Data Center Security

  • 1.  Advice to allow Process Assignment to stop going to Deny

    Posted Aug 25, 2023 02:18 PM

    I've attempted multiple ways (using the IIS sandbox, and I even created a custom sandbox for this event). I get 20-30 events a day for this process assignment, but I cannot tune it out.

    SOURCE

    Agent Name                      <removed>
    Host Name                       <removed>
    Host IP Address                 <removed>
    User Name                       NT AUTHORITY\NETWORK SERVICE
    Agent Version                   6.9.1.507
    OS Type                         Windows
    OS Version                      Server 2008 R2 SP1
    Agent Type                      CSP Native Agent

    EVENT

    Event Type                      Process Assignment
    Event Category                  Real Time - Prevention
    Operation                       create
    Event Severity                  Warning
    Event Priority                  45
    Acknowledgement Status          false
    Event Date                      18-Aug-2023 10:00:48 EST
    Post Date                       18-Aug-2023 10:00:48 EST
    Post Delay                      00:00:00
    Event Count                     1
    Event ID                        13135980

    DETAILS

    Description                     Process Assignment for evointernal.dat to deny_ps
    Policy Name                     Prevention_Disabled_CoreOS_Policy_Win2008
    Internal Rule                   RN:r0
    Process                         D:\Application\Live\Website\bin\evointernal.dat
    Parent Process                  C:\Windows\System32\inetsrv\w3wp.exe
    Agent State                     Prevention Globally Disabled, Windows Service Process/Sub-Process
    Sandbox                         deny_ps
    Operation                       create
    Process ID                      4264
    Thread ID                       6916
    Parent PID                      2976
    Arguments                       "D:\Application\Live\Website\bin\evointernal.dat"
    Process Signature               Unsigned (00000000)
    Module Signature                Unsigned (00000000)
    Parent Process Signature        Microsoft OS Component (00039437)


    In the custom sandbox, under Process Access Controls > Full Access Process Access Controls > "Allow full access to these processes", I have the simple values of ...

    Target Program Path - D:\Application\Live\Website\bin\evointernal.dat
    Program Path - C:\Windows\System32\inetsrv\w3wp.exe

    That's all.

    In the IIS sandbox, under Process Access Controls > Full Access Process Access Controls > "Allow full access to these processes", I have the values of ...

    Target Program Path - D:\Application\Live\Website\bin\evointernal.dat
    Program Path - C:\Windows\System32\inetsrv\w3wp.exe
    User Name - NT AUTHORITY\NETWORK SERVICE

    We do have a Test environment on another server running similar application software, which has been successfully tuned out, but the program path there was the SysWOW64 version of w3wp.exe:

    Target Program Path - D:\ApplicationTest\Website\bin\evointernal.dat
    Program Path - C:\Windows\SysWOW64\inetsrv\w3wp.exe
    User Name - NT AUTHORITY\NETWORK SERVICE

    Really struggling to make the Live one disappear.

    Please could someone kindly offer some advice for me?

    Many Thanks,

    Andy



  • 2.  RE: Advice to allow Process Assignment to stop going to Deny

    Posted Sep 27, 2023 05:09 AM

    A month on and I still have this issue. I've resorted to adding D:\Application\Live\Website\bin\evointernal.dat to the writable resource list / "allow modification to these files" on the IIS_PS, but I still get a deny event.

    Please, is there anyone out there who might be able to give me some assistance?




  • 3.  RE: Advice to allow Process Assignment to stop going to Deny

    Posted Sep 27, 2023 12:35 PM

    Hello Andy,

    What I would recommend is:

    Confirm how to reproduce this policy violation. A quick Google search suggests this is from evopdf dot com, an HTML to PDF converter. Possibly all you need to do is go to the website being hosted where the DCS agent is installed and click a button or something to convert the page to PDF, which would call this module. Also, you said you got this fixed in your test environment. Based on the events you posted, the violations are not the same. Maybe the live site is running an older version of the HTML to PDF converter? Something to check, in case they changed how it functions.

    Create a separate security group called EVOInternal_Troubleshooting for this asset.

    Create a separate Prevention Config/Parameters and remove all the log rules and just have one that is set to Event Type Equals Any. Name the new Prevention Config something like EVOInternal-Troubleshooting Prevention Parameters. Assign this troubleshooting config in the UMC to the EVOInternal_Troubleshooting security group. 

    Create a Copy of the Prevention_Disabled_CoreOS_Policy_Win2008 policy. Rename it to EVOInternal_Troubleshooting_Prevention_Disabled_CoreOS_Policy_Win2008.

    Edit the EVOInternal_Troubleshooting_Prevention_Disabled_CoreOS_Policy_Win2008 policy. In the "Global Policy Options" -> "Process Logging Options" section, enable "Log trivial policy violations".

    Make sure that both "Log process assignment messages" and "Log process assignment command line arguments" are checked as well. These are enabled by default.

    Assign the EVOInternal_Troubleshooting_Prevention_Disabled_CoreOS_Policy_Win2008 policy to the EVOInternal_Troubleshooting security group in the UMC.

    Now you should have everything ready for troubleshooting. Be careful with this security group: any assets that get assigned to this group will send all logs to the management server. If there are multiple admins for DCS and one admin is not aware and adds 100 servers to this group by accident, it could cause a DoS.

    Move the asset into the EVOInternal_Troubleshooting security group. Reproduce the policy violation. Then get agent diagnostics from the asset to review the logs. I would not recommend trying to route IIS to another custom sandbox, though. You should remove that from the policy. You may want to try troubleshooting with an out-of-the-box policy that is disabled and not tuned with exceptions, just so you are certain you are getting all of the possible violations.

    All events are going to get sent to the management server from this agent so you'll see them in the UMC. Having the agent diagnostics for point in time and events in the UMC for continuous monitoring of events gives you some flexibility in troubleshooting.

    See if you can spot any more details about the violation that would help with creating the exception. You might have to call support and open a case for help on this.

    To me, with just the information you provided, it appears that the parent process C:\Windows\System32\inetsrv\w3wp.exe (IIS) is executing the child process D:\Application\Live\Website\bin\evointernal.dat. It's not a traditional executable type and it's showing as unsigned. The IPS driver doesn't know what to do with this, and with no matching rule in the policy it defaults to an internal rule that routes it to the deny_ps sandbox.

    Regards,
    Shane
    shane at northstar.io
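An added example to go with the reproduce-and-inspect step above. It is not part of the thread and is not Symantec/Broadcom DCS tooling; it is a PowerShell script run on the Live server while the violation is being reproduced, to record what the agent actually evaluates: the parent w3wp.exe image path and bitness (System32 vs SysWOW64, which is the difference between the Live and Test exceptions in the thread), the account it runs as, and the Authenticode status of evointernal.dat. The target path and process name are taken from the thread; the function names, poll interval and duration are assumptions. Get-WmiObject is used rather than Get-CimInstance so it also runs on Server 2008 R2 with PowerShell 2.0.

```powershell
# Added example, not from the thread and not DCS tooling. Run elevated on the
# Live server, then reproduce the violation (for this converter, trigger the
# HTML-to-PDF action on the site) while Watch-ChildProcess is polling.
# The target path is taken from the thread; everything else is an assumption.

$Target = 'D:\Application\Live\Website\bin\evointernal.dat'

function Get-WorkerProcessInfo {
    # Every IIS worker process with its image path, app pool and owner.
    #   C:\Windows\System32\inetsrv\w3wp.exe  => 64-bit application pool
    #   C:\Windows\SysWOW64\inetsrv\w3wp.exe  => 32-bit application pool
    #                                            ("Enable 32-Bit Applications" = True)
    # The exception's Program Path has to match this path exactly.
    foreach ($w in (Get-WmiObject Win32_Process -Filter "Name = 'w3wp.exe'")) {
        $owner = $w.GetOwner()
        $pool  = '?'
        # w3wp.exe receives the application pool name as -ap "<name>"
        if ($w.CommandLine -match '-ap\s+"([^"]+)"') { $pool = $Matches[1] }
        $bits = '64-bit'
        if ($w.ExecutablePath -like '*\SysWOW64\*') { $bits = '32-bit' }
        New-Object PSObject -Property @{
            PID     = $w.ProcessId
            Bitness = $bits
            AppPool = $pool
            User    = '{0}\{1}' -f $owner.Domain, $owner.User
            Path    = $w.ExecutablePath
        }
    }
}

function Watch-ChildProcess {
    # Polls for the short-lived child (the event shows Operation = create) and
    # prints its owner, command line and the parent image path DCS will match.
    param([string]$Name = 'evointernal.dat', [int]$Seconds = 60)
    $seen = @{}
    $stop = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $stop) {
        foreach ($c in (Get-WmiObject Win32_Process -Filter "Name = '$Name'")) {
            if ($seen.ContainsKey($c.ProcessId)) { continue }
            $seen[$c.ProcessId] = $true
            $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($c.ParentProcessId)"
            $owner  = $c.GetOwner()
            '{0:HH:mm:ss} child PID {1} user {2}\{3}' -f (Get-Date), $c.ProcessId, $owner.Domain, $owner.User
            '    image  : {0}' -f $c.ExecutablePath
            '    args   : {0}' -f $c.CommandLine
            if ($parent) { '    parent : {0} (PID {1})' -f $parent.ExecutablePath, $parent.ProcessId }
            else         { '    parent : PID {0} already exited' -f $c.ParentProcessId }
        }
        Start-Sleep -Milliseconds 250
    }
    'Distinct {0} processes observed: {1}' -f $Name, $seen.Count
}

# Signature status of the file; the event reported "Unsigned (00000000)".
$sig = Get-AuthenticodeSignature -FilePath $Target
'{0}: {1}' -f $Target, $sig.Status
if ($sig.SignerCertificate) { '  signer: {0}' -f $sig.SignerCertificate.Subject }

Get-WorkerProcessInfo | Format-Table PID, Bitness, AppPool, User, Path -AutoSize
Watch-ChildProcess -Name 'evointernal.dat' -Seconds 60
```

Compare the printed parent path and user with the Program Path and User Name in the sandbox exception character for character. If the Live application pool is 64-bit, the parent is System32\inetsrv\w3wp.exe and an exception copied from the 32-bit Test pool (SysWOW64\inetsrv\w3wp.exe) will never match; the output also confirms whether the process is really launched from the .dat path or from a copy elsewhere, which is the kind of detail the agent diagnostics would be checked for.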




  • 4.  RE: Advice to allow Process Assignment to stop going to Deny

    Posted Sep 28, 2023 03:24 AM

    Shane, Thank you so much for such a detailed reply.

    I'll work through your recommendations and see what I can find out. 

    Thanks again.

    Andy