Critical System Protection

 allow "Process Modification"

Dimitri Danishevski posted Mar 11, 2021 05:17 AM
Hi All
I cannot allow "Process Modification".
I think this is due to Operation: "DuplicateProcess"
I attach a screenshot.
Maybe someone knows how to solve the problem.

B.R.
Dima
Igor Litvinov
Hello Dimitri,
I didn't have such problems with the operation: "DuplicateProcess".
Which sandbox do you add the rule to?
Dimitri Danishevski
Hi
I follow the standard steps:

1. Profiling new Application
2. Create new App & Sandbox
3. Edit new Custom sandbox
4. Save & Reapply Policy

Or Manually

1. SCSP Java Console > Agent right click > Get App & Files Data
2. Edit Policy > Application Rules > Add > Predefined App > Find & Add Application
3. Sandbox > Add > Create Custom Sandbox(Hardened)
4. Edit new Custom sandbox
5. Save & Reapply Policy

Or

1. SCSP Java Console > Agent right click > Get App & Files Data
2. Edit Policy > Application Rules > Add > Prefered App > Find & Add Application
3. Configure new App with Hardened Sandbox (Only for test if the trouble in custom sandbox)
4. Save & Reapply Policy

Regardless of how I set up the new Application, everything works fine, but there are a few events that I just can't resolve.
Not sure, but I noticed a few general details:

Event > Details:
1. OS Result: BAD_NETWORK_PATH
2. OS Result: OBJECT_NAME_NOT_FOUND
3. Operation: DuplicateProcess

B.R.
Dima
Igor Litvinov
Hello,
To allow your process, you need to add a rule to the "rpcss_ps" sandbox.
Dimitri Danishevski
Hi Igor.
Before writing here, I tried all / many options.
I tried adding to:
RPCSS_PS
DEF_WINSVCS_PS
HARDENED_PS
GLOBAL OPTIONS
..........
Igor Litvinov
In your screenshot you can see that the blocked process gets into the "rpcss_ps" sandbox. So you need to add rules to this sandbox. Could you send a screenshot of the rule you are adding?
Dimitri Danishevski
Yes of course.
Only it will take some time.
I will send it as soon as I am at the client's place.