
DeepGuard blocks an application on one system, but allows it on the other machine

Gaasbeek (Posts: 17, Security Scout)

I have a weird problem.

We are running VDI with VMware.

We are using App-V for several applications, and that works very well most of the time.

We have one application that starts Internet Explorer 9 from App-V.

The first time around, DeepGuard blocked the application because it wanted to change the process of IE9.
I have added sftlist.exe so that it would be allowed.

I did this by adding the SHA-1 hash of the file.
The file is part of the Microsoft Application Virtualization client.

All works.
But now I have several machines that are blocking the application again.

I checked the local F-Secure client to see whether the EXE file is listed and trusted,
and it is.
I have checked the version and SHA-1 hash of the file on the machine that is blocking the application.
And everything is the same.

I checked the old desktop, and the application works there.

Both clients are using the same policy, same version of F-Secure and DeepGuard.
I am unable to find anything that is different.

Any idea how to fix this problem?

Versions of clients:

F-Secure Anti-Virus for Workstations 9.00 build 165
F-Secure Anti-Virus 9.20 build 15450
F-Secure Automatic Update Agent 8.25 build 4183
F-Secure User Interface 9.20 build 6270
F-Secure Management Agent 8.20 build 40051
F-Secure Email Scanner  build
F-Secure DeepGuard 2.21 build 116
F-Secure Online Help 1.98 build 1030
F-Secure Customization AV4WKS/1.30.01

Comments

  • MJ-perComp (Posts: 669, Firewall Master)

    Hi,

    Find the file action.log in the "All Users" profile and check what blocks the file.

    BR
    Matthias

  • Gaasbeek (Posts: 17, Security Scout)

    I could not find an action.log anywhere.
    Checked the complete hard drive.

    I think that it is a permissions problem, and I am trying to fix the permissions.

    I thought I had posted the Windows logs, but I forgot to do so.

    Log Name:      Application
    Source:        Application Virtualization Client
    Date:          12-6-2012 11:52:38
    Event ID:      3079
    Task Category: (7)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      BVIT-004.ovr.prv
    Description:
    {hap=6F:app=Internet Explorer 9.0.8112.16421:tid=1448:usr=gaaa} The client could not launch C:\Program Files\Internet Explorer\iexplore.exe (rc 0010360C-00000042, last error 87).
    Event XML:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Virtualization Client" />
        <EventID Qualifiers="16384">3079</EventID>
        <Level>2</Level>
        <Task>7</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-06-12T09:52:38.000000000Z" />
        <EventRecordID>2344</EventRecordID>
        <Channel>Application</Channel>
        <Computer>BVIT-004.ovr.prv</Computer>
        <Security />
      </System>
      <EventData>
        <Data>{hap=6F:app=Internet Explorer 9.0.8112.16421:tid=1448:usr=gaaa} </Data>
        <Data>C:\Program Files\Internet Explorer\iexplore.exe</Data>
        <Data>0010360C-00000042</Data>
        <Data>87</Data>
      </EventData>
    </Event>

    Log Name:      Application
    Source:        Application Virtualization Client
    Date:          12-6-2012 11:52:39
    Event ID:      3001
    Task Category: (26)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      BVIT-004.ovr.prv
    Description:
    {tid=1308:usr=gaaa} The Application Virtualization Client could not launch Internet Explorer 9.0.8112.16421.

    An unexpected error occurred. Report the following error code to your system administrator.

    Error code: 4615186-0010360C-00000042
    Event XML:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Virtualization Client" />
        <EventID Qualifiers="16384">3001</EventID>
        <Level>2</Level>
        <Task>26</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-06-12T09:52:39.000000000Z" />
        <EventRecordID>2345</EventRecordID>
        <Channel>Application</Channel>
        <Computer>BVIT-004.ovr.prv</Computer>
        <Security />
      </System>
      <EventData>
        <Data>{tid=1308:usr=gaaa} </Data>
        <Data>The Application Virtualization Client could not launch Internet Explorer 9.0.8112.16421.

    An unexpected error occurred. Report the following error code to your system administrator.

    Error code: 4615186-0010360C-00000042</Data>
      </EventData>
    </Event>

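Editor's note on the checks in the posts above. The thread compares the version and SHA-1 of sftlist.exe by hand on two machines and finds them identical, and then pulls the App-V client events out of the Application log. The script below is an added example, not code from any participant in the thread or from F-Secure or Microsoft: it captures the same facts on one machine in a form that can be diffed against a second machine, and adds one thing the posts do not check, the Authenticode signature status of the binaries (a file with the same SHA-1 but a different signature status would point at certificate-chain or catalog state rather than at the file itself). The `last error 87` in event 3079 is the Win32 code ERROR_INVALID_PARAMETER. Assumptions: sftlist.exe sits at the default App-V 4.x client path on 32-bit Windows 7, the Application event-log source name is the one shown in the posted events, and PowerShell 4.0 or later is installed (Get-FileHash does not exist in the PowerShell 2.0 that ships with Windows 7 SP1).

```powershell
# Added example (not from the thread). Collect the facts the thread compares by hand:
# file version, SHA-1 and Authenticode status of sftlist.exe and iexplore.exe, plus the
# App-V client events 3079/3001 from the Application log. Run on both machines and diff.
# Assumption: default App-V 4.x client install path on 32-bit Windows 7 (no "(x86)").
param(
    [string]$SftListPath = 'C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe',
    [string]$IePath      = 'C:\Program Files\Internet Explorer\iexplore.exe',
    [int]$Hours          = 24
)

function Get-BinaryFacts {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path        = $Path
        Present     = $true
        FileVersion = $item.VersionInfo.FileVersion
        Length      = $item.Length
        # Requires PowerShell 4.0+ (assumption stated in the lead-in).
        SHA1        = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
        # Valid / NotSigned / HashMismatch / UnknownError: differs between machines
        # when the chain or catalog state differs even though the bytes are identical.
        Signature   = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
    }
}

# 3079 and 3001 are the two App-V client event IDs quoted in the thread.
function Get-AppVLaunchFailures {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Application Virtualization Client'
        Id           = 3079, 3001
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Detail'; e = { ($_.Properties | ForEach-Object Value) -join ' | ' } }
}

$report = [ordered]@{
    Computer = $env:COMPUTERNAME
    SftList  = Get-BinaryFacts -Path $SftListPath
    IExplore = Get-BinaryFacts -Path $IePath
    Failures = @(Get-AppVLaunchFailures -Hours $Hours)
}

# One JSON file per machine; diff the two files to find what actually differs.
$out = Join-Path $env:TEMP "appv-deepguard-$($env:COMPUTERNAME).json"
$report | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $out
$report.SftList, $report.IExplore | Format-Table Path, Present, FileVersion, Signature, SHA1 -AutoSize
Write-Host "Report written to $out"
```

Run it in an elevated PowerShell on the machine that blocks and on the one that works, then compare the two JSON files. If the binaries match on every field including signature status, the difference is not in the files and the remaining suspects are the ones the thread goes on to discuss: the DeepGuard rule actually in effect on the client, and the client's connection to the reputation service.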

  • MJ-perComp (Posts: 669, Firewall Master)

    OK,
    I missed that this is only Anti-Virus, not Client Security. So it is not Application Control that blocks.

    Then let's go deeper into this:
    What OS and SP are the two machines?
    How do you know it is DeepGuard?
    Did you try turning off advanced process monitoring?
    What dialogs do you get?
    What does "Details" give?
    Does ORSPDIAG report "Connection OK"?

    BR
    Matthias

  • Gaasbeek (Posts: 17, Security Scout)

    OS: Windows 7 Pro 32-bit NL
    Service Pack 1.
    All up to date.

    Both systems are the same.
    The only changes that have been made are to some registry settings that belong to a different application.

    When I start the application I see App-V starting, and when it tries to start Internet Explorer we receive a message that DeepGuard has blocked the application because it tried to write to the memory of the other program.

    The EXE file that it displays is sftlist.exe.

    Advanced process monitoring is disabled on both machines (they use the exact same policy).

    The dialogs that we get are the F-Secure message about DeepGuard that I explained above,
    and a message from the App-V client that it can't work because it was blocked.

    And where can I find ORSPDIAG?

    If that means the F-Secure client itself:
    then it says that all connections towards the management server are OK.
    Same for updates.

This discussion has been closed.