Shane, Thank you so much for such a detailed reply.
Thanks again.
Original Message:
Sent: Sep 27, 2023 12:35 PM
From: Shane_NorthStar.io
Subject: Advice to allow Process Assignment to stop going to Deny
Hello Andy,
What I would recommend is:
Confirm how to reproduce this policy violation. Quick googling, this appears to be from evopdf dot com. A HTML to PDF converter. Possibly all you need to do is go to the website being hosted where the DCS agent is installed and click on a button or something to convert the page to PDF, which would call this module. Also you said you got this fixed in your test environment. Based on the events you posted, the violations are not the same. Maybe the live site is running an older version of the HTML to PDF converter? Something to check if they changed how it functions.
Create a separate security group called EVOInternal_Troubleshooting for this asset.
Create a separate Prevention Config/Parameters and remove all the log rules and just have one that is set to Event Type Equals Any. Name the new Prevention Config something like EVOInternal-Troubleshooting Prevention Parameters. Assign this troubleshooting config in the UMC to the EVOInternal_Troubleshooting security group.
Create a Copy of the Prevention_Disabled_CoreOS_Policy_Win2008 policy. Rename it to EVOInternal_Troubleshooting_Prevention_Disabled_CoreOS_Policy_Win2008.
Edit the EVOInternal_Troubleshooting_Prevention_Disabled_CoreOS_Policy_Win2008 policy. In the "Global policy Options"->"Process Logging Options" section, enable "Log trivial policy violations".
Make sure that both "Log process assignment messages" and "Log process assignment command line arguments" are checked as well. These are enabled by default.
Assign the EVOInternal_Troubleshooting_Prevention_Disabled_CoreOS_Policy_Win2008 policy to the EVOInternal_Troubleshooting security group in the UMC.
Now you should have everything ready for troubleshooting. Be careful with this security group. Any assets that get assigned to this group will send all logs to the management server. If there are multiple admins for DCS and one admin is not aware and adds 100 servers to this group by accident, it could cause a DoS.
Move the asset into the EVOInternal_Troubleshooting security group. Reproduce the policy violation. Then get an agent diagnostics from the asset to review the logs. I would not recommend trying to route IIS to another custom sandbox though. You should remove that from the policy. You may want to try troubleshooting with an out of box policy that is disabled and not tuned with exceptions. Just so you are certain you are getting all of the possible violations.
All events are going to get sent to the management server from this agent so you'll see them in the UMC. Having the agent diagnostics for point in time and events in the UMC for continuous monitoring of events gives you some flexibility in troubleshooting.
See if you can spot any more details about the violation that would help with creating the exception. You might have to call support and open a case for help on this.
To me, with just the information you provided, it appears that the parent process C:\Windows\System32\inetsrv\w3wp.exe (IIS) is executing the child process D:\Application\Live\Website\bin\evointernal.dat. It's not a traditional executable type and it's showing unsigned. The IPS driver doesn't know what to do with this and there is no matching rule in the policy, so it defaults to an internal rule to route to the deny_ps sandbox.
Regards,
Shane
shane at northstar.io
Original Message:
Sent: Sep 27, 2023 05:09 AM
From: Andy Peall
Subject: Advice to allow Process Assignment to stop going to Deny
A month on and I still have this issue. I've resorted to adding D:\Application\Live\Website\bin\evointernal.dat to the writable resource list / allow modification to these files on the IIS_PS but still get a deny event.
Please, is there anyone out there who might be able to give me some assistance?
Original Message:
Sent: Aug 21, 2023 05:23 AM
From: Andy Peall
Subject: Advice to allow Process Assignment to stop going to Deny
I've attempted multiple ways (using the IIS sandbox and even created a custom sandbox for this event). I get 20-30 events a day for this process assignment but I cannot tune it out.
SOURCE
Agent Name <removed>
Host Name <removed>
Host IP Address <removed>
User Name NT AUTHORITY\NETWORK SERVICE
Agent Version 6.9.1.507
OS Type Windows
OS Version Server 2008 R2 SP1
Agent Type CSP Native Agent
EVENT
Event Type Process Assignment
Event Category Real Time - Prevention
Operation create
Event Severity Warning
Event Priority 45
Acknowledgement Status false
Event Date 18-Aug-2023 10:00:48 EST
Post Date 18-Aug-2023 10:00:48 EST
Post Delay 00:00:00
Event Count 1
Event ID 13135980
DETAILS
Description Process Assignment for evointernal.dat to deny_ps
Policy Name Prevention_Disabled_CoreOS_Policy_Win2008
Internal Rule RN:r0
Process D:\Application\Live\Website\bin\evointernal.dat
Parent Process C:\Windows\System32\inetsrv\w3wp.exe
Agent State Prevention Globally Disabled, Windows Service Process/Sub-Process
Sandbox deny_ps
Operation create
Process ID 4264
Thread ID 6916
Parent PID 2976
Arguments "D:\Application\Live\Website\bin\evointernal.dat"
Process Signature Unsigned (00000000)
Module Signature Unsigned (00000000)
Parent Process Signature Microsoft OS Component (00039437)
In the custom sandbox, under Process Access Controls - Full Access Process Access Controls - Allow full access to these processes I have the simple values of ...
Target Program Path - D:\Application\Live\Website\bin\evointernal.dat
Program Path - C:\Windows\System32\inetsrv\w3wp.exe
That's all.
In the IIS sandbox, under Process Access Controls - Full Access Process Access Controls - Allow full access to these processes I have the values of ...
Target Program Path - D:\Application\Live\Website\bin\evointernal.dat
Program Path - C:\Windows\System32\inetsrv\w3wp.exe
User Name - NT AUTHORITY\NETWORK SERVICE
We do have a Test environment on another server running similar application software which has been successfully tuned out, but the program path was to the SysWOW64 version of w3wp.exe.
Target Program Path - D:\ApplicationTest\Website\bin\evointernal.dat
Program Path - C:\Windows\SysWOW64\inetsrv\w3wp.exe
User Name - NT AUTHORITY\NETWORK SERVICE
Really struggling to make the Live one disappear.
Please could someone kindly offer some advice for me?
Many Thanks,
Andy
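An added helper, not from the thread and not part of DCS, that parses the flat "Key value" event dump posted above and checks whether a sandbox "Allow full access" entry lines up with the event's process, parent and user. The path comparison is an assumed, simplified model (literal, case-insensitive), not DCS's own rule evaluation, so it only shows why an entry copied from the Test server (SysWOW64 parent) would not cover the Live event, not why the matching Live entry still ends in deny_ps.

```python
# Field names seen in the DCS Process Assignment event above. Longest first, so
# "Parent Process Signature" wins over "Parent Process", which wins over "Process".
EVENT_KEYS = sorted([
    "Event Type", "Event Category", "Description", "Policy Name", "Internal Rule",
    "Process", "Parent Process", "Sandbox", "User Name", "Arguments",
    "Process Signature", "Module Signature", "Parent Process Signature",
], key=len, reverse=True)

# Sample event: field values copied from the event posted in the thread.
SAMPLE_EVENT = r"""
Event Type Process Assignment
Description Process Assignment for evointernal.dat to deny_ps
Policy Name Prevention_Disabled_CoreOS_Policy_Win2008
Internal Rule RN:r0
Process D:\Application\Live\Website\bin\evointernal.dat
Parent Process C:\Windows\System32\inetsrv\w3wp.exe
Sandbox deny_ps
User Name NT AUTHORITY\NETWORK SERVICE
Process Signature Unsigned (00000000)
Parent Process Signature Microsoft OS Component (00039437)
"""

def parse_event(text):
    """Turn the 'Key value' lines of a UMC event dump into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        for key in EVENT_KEYS:
            if line.startswith(key + " "):
                fields[key] = line[len(key) + 1:].strip()
                break
    return fields

def deny_findings(ev):
    """Facts worth noting when a process assignment lands in deny_ps."""
    out = []
    if ev.get("Sandbox") == "deny_ps":
        out.append("routed to deny_ps")
    if ev.get("Internal Rule", "").startswith("RN:"):
        out.append("internal rule fired: no policy rule matched")
    if ev.get("Process Signature", "").startswith("Unsigned"):
        out.append("child process is unsigned")
    if ev.get("Parent Process", "").lower().endswith("\\w3wp.exe"):
        out.append("spawned by IIS worker process")
    return out

def entry_matches(ev, target_path, program_path, user_name=None):
    """Assumed simplified check: does a 'Full Access' entry cover this event?"""
    same = lambda a, b: a.lower() == b.lower()  # literal compare, no wildcards
    if not same(ev.get("Process", ""), target_path): return False
    if not same(ev.get("Parent Process", ""), program_path): return False
    return user_name is None or same(ev.get("User Name", ""), user_name)
```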