2 Replies Latest reply on Apr 4, 2018 5:23 PM by yashikor

    Appsense blocking Starlims

    yashikor Apprentice

      I pushed a new configuration today in which I set all rules to restricted and re-enabled APPLICATION ACCESS CONTROL.

       

      Just when I thought I had it, one application decided to crash. This is an application that starts from a server but uses Internet Explorer.

       

      I have a process rule in place in which iexplore.exe is in the root node and I have a bunch of DLLs in allowed (see screenshots). I have included a sample from the RA as well (see screenshots).

       

      appsense4.JPG

       

      appsense2.JPG

      appsense3.JPG

        • 1. Re: Appsense blocking Starlims
          Fordo Apprentice

          The truncated Rules Analyzer screenshot makes it hard to understand what's going on. I take it you do have a rule for icsharpcode.sharpziplib.dll - the file that's listed many times in the second two screenshots?

           

          If Rules Analyzer is reporting any denied executions (not Overwrite-If and other fluff) then you're missing rules. RALogger makes it somewhat easier to spot this as it filters on denies and common file types by default, and lets you preview and refresh the results without stopping rules analysis on the remote machine.

           

          Your ruleset could probably be simplified - and arguably made more robust through changing it to something like:

           

          %localappdata%\assembly\dl3\*\*\*\star*.dll

          %localappdata%\assembly\dl3\*\*\*\janus*.dll

           

          etc. - maybe with some metadata common to those files.

           

          Also I'm not sure why iexplore.exe is listed in that first screenshot. If that's a set of allowed files for parent process iexplore.exe then IE can launch any file called iexplore.exe (regardless of whether that file is actually MS IE).
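
An added example, not part of the reply above and not AppSense tooling: a PowerShell inventory of the DLLs under the `%localappdata%\assembly\dl3` cache, listing the version metadata and Authenticode signer each file carries, so the wildcard paths suggested above can be paired with metadata the files actually share. The function name `Get-Dl3DllInventory` is hypothetical; the cmdlets are standard PowerShell.

```powershell
# Added example: list DLLs in the per-user assembly download cache together
# with the metadata a rule could key on. Get-Dl3DllInventory is a hypothetical name.
function Get-Dl3DllInventory {
    param(
        [string]$Root        = (Join-Path $env:LOCALAPPDATA 'assembly\dl3'),
        [string]$NamePattern = '*.dll'
    )
    # Three wildcard directory levels, the same depth as the suggested rule paths
    $glob = Join-Path $Root "*\*\*\$NamePattern"
    Get-ChildItem -Path $glob -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            Name        = $_.Name
            CompanyName = $_.VersionInfo.CompanyName
            ProductName = $_.VersionInfo.ProductName
            SigStatus   = $sig.Status
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Path        = $_.FullName
        }
    }
}

$inventory = Get-Dl3DllInventory

# Group by vendor metadata to see which values are common enough to put in a rule
$inventory |
    Group-Object CompanyName, Signer |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Files with no company name and no valid signature: only the path and file name
# would identify them, so a rule for these rests on the name alone
$inventory |
    Where-Object { -not $_.CompanyName -and $_.SigStatus -ne 'Valid' } |
    Select-Object Name, Path
```

Run it as the affected user after the application has loaded once, so the cache is populated. Passing `-NamePattern 'star*.dll'` narrows the listing to one of the suggested patterns.
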

          • 2. Re: Appsense blocking Starlims
            yashikor Apprentice

            "The truncated Rules Analyzer screenshot makes it hard to understand what's going on. I take it you do have a rule for icsharpcode.sharpziplib.dll"

             

            My apologies for the chopped screenshots. Basically, in the first one you see the full path and in the second you see it calling 'iexplore.exe'. This repeats over and over again, therefore I grabbed a small chunk.

             

            I don't have a rule set up for icsharpcode.sharpziplib.dll. This was one of the first rules I created without real knowledge (still need much more).

             

            We put 'iexplore.exe' in the root node and figured it might be a good idea to add it into allowed also.