3 Replies Latest reply on Apr 23, 2018 2:22 AM by timothyb

    AC 10.1 FR3 - Rules Analyzer - Type overwrite-if missing

    Mario.Istuk Apprentice

      Hi @all,


      It seems that the type "overwrite-if" in the Rules Analyzer for blocked items has been removed or is missing.


      Is there any known issue or bug that explains why this value is not shown anymore?


      Application Control 8.6 (type exist)

      Application Control 10.1 FR3 (type missing)


      AM_8_6_Overwrite_if_-_Posteingang.png

        • 1. Re: AC 10.1 FR3 - Rules Analyzer - Type overwrite-if missing
          timothyb SupportEmployee

          I'm not aware of any issues that would result in the Overwrite and Overwrite-If not appearing.  I would check within your config that you still have Overwrite and Rename operations checked (Global Settings -> Trusted Owners -> Change a file's ownership when it is overwritten or renamed).


          These checks are performed by the filter driver.  To check the filter driver is running:


          - Launch an elevated cmd.exe

          - Run fltmc

          - Look for the AMFileSystemFilter if running AC 10.1+

          • 2. Re: AC 10.1 FR3 - Rules Analyzer - Type overwrite-if missing
            Mario.Istuk Apprentice

            Thanks for your reply.


            Advanced Settings --> Change a file's ownership when it is overwritten or renamed --> already enabled (default)


            Run elevated cmd.exe

            fltmc --> AMFileSystemFilter Version 10.1.423.0


            In Rules Analyzer:

            AC Agent 10.1 FR3 --> Type "empty"

            AM Agent 8.6 --> Type "overwrite-if"

            • 3. Re: AC 10.1 FR3 - Rules Analyzer - Type overwrite-if missing
              timothyb SupportEmployee

              OK, so it's not that the record is missing but the "Type" field is blank.


              It would probably be worth reviewing the XML file that is created on the endpoint to see if the Type field is present.  After enabling logging, this is located in the following path:


              c:\ProgramData\AppSense\Application Manager\Rules Analyzer\RulesAnalyzerLog.xml


              Enable logging and try to recreate Overwrite and Rename operations.  Just in case there is any caching before writing the data to the file, give it a short while before copying the file to another location.  When you disable logging this file is deleted, so you will need to copy the file before disabling logging.


              Try to find one of the example elements with the missing Type field and post it here, and I'll do a quick compare against my lab.


              In order to recreate an Overwrite or a Rename, I believe that you need to try and overwrite or rename a file that is not owned by your user account.  I don't believe that the filter driver will pick up an attempt if it's owned by your user account as there would be little point.  It might be better to simply set the owner of the file to the builtin\administrator account, just to make sure.  I suspect that a rename would be easy to recreate using Explorer.  An overwrite by copying and pasting a file with the same name might not be as simple.  This could be down to the behaviour of the software, so that might result in a delete of the original file and a write of the new file.  To recreate an overwrite you might need to edit the file but again this might be dependent upon the behaviour of the text editor.  If you know Overwrite operations are being created in your AM 8.6 environment, it might be easier to try and recreate using that method.
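The diagnostic steps from replies 1 and 3 (check the filter driver, snapshot the log before logging is disabled, pick out records with a blank Type) as one added PowerShell script; this is example code written for this thread, not Ivanti's own. The log path and the AMFileSystemFilter name come from the thread; the XML layout of RulesAnalyzerLog.xml is not documented here, so the script assumes Type appears either as an attribute or as a child element.

```powershell
# Added example (not Ivanti's code). Run from an elevated PowerShell prompt.
# Path and filter name are taken from the thread above; the element/attribute
# names inside the log are an ASSUMPTION because the schema is not shown here.
$LogPath  = 'C:\ProgramData\AppSense\Application Manager\Rules Analyzer\RulesAnalyzerLog.xml'
$Snapshot = Join-Path $env:TEMP ('RulesAnalyzerLog_{0:yyyyMMdd_HHmmss}.xml' -f (Get-Date))

# 1. Confirm the filter driver that produces these records is loaded (reply 1).
$filters = fltmc filters 2>&1
if ($filters -match 'AMFileSystemFilter') {
    Write-Host 'AMFileSystemFilter is loaded.'
} else {
    Write-Warning 'AMFileSystemFilter is not listed (not installed, or prompt not elevated).'
}

# 2. Copy the log while logging is still enabled; disabling logging deletes it (reply 3).
if (-not (Test-Path -LiteralPath $LogPath)) {
    throw "Log not found at $LogPath - is Rules Analyzer logging enabled?"
}
Copy-Item -LiteralPath $LogPath -Destination $Snapshot
[xml]$log = Get-Content -LiteralPath $Snapshot -Raw

# 3. Find records whose Type is blank. Both shapes are checked because the
#    real layout is unknown: <Item Type=""> or <Item><Type></Type></Item>.
$blank = @()
foreach ($n in $log.SelectNodes("//*[@Type][normalize-space(@Type)='']")) { $blank += $n }
foreach ($n in $log.SelectNodes("//Type[normalize-space(.)='']"))          { $blank += $n.ParentNode }

Write-Host "Snapshot saved to $Snapshot"
Write-Host "Records with a blank Type: $($blank.Count)"

# Print the first few records as raw XML so they can be pasted into the thread
# for comparison against a working lab.
$blank | Select-Object -First 5 | ForEach-Object { $_.OuterXml }
```

If the count is zero but the Rules Analyzer console still shows an empty Type, the field is being lost after the agent writes the log rather than in the filter driver, which narrows the comparison with the lab.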