White List - application control

Hi,

Is there any way to add to the white list an application which is not stored in the Windows directory?

For example Internet Explorer. I want to avoid situations where iexplorer.exe is blocked every time after sending a new update.
I'm using Policy Manager 9 with "Deny" option set under Application Control tab. 

And a second question concerning the Application control tab. Is it possible to check the time when a new exe file shows up under "Unknown applications reported by host"?

Comments

  • Siltanen Posts: 108 Former F-Secure Employee

    Hello Kallstrom,

     

    It's not possible to add any applications to the application control whitelist residing outside the Windows directory.

     

    When using the "deny" as a default action for outbound/inbound connections for unknown applications in application control it's strongly advised to have a few computers in a piloting group where you could roll-out new applications and updates prior to rolling them out for the whole domain. This way you'd have enough time to allow these applications.

     

    There's no "arrival" or "first seen" date available in Policy Manager console regarding the new binaries under "Application Control Rules".

  • kallstrom Posts: 25

    Thanks

     

    "arrival" date for application control would be a nice addition, hope to see this in future versions of PMS

  • MJ-perComp Posts: 1,098 Superuser

    Hi,

     

    if IE is blocked every time you get an update for it, F-Secure is not configured correctly.

     

    Please run ORSPDIAG and post the last 20 Lines of the output. Without ORSP-Connection you can not solve the problem.

     

    Also it might help to clear the local list on the hosts because on rare occasions it might get stuck. Please ask support for "AC-Clear.jar"

     

    BR

  • kallstrom Posts: 25

    By saying "every time" I mean that IE is blocked every time I send an update which changes the version of IE, so that is correct (?)

  • MJ-perComp Posts: 1,098 Superuser

    This should not happen.

     

    IE is a well-known application and the ORSP network should automatically confirm that the update is OK.

     

    Please remove all IE entries from the AC-List in the PMC and also clear the AC-List on the Host that shows this effect.

     

     

  • MJ-perComp Posts: 1,098 Superuser

    Again this is not normal, I never get a request about IE.

     

    Those tests with a new PMS will not really change anything if the configuration is not correct.

     

    Please provide the requested data and follow the outlined procedure!

    Also mention the versions in use and applied hotfixes.

     

    BR


  • kallstrom Posts: 25

    When trying to run orspdiag.exe on a server I get:

     

     RCP communication error (is ORSP service running?)

    checked all our servers and there is no FSORPS service running

     

    I ran orspdiag on a client

    last 20 lines of the diag

    Histogram of server query roundtrip times (ms):
    [0: 0] [20: 0] [40: 0] [80: 0] [160: 0] [320: 0] [640: 0] [1280: 0] [2560: 0] [5
    120: 0] [10240: 0]
    
    Histogram of NRS safe:
    [missing: 0] [empty: 0] [error: 0] [-100: 0] [-99: 0] [-79: 0] [-19: 0] [80: 0]
    [100: 0]
    
    Histogram of NRS lookups:
    -
    
    Histogram of NHIPS ratings from cache:
    all:           [0: 1667] [150: 158]
    last 14 days:  [0: 1369] [150: 158]
    last 24 hours: [150: 155] [0: 21]
    
    UUID: 89cee1a7-51de-4f66-8373-b7df65556932
    Server: d96e61c9.de2
    Status: 200
    Connectivity state: Ok
    CRL state: Ok
    Proxies: -
    Current proxy: -
    
    Cache: 1825/10000 entries (NHIPS: 1825, NRS: 0), 398653 bytes

     

    Server version 9.00.30231 hotfix 2

    example client FSC 9.10 (294) HF05
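
As an added example (not part of the thread and not F-Secure code), a small Python parser for the orspdiag tail posted above, useful when comparing the same output collected from several hosts. It assumes only the layout visible in the post, including the 80-column console wrap; the function names are hypothetical, and it does not interpret what the bucket values mean.

```python
import re

# Excerpt of the orspdiag tail posted above; the console wrapped "[5120: 0]".
SAMPLE = """\
Histogram of server query roundtrip times (ms):
[0: 0] [20: 0] [40: 0] [80: 0] [160: 0] [320: 0] [640: 0] [1280: 0] [2560: 0] [5
120: 0] [10240: 0]

Histogram of NHIPS ratings from cache:
last 24 hours: [150: 155] [0: 21]

Status: 200
Connectivity state: Ok
Proxies: -
"""

BUCKET = re.compile(r"\[([^:\]]+):\s*(\d+)\]")

def unwrap(text):
    """Rejoin lines that the console split inside a [bucket: count] pair."""
    out = []
    for line in text.splitlines():
        if out and out[-1].count("[") > out[-1].count("]"):
            out[-1] += line.strip()   # previous line ended inside a bucket
        else:
            out.append(line.strip())
    return out

def parse(text):
    """Return (fields, histograms); histograms map name -> row label -> buckets."""
    fields, histograms, current = {}, {}, None
    for line in unwrap(text):
        if not line:
            current = None            # a blank line ends the current histogram
        elif line.startswith("Histogram of ") and line.endswith(":"):
            current = histograms.setdefault(line[len("Histogram of "):-1], {})
        elif current is not None and BUCKET.search(line):
            label = line.split("[", 1)[0].strip().rstrip(":")
            current.setdefault(label, {}).update(
                (k, int(v)) for k, v in BUCKET.findall(line))
        elif current is None and ": " in line:
            fields.update([line.split(": ", 1)])
    return fields, histograms

def summarize(text):
    fields, hist = parse(text)
    rtt = hist.get("server query roundtrip times (ms)", {}).get("", {})
    return {"status": fields.get("Status"), "proxies": fields.get("Proxies"),
            "connectivity": fields.get("Connectivity state"),
            "timed_server_queries": sum(rtt.values())}
```
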

  • Siltanen Posts: 108 Former F-Secure Employee
     RCP communication error (is ORSP service running?)

    The most common reason for this is that DeepGuard is actually disabled on the host by policy. I would suggest opening a support ticket about the issue.

  • Siltanen Posts: 108 Former F-Secure Employee

    You can check the setting from Policy Manager console (in advanced mode) F-Secure -> F-Secure DeepGuard -> Settings -> Use Real-Time Protection Network

  • kallstrom Posts: 25

    DeepGuard protection is enabled

     

    DeepGuard Enabled = Enabled

    Use Real-time Protection Network = Enabled

    Enhanced Process Monitoring Enabled = Disabled 

  • MJ-perComp Posts: 1,098 Superuser

    Hi,

     

    is the http-proxy configured correctly? ORSP-Servers are located in the internet!

     

    Check system proxy (proxycfg.exe on XP)

    When you have the ORSP working properly, clear Application Control as explained before.

    Set Application control to "Do not prompt for applications that Deepguard has identified"

    and "Do not prompt for Applications identified by Realtime protection network"

     

    Then report back.

     

    BR

  • kallstrom Posts: 25

    Hi

     

    Sorry for being quiet...
    I owe U a "solution" on this one. After making some tests I found out that it works with ORSP servers only when the "user decision" option is set under Application control.
    With my configuration ("Deny") all applications are blocked even with ORSP enabled

    thx for Ur time

  • Good thing this problem has already been answered. It really saves me a lot of time. Thanks a lot.

This discussion has been closed.