White List - application control
Hi,
Is there any way to add to the white list an application which is not stored in the Windows directory?
For example Internet Explorer. I want to avoid situations where iexplorer.exe is blocked every time after sending a new update.
I'm using Policy Manager 9 with "Deny" option set under Application Control tab.
And a second question concerning the Application Control tab: is it possible to check the time when a new exe file shows up under "Unknown applications reported by host"?
Comments
-
Hello Kallstrom,
It's not possible to add any applications to the application control whitelist residing outside the Windows directory.
When using the "deny" as a default action for outbound/inbound connections for unknown applications in application control it's strongly advised to have a few computers in a piloting group where you could roll-out new applications and updates prior to rolling them out for the whole domain. This way you'd have enough time to allow these applications.
There's no "arrival" or "first seen" date available in Policy Manager console regarding the new binaries under "Application Control Rules".
1 -
Thanks
"arrival" date for application control would be a nice addition, hope to see this in future versions of PMS
0 -
Hi,
if IE is blocked every time you get an update for it, F-Secure is not configured correctly.
Please run ORSPDIAG and post the last 20 lines of the output. Without ORSP-Connection you can not solve the problem.
Also it might help to clear the local list on the hosts because on rare occasions it might get stuck. Please ask support for "AC-Clear.jar"
BR
0 -
By saying "every time" I mean that IE is blocked every time I send an update which changes the version of IE, so that is correct (?)
0 -
This should not happen.
IE is a well-known application and the ORSP network should automatically confirm that the update is OK.
Please remove all IE entries from the AC-List in the PMC and also clear the AC-List on the Host that shows this effect.
0 -
I have 5 PMS running and it never worked like you are saying. It's not only one host which behaves like that, but every single machine managed from PMC.
I will make some tests on a newly created PMS.
5 -
Again, this is not normal, I never get a request about IE.
Those tests with a new PMS will not really change anything if the configuration is not correct.
Please provide the requested data and follow the outlined procedure!
Also mention the versions in use and applied hotfixes.
BR
0 -
When trying to run orspdiag.exe on a server I get:
RCP communication error (is ORSP service running?)
Checked all our servers and there is no FSORPS service running.
I ran orspdiag on a client.
Last 20 lines of the diag:
Histogram of server query roundtrip times (ms):
  [0: 0] [20: 0] [40: 0] [80: 0] [160: 0] [320: 0] [640: 0] [1280: 0] [2560: 0] [5120: 0] [10240: 0]
Histogram of NRS safe:
  [missing: 0] [empty: 0] [error: 0] [-100: 0] [-99: 0] [-79: 0] [-19: 0] [80: 0] [100: 0]
Histogram of NRS lookups: -
Histogram of NHIPS ratings from cache:
  all: [0: 1667] [150: 158]
  last 14 days: [0: 1369] [150: 158]
  last 24 hours: [150: 155] [0: 21]
UUID: 89cee1a7-51de-4f66-8373-b7df65556932
Server: d96e61c9.de2
Status: 200
Connectivity state: Ok
CRL state: Ok
Proxies: -
Current proxy: -
Cache: 1825/10000 entries (NHIPS: 1825, NRS: 0), 398653 bytes
Server version 9.00.30231 hotfix 2
example client FSC 9.10 (294) HF05
0 -
RCP communication error (is ORSP service running?)
The most common reason for this is that DeepGuard is actually disabled on the host by policy. I would suggest opening a support ticket about the issue.
0 -
You can check the setting from Policy Manager console (in advanced mode) F-Secure -> F-Secure DeepGuard -> Settings -> Use Real-Time Protection Network
0 -
DeepGuard protection is enabled
DeepGuard Enabled = Enabled
Use Real-time Protection Network = Enabled
Enhanced Process Monitoring Enabled = Disabled
0 -
Hi,
Is the http-proxy configured correctly? ORSP-Servers are located on the internet!
Check system proxy (proxycfg.exe on XP)
When you have the ORSP working properly, clear Application Control as explained before.
Set Application control to "Do not prompt for applications that Deepguard has identified"
and "Do not prompt for Applications identified by Realtime protection network"
Then report back.
BR
0 -
Hi
Sorry for being quiet...
I owe you a "solution" on this one. After making some tests I found out that it works with ORSP servers only when the "user decision" option is set under Application control.
With my configuration ("Deny") all applications are blocked even with ORSP enabled.
Thanks for your time
0 -
Good thing this problem has already been answered. It really saves me a lot of time. Thanks a lot.
0