
Policy not distributed to client

J-C
J-C Posts: 44 Security Scout

Hi,


Running PMS/PMC 9.0 and client security version 9.11 on the (non)affected host.

 

Since I have "inherited" F-secure administration from another consultant, I'm trying to clean up excluded objects in the different domains because there are several of them "doing the same thing". Also I am adding the recommended Microsoft exclusions to all Windows machines.

 

Yesterday I added some excluded objects to a domain, using wildcards. See pic below:

 

new_policy_settings.JPG

 

 

Today when I look at the host in question in PMC (policy tab), all looks fine. But when I click on the "Status Tab", I still see the old settings used before my changes, see pic below:

 

 

Also, when I log on to the host and view the excluded objects, it shows still the same old settings, see pic below:

 

settings_on_client.JPG

 

At the same time, info about the host in PMC shows that it has got the latest policy, i.e. the one containing my changes? But as one can see, this is not correct, it still has the old settings but new policy?


Please, could someone explain this to me? How to troubleshoot when PMC says all is good, but it isn't? :)

 

Thanks in advance!

 

Regards,
JC

Comments

  • MJ-perComp
    MJ-perComp Posts: 669 Firewall Master

    Hi,

    Local exclusions have priority. Use "Final" and "force table" to force the client to accept your settings.

     

    Also please note that MS does not recommend excluding certain files/folders/extensions in general!!! They even WARN about the security risk.

     

    They only say: IF you encounter a performance problem, TRY excluding these AND get in contact with your vendor, so that he can establish a decent fix. REMOVE the exclusion as soon as possible!

     

    Also your exclusions are FAR too wide!: C:\positives\, c:\positives\tinghtvnc; c:\positives\tightvnc\tightvnc.exe

     

    Neither of these makes sense to me, and if you have trouble with tightvnc it comes from Spyware detection and can easily be excluded there from its hash!! Replacing this file on the client with a trojan is possible without anyone noticing!

     

    BR
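The difference between a path exclusion and a hash exclusion raised in the comment above, as an added example (not from the thread and not F-Secure's matching logic): a simplified model in which a folder rule covers everything beneath it and a hash rule pins one file's content. SHA-256, the function names and the file contents are assumptions made for the illustration.

```python
import hashlib
import ntpath
import os
import tempfile
from fnmatch import fnmatchcase

def path_excluded(path, rules):
    """Simplified path rule: a rule ending in a backslash covers the whole
    folder tree; any other rule is matched as a wildcard pattern."""
    p = ntpath.normcase(path)
    for rule in rules:
        r = ntpath.normcase(rule)
        if r.endswith("\\"):
            if p.startswith(r):
                return True
        elif fnmatchcase(p, r):
            return True
    return False

def sha256_of(file_path):
    """Hash the file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(file_path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_excluded(file_path, allowed_hashes):
    """Hash rule: the exclusion applies only while the content is unchanged."""
    return sha256_of(file_path) in allowed_hashes

def demo():
    rules = ["c:\\positives\\"]                        # folder rule quoted in the thread
    logical = "C:\\positives\\tightvnc\\tightvnc.exe"  # path as the scanner would see it
    with tempfile.TemporaryDirectory() as d:
        on_disk = os.path.join(d, "tightvnc.exe")      # constructed stand-in file
        with open(on_disk, "wb") as f:
            f.write(b"constructed stand-in for the approved binary")
        allowed = {sha256_of(on_disk)}                 # hash recorded at approval time
        before = (path_excluded(logical, rules), hash_excluded(on_disk, allowed))
        with open(on_disk, "wb") as f:                 # content replaced, same path
            f.write(b"constructed stand-in for a replaced binary")
        after = (path_excluded(logical, rules), hash_excluded(on_disk, allowed))
    return before, after

if __name__ == "__main__":
    print(demo())
```

After the content changes, the path rule still excludes the file from scanning, while the hash rule no longer applies and the file would be scanned again.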

  • J-C
    J-C Posts: 44 Security Scout

    Hi,

     

    Obviously I have been misinformed by my predecessor regarding MS exclusions. I am actually working on the other exclusions and finding out what the problem really is on the clients, eliminating one by one.

     

    Regarding C:\Positive, this folder apparently contains an application that takes "forever" to start if it's not excluded? This is, I'm afraid, all the info I have managed to get so far.

     

    Do you have any other suggestions on how to solve this, except excluding the folder?

     

    If spyware detection is what causes this, should it not appear in the window called "Spyware reported by host(s)"?

     

    Thanks for your advice!

     

    Regards,
    JC

  • MJ-perComp
    MJ-perComp Posts: 669 Firewall Master

    Hi,

     

    You need to run the system for a couple of days (including shutdowns) without any exclusion, then support can see from a FSDIAG.TAR.GZ what actually causes this behaviour.

     

    BR

     

  • J-C
    J-C Posts: 44 Security Scout

    Hi,


    Thanks again for your advice, you are always helpful! Don't understand how you get the time to contribute so much in this community, but I guess if you manage F-secure for customers, it runs smoothly without any problems. :)

     

    Best regards,

    JC

This discussion has been closed.
