Hi All,
We have a DCS:SA setup for some 100 servers. Below is the setup information:
- The majority of the servers are protected with an IPS profile.
- The built-in Windows entry point protection policy is being used on all Windows servers.
- The pivot-table method is used for application whitelisting.
Below are the challenges:
- We have to prevent the uninstallation of whitelisted applications.
- At the same time, some users need to have the privileges to uninstall.
- We have run a test uninstallation of a couple of applications and monitored what events are triggered, such as which file or process is executed during uninstallation. This helped us to create a common rule to stop uninstallation. Most installations and uninstallations use MS msiexec.exe as the backend process to start a process; however, that won't be the case with all of them, but with most.
We have also tried the steps below.
- Create an application rule for C:\Windows\System32\msiexec.exe and route it to Deny sandbox.
- Create a rule within Global policy options, so that no user or program has access to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
But these do not satisfy the exact requirement. Requesting your help to overcome this issue.
Thanks & Regards
Liju Raju