we can see the rule, this suggests that this is not the case).  It's still worth being aware of this as a troubleshooting step.
                • Run SysInternals Process Explorer.
                • Find the process within the process tree
                • Press "CTRL+D" to show DLLs in the lower pane.
                • Look for the AppSense/Ivanti (depending on version) Application Control/Manager hook (AMAppHook.dll)
              • Check some of the basics within the config, such as whether "Enable Application Network Access Control" is enabled.  In the latest version of the software this is under the Manage Tab -> Advanced Settings -> Policy Settings tab -> Functionality section.  However, although it's always been under this Functionality section, how you get to Advanced Settings has changed over versions.
              • Put the endpoint in a test Deployment group.  I've just posted some suggested steps in this post: Replace rule
              • Create a new config that just has this network rule in place.
                • Confirm if the rule works.
                • If the rule does work, it would suggest either a configuration issue or a combination of configuration items that might be resulting in a bug.

               

              If you do get the rule working, it might be worth running Rules Analyzer on the workstations for a short while to check what network items are being denied.  I've seen rules like this put in place and they can have unintended impacts such as PIPE connections both locally and also remotely.
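As an added illustration (not code from the thread or from Ivanti), the Process Explorer hook check and the port probing described above can be scripted in PowerShell. It assumes the hook DLL name AMAppHook.dll as given in the reply, a placeholder target host, and an elevated session so that module lists of other users' processes can be read.

```powershell
# Added example, not part of the original thread. Assumes AMAppHook.dll is the
# hook module name (as stated in the reply) and that this runs elevated.

function Test-AMAppHookLoaded {
    # Reports, per process instance, whether the Application Manager hook is loaded.
    # HookLoaded = $null means the module list could not be read (access denied
    # or 32/64-bit mismatch), not that the hook is absent.
    param(
        [Parameter(Mandatory)][string]$ProcessName,   # e.g. 'chrome' or 'powershell'
        [string]$HookName = 'AMAppHook.dll'
    )
    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) { Write-Warning "No running process named $ProcessName"; return }
    foreach ($p in $procs) {
        try {
            $loaded = @($p.Modules | Where-Object { $_.ModuleName -ieq $HookName }).Count -gt 0
        } catch {
            $loaded = $null
        }
        [pscustomobject]@{ Pid = $p.Id; Process = $p.ProcessName; HookLoaded = $loaded }
    }
}

function Test-NetworkRule {
    # Probes the ports the poster mentions. If the deny rule is enforced for the
    # user running this, Reachable should be False for every port. The rule applies
    # to the probing process, so run this in the restricted user's session and
    # confirm with Test-AMAppHookLoaded that powershell.exe itself carries the hook.
    param(
        [Parameter(Mandatory)][string]$Target,   # host you expect the rule to deny
        [int[]]$Ports = @(80, 443, 22, 3389)
    )
    foreach ($port in $Ports) {
        $r = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $Target; Port = $port; Reachable = $r.TcpTestSucceeded }
    }
}

# Usage ('example.com' is a placeholder; replace with a host your rule should deny):
Test-AMAppHookLoaded -ProcessName 'powershell' | Format-Table
Test-NetworkRule -Target 'example.com' | Format-Table
```

Compare the Reachable column against the Rules Analyzer output for the same connections; a port that is reachable while the analyzer lists it as prohibited reproduces the symptom described in the original post.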

              • 4. Re: Deny rule is allowed?!
                Carsten.Hopp Rookie

                We created another rule which overwrites the Everyone and now it works.