Symantec Privileged Access Management

  • 1.  Process Protection Policy Failure

    Posted Jun 01, 2015 12:29 PM

    Dear Community

     

    I'm trying out a policy to protect the cmd.exe console and when checking the protection, the policy is not working and the status of recorded event is as follows:CA ControlMinder Access mask removal notification.

     

    Please if you could help me with this problem.

     

    Sending the code of politics and the image of the endpoint audit logs.

     

    Policy

    ---------

    Script de Implementacion

    ------------------------------------

    #Definicion de variables
    er ACVAR CMCMD value(cmd.exe)
    #Configuracion de politica de proteccion de proceso
    editres PROCESS <!CMCMD> owner(nobody) defaccess(none)

     

    Script de Anulacion de Implementacion

    ------------------------------------------------------
    #Removiendo recurso de tipo archivo
    rr PROCESS <!CMCMD>

     

    PoliticaProteccionDeProcesoFalla.png

     

    Thanks in advance for your help.



  • 2.  Re: Process Protection Policy Failure

    Broadcom Employee
    Posted Jun 10, 2015 05:02 AM

    Hi Benny

     

    Please open a support case for this issue as this requires further investigation.

     

    Regards,

    Mohammed Mustansir



  • 3.  Re: Process Protection Policy Failure

    Posted Jun 11, 2015 06:33 PM

    Hi Mohammed

     

    Ok, for now, are you any solution or review occur?

    Thanks for your help.



  • 4.  Re: Process Protection Policy Failure

    Posted Jun 12, 2015 12:14 AM

    Hi Benny,

     

    Good Day!!

     

    If your intention is to protect the cmd.exe,

     

    You can do somthing lilke this : nr PROGRAM ("C:\Windows\system32\cmd.exe") audit(a) defaccess(N)

                                                  auth PROGRAM ("C:\Windows\system32\cmd.exe") uid(USER_WHO_NEEDS_ACCESS) access(a)

     

     

    --

    Vinay Reddy



  • 5.  Re: Process Protection Policy Failure

    Posted Jun 12, 2015 11:07 AM

    Hi Vinay

     

    Thanks for the help, the suggestion of political works.
    I would like to consult you, I need to protect a process associated with an executable, the executable file can be in any location.
    As I can protect the process?Thanks in advance for your comments and help.



  • 6.  Re: Process Protection Policy Failure
    Best Answer

    Posted Jun 15, 2015 12:28 AM

    Hi Benny,

     

     

    Here is how to achieve your requirement:

    so class+(PROCESS)

    nr PROCESS ("C:\Windows\system32\cmd.exe") defaccess(N) audit(a) owner(nobody)

     

    Doing this, will stop users from killing the process directly.

    To check this, after creating the rule, open the taskmanager > Process Tab , try killing the process.

     

    However, You can Kill the Cmd.exe from the Applications tab of the task manager > End Task.

    The reason for this is , when you end the task from the taskmanager,windows will fire WM_CLOSE message to that window asking graceful shutdown:

    The application processes this message, handles any necessary cleanup tasks end exits. Actually the process is not terminated but exits by itself that is

    not kind of process killing related to PROCESS class protection. In difference to this, Task Manager "End Process" invokes TerminateProcess function terminating/killing application process and this is protected with PROCESS class.

     

    --

    Vinay Reddy