CSA 5.1 & Rule 596

Rule 596 (Network Access Control) generates a TON of noise. Any best practices on tuning this one?
Obviously, cloning the module this one belongs to, "Rootkit Lockdown Module", and setting the new Network Access Control rule built inside to "Deny" instead of "Priority Deny" will allow exception rule creation, but...
Does anyone recommend anything different, such as simply adding Application Classes to the list of apps that this rule should not apply to?
Any suggestions are appreciated...

I just checked a fresh install of CSA 5.1 and rule 596 is a high priority deny for all ip traffic.
I do not agree with changing that rule to straight deny or to deny server only. The reason that rule kicks in is because your systems are "Set" as rootkit detected. If that is a true positive, you should clean the rootkits, not just do something to reduce the alerts. You can check this by going to Events > Status Summary and seeing how many hosts are listed in "Untrusted rootkit detected".
I recommend changing the "Set" Rootkit detected rule itself to monitor. This is one of the 2 set rules in the System Hardening module (or rule 46 in a fresh install). Then use event suppression to keep these alerts out of your main event view if there are too many of them (I'm guessing Symantec will come up). But remember, these are potentially rootkits we're talking about here so you still want to keep an eye on them even if you suppress the events.
I do not recommend changing rule 596 to straight deny or to deny server connections only. The rootkit lockdown module is meant for dealing with machines that have rootkits. This rule applies to servers as well so you can still see tons of alerts if CSA thinks your servers have rootkits.

Similar Messages

  • CSA - Network Shield Rule Triggering for IGMP Packets

    Hi,
    Any ideas why this Network Shield rule (for malicious packets) is getting triggered for these IGMP packets?
    TESTMODE: A packet with malicious content was detected. Reason: Malicious packet. IGMP: 10.1.2.136->224.0.0.22 type 0x22. The operation would have been denied.
    TESTMODE: A packet with malicious content was detected. Reason: Malicious packet. IGMP: 10.1.2.144->224.0.0.1 type 0x11. The operation would have been denied.
    As far as I researched, 0x11 (Query) and 0x22 (v3 Report) are valid IGMP packets.
    Thanks,
    Naman

    Try these links:
    http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_qanda_item09186a008049ad72.shtml
    http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_configuration_guide_chapter09186a00805afcc5.html

  • CSA 5.2 Rule TCP 139

    What is the best way to create an exception rule for NetBIOS on the CSAMC? NetBIOS needs to be enabled because of resolving IPs within rules on the CSAMC.
    The process 'System' (as user NT AUTHORITY\SYSTEM) attempted to initiate a connection as a client on TCP port 139 to X.X.X.X using interface Wired\Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client). The operation was denied
    Any help would be appreciated. I really don't want to create this rule just so I don't see it, just in case something is running over TCP 139.
    Thanks,

    Hey Adam, I have a local db (I'm setting up a remote one on a VM this week to test).
    I allow connections on port 80 to a WSUS server to receive updates, 139 and 445 to the one Windows server for accessing a file share, and 123 to our time server, but nothing else.
    I don't see this as unacceptable risk. I think you could safely allow the traffic to your domain controller, or deny and not log it if it doesn't affect function.
    Are your MC and DB being chatty to the domain controller or to other hosts as well?

  • CSA 5.2.0225, Rule 576, and saving attachments in Outlook 2003

    We're in the process of migrating from 4.5.6139 to 5.2.0225; thus far, the migration is going extremely well - with one bizarre issue haunting my sleep.
    I started seeing this behavior about 2 weeks ago, on machines that (so far as I can determine) have not had any changes made (i.e., the latest round of Windows Updates have not been applied, the machines are tightly controlled, no software has been installed). It also impacts some machines running CSA 4.5.6139.
    However, it does not impact ALL machines; we have a couple of machines that are not impacted.
    Versions of Outlook include 2000 and 2003; all machines are Windows XP SP2, current with patches with the exception of the August 2007 batch.
    Scenario: user opens an e-mail, and right clicks on an attachment to save it. When the common dialog control for saving as comes up, the "My Computer" icon is missing - replaced with the "blank" generic Windows icon, and CSA triggers rule 576, saying that Outlook.Exe attempted to access Explorer.Exe, and was denied.
    Additionally, the machine might display more icons as blank: for example, one of our admins has the ASA ASDM Launcher on his desktop, and that shows up with a blank icon in the save as dialog, and Rule 576 is triggered with "Outlook attempted to access ADSM.exe and was denied."
    In attempting to get a handle on this issue, I have put the entire "Untrusted Classification Content Module" into test mode, reset the agent on a test machine, and still rule 576 is triggered - which strikes me as bizarre, if I understand the triggering conditions correctly.
    Anybody have any thoughts?
    This is not a showstopper, but I'm concerned because I don't understand why this rule has started to get triggered when we have made no change to our environment.
    TIA.

    Tom,
    Not sure I quite understand.
    I'm looking at the MC, and see that "Untrusted Content Classification Module" is associated with the "Application Classification" policy, which is included as part of the "All Windows" group.
    I was operating under the assumption that, since it is included in this policy as part of "All Windows", this was the module responsible for doing the content classification. Indeed, if I turn on logging for some of the rules, it's pretty active - and pretty active in setting e-mail content as "untrusted".
    Rule 576, the one firing, is (according to the description), blocking access to @dynamic - dynamically quarantined files.
    My thought was that I could create exceptions so that common stuff like "excel.exe" would not be tossed into @dynamic, and hence, Outlook could access Excel.Exe, and display the appropriate icon for spreadsheets.
    But then I get all confoozled by the fact that I have some machines, with the same OS/SP/patch level, same AntiVirus, and same group membership in CSA, which do not exhibit this problem.
    (If you read closely, there's a question buried in all the above. I just can't quite get it out due to my ignorance of how CSA is working its magic.)
    Thanks for taking the time to help with this.
    Bob

  • CSA issue with firewall rule

    I created a rule in CSA 6.0 that, by default, blocks any application on any machine being connected to as a server. On a DC we made an exception for the server to be connected to on UDP 53 for DNS. However, we are seeing the messages below. The ports range, so far, from 30,000 to 65,000. It seems odd that dns.exe would be accepting a connection as a server on all of those ports. Has anyone seen this before or had this happen to them, or is this normal? Also, it is running OpenDNS.
    Thanks,
    Jay
    Audit: The process 'C:\WINDOWS\system32\dns.exe' (as user NT AUTHORITY\SYSTEM) attempted to accept a connection as a server on UDP port 61660 from 208.67.220.220 using interface Wired\HP NC7761 Gigabit Server Adapter. The operation would have been denied.

    You are behind a hardware/appliance firewall, right? If so, that port should not be open, which tells me that this is an accept of a UDP reply from OpenDNS to a request the server made, and not an actual request from OpenDNS to your server, because all DNS traffic works on port 53 TCP/UDP as the destination port.
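    The exchange described in the reply above, as an added example that is not part of the original thread: a DNS client binds an ephemeral UDP port, sends its query to port 53, and the resolver addresses its reply back to that ephemeral port. Viewed per packet, that reply looks like an inbound "accept as server" on a high port, which is exactly what the audit events show. The resolver here is a fake one on 127.0.0.1 built inside the script (it stands in for 208.67.220.220:53); the query name, answer address and the stateful-match check are constructed for the example.

```python
"""Loopback demonstration of why a DNS client "accepts" UDP traffic on an
ephemeral port: the resolver's reply is sent to whatever source port the
client chose for its query. Added example, not from the original thread.
The resolver is a fake bound to 127.0.0.1, standing in for OpenDNS:53."""
import secrets
import socket
import struct

QNAME = "example.com"      # constructed sample query name
ANSWER_IP = "192.0.2.1"    # constructed answer (TEST-NET-1 address)


def build_query(txid: int, name: str) -> bytes:
    """Minimal DNS A query: 12-byte header with RD set, then one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN


def build_reply(query: bytes, ip: str) -> bytes:
    """Echo the question with QR/RD/RA set and append one A record (TTL 60)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # 0xC00C is a compression pointer to the question name at offset 12
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + rr


def parse_reply(data: bytes):
    """Return (txid, is_response, answer_ip) from a reply built by build_reply."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    ip = socket.inet_ntoa(data[-4:]) if an == 1 else None
    return txid, bool(flags & 0x8000), ip


def reply_is_expected(sent_txid, sent_to, reply_from, data) -> bool:
    """The check a stateful filter makes before treating an inbound datagram on
    the ephemeral port as legitimate: it comes from the resolver we queried and
    carries the transaction id we chose. Anything else is unsolicited (or
    spoofed) and should be dropped, not handled as a server accept."""
    txid, is_response, _ = parse_reply(data)
    return is_response and txid == sent_txid and reply_from == sent_to


def run_exchange() -> dict:
    resolver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    resolver.bind(("127.0.0.1", 0))        # fake resolver, stands in for OpenDNS:53
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.bind(("127.0.0.1", 0))          # port 0: the kernel picks an ephemeral port
    resolver.settimeout(2)
    client.settimeout(2)
    try:
        txid = secrets.randbelow(0x10000)  # random txid, as a resolver must use
        client.sendto(build_query(txid, QNAME), resolver.getsockname())

        query, client_addr = resolver.recvfrom(512)
        # The resolver answers to the query's source address, i.e. the client's
        # ephemeral port. This is the datagram the host agent reports as
        # "accept a connection as a server on UDP port <ephemeral>".
        resolver.sendto(build_reply(query, ANSWER_IP), client_addr)

        data, reply_from = client.recvfrom(512)
        return {
            "client_port": client.getsockname()[1],
            "reply_dst_port": client_addr[1],
            "reply_from": reply_from,
            "answer": parse_reply(data)[2],
            "matched": reply_is_expected(txid, resolver.getsockname(), reply_from, data),
            # same packet with a txid we never sent: must be rejected
            "spoof_rejected": not reply_is_expected(txid ^ 1, resolver.getsockname(), reply_from, data),
        }
    finally:
        client.close()
        resolver.close()


if __name__ == "__main__":
    print(run_exchange())
```

    The practical consequence for the rule: what needs to be permitted is dns.exe initiating client connections to UDP/TCP 53 and receiving the matching replies, not dns.exe "accepting as server" on 30,000-65,000. Opening that whole range inbound would also let anyone send unsolicited datagrams to the resolver's ephemeral ports, which is the window a cache-poisoning attempt needs.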

  • CSA User authentication auditing rule and Policy conflicts

    Hi there
    We have CSA 5.2 in our environment and I created a custom policy and added the 'user authentication auditing' rule and enabled auditing failure events on a Windows XP machine, but I don't see any failure attempts in the CSA MC event log even though I tried to log on with invalid passwords. What could be the reason for this?
    Secondly, I was wondering what happens when I apply two policies. Are the policy settings added and applied to the group, or does one policy get priority over the other?
    Thanks for your answers
    Ahmed

    Have you checked the security event logs on the machines in question? If there are no events there, CSA cannot report them.
    That's where CSA gets the info and by default, there is no account auditing in Windows XP.
    You have to enable it either via group or local policy.
    Tom

  • CSA Rule Exception issue

    Is it possible, when creating an exception with the Rule Wizard, to not have it create a new rule module every time a rule is created?
    I would like to just add rules to an Exceptions policy that is applied to the group without it creating a new rule module every time.

    Hi Adam
    Yes, it says that in the user guide and I experienced the same thing when doing it.
    Part of the user guide seems a bit confusing to me though.
    The 1st statement on page 10-22 in the CSA 5.2 User guide is correct:
    You can create a new rule module (an "exception rule module") which
    would contain the new exception rule. (This is the default and recommended choice.)
    The 2nd statement is (I feel) incorrect:
    "This new module would be attached to a new exception policy which is then
    attached to the group(s) containing the host from which the event was received."
    I've done this several times and have yet to see it create a separate exception policy.
    And the 3rd statement is correct:
    "If you choose to create this exception module, all subsequent exception rules you
    create through the wizard will be added to the same exception module and policy
    if the group it is to be applied to is also the same. Therefore, a group could only
    have one exception policy, but contain an exception rule module with any number
    of exception allow rules created through the wizard."
    Tom

  • Removing deleted CSA Kits for faster rule generation

    I had to customize all the agent kits due to application requirements. However, I notice the deleted agent kits are still being compiled during a rule generation. Is there any way to purge them?

    Don't remove CSAAgentkit.exe though or you'll get an error when generating rules. I believe it's the base agent kit that custom kits are created with. You won't see it referenced during rule generation or listed in the kits.
    It would be safer to move them, not delete them. That way you can restore them quickly if there are problems.
    Sorry for any confusion,
    Tom

  • CSA causing BSOD - btaudio.sys

    Hey Guys,
    We're trying to build a new SOE, but on a laptop when you turn Bluetooth on/off we receive a Blue Screen of Death. With CSA uninstalled the error does not occur. With CSA turned off (right-clicked on the task bar) we still get a BSOD, so that kinda rules out any rules/policies.
    Any ideas without upgrading the server to version 5 or 6? I'm not confident with this software to upgrade.
    V4.5.1 build v657
    Thanks!

    btaudio.sys is part of the Bluetooth stack for Windows; it can be from WIDCOMM or a repackaged version from IBM/MS/Dell/HP, whatever. I would consider searching for BSOD in regards to the Bluetooth driver for that specific platform. Otherwise you are looking at a bug, which is not easily solved by changing rules in CSA. In 5.x there is a class called "only needing kernel protection", which sometimes can be used, but this sounds like a bad driver that tries to install itself in the same call tables as CSA and causes a BSOD, so looking into fixing the driver problem might be simpler and quicker than trying to fix CSA.

  • CSA 5.1 causes significant slowdown on Windows 2000 Server

    We have recently installed CSA 5.1 and agents on a bunch of Windows servers. All the shims are enabled and only the default policy for Windows agents is enabled.
    Applications which do FTP and move files from one folder to another, etc., are slowing down significantly.
    Processes that used to complete in 3 minutes are now taking more than 30 minutes to complete. All the policies and rules are in test mode.
    Should we fine-tune the rules first, or disable a couple of shims first, to see what is the cause of this slowdown? If we turn off CSA, processes run as normal.

    One thing you can try is removing the host from all groups. It will still be a member of the group.
    If that doesn't fix performance, remove all policies from the group (and attach them to another group to keep the rules in effect for other hosts) and see if that helps.
    This should tell you if it's the agent and\or shim causing the problem, or if a rule is doing it.
    Don't forget to move the policies back to the group when you are done.
    Tom

  • Is it necessary to have a MC for CSA for CallManager ?

    I would like to know if it is possible to install Cisco Security Agent on my CallManager without having a Management Center.
    If yes, what are the principal differences compared with using a Management Center?
    Thank you for your help.

    The only way to gain visibility to the Rules is to import them into a functioning CSA MC server.
    Here's the name of the most recent version of the exported rule set that is available at this location:
    http://www.cisco.com/kobayashi/sw-center/telephony/crypto/voice-apps/
    CiscoCM-CSA-4.0.3.728-1.1.10.export
    Cisco Security Agent (CSA) policy version 1.1(10) for CallManager releases 3.2(3), 3.3, 4.0 & 4.1. This policy is to be imported into the Managed Console version of the Agent.
    If you download the file, you can review the policy, which looks like it is in XML. However, the easiest way to read the policy would be to import the above export file into a CSA MC, which could be a fully licensed or evaluation version of the VMS product.
    Hope this helps,
    peter

  • CSA & Novell Client

    We run a Novell network and our primary authentication client is the Novell client. I've setup CSAMC v6 and have been tuning for the past couple of days.
    I seem to have a problem with the Novell client login script. Whenever I login, the search drives don't map. I get:
    FS-TBRHSC-ZEN
    LOGIN-LGNWNT32.DLL-890: The specified server is unknown.
    LOGIN-LGNWNT32.DLL-430: The following drive mapping operation could not be completed.
    [ROOT S16:=Z:=FS-TBRHSC-ZEN\SYS:PUBLIC]
    The error code was 8884.
    I've opened up TCP/524 and TCP/427 to all of our Novell servers with no results. I thought it might be ephemeral ports, so I opened them up as well.
    This is really frustrating the heck out of me. Does anyone have a solution?
    Ryan

    I have tuned Novell in CSA 4.0 and upgraded the rules to 6.0, and they seem stable. Please e-mail me at dhudson at hanover dot com, and I will send you an export of my Novell tuning...

  • CSA 6.0.1 Customizing Reports on Hosts Who Have Disabled Agents

    We set up a rule which asks the user to supply a reason when they disable the CSA Agent.
    Is there a way to customize a report to include the reason in a report?
    We want to generate a report weekly which would include the end user name and the reason they disabled the agent.
    Thanks.

    Thanks for that, I'm still looking for confirmation for the Unix side...

  • CSA : Cluster not started after installing CSA 6.0.0.209

    After installing CSA 6.0.0.209 on Win2003 Server,
    the cluster service is not started.
    The server said that the network connection service is not started.
    The CSA is registered in the Management Center.
    And the group is in LEARN MODE.
    What is the source of this problem?

    First off, do you get any events from that machine in the CSA MC? If not, does it solve the problem if you disable CSA and try to start the cluster service? If so, then you could have a deny rule that has no log (even though that is highly unlikely if you are using the default policies). Also, what clustering software are you using, Microsoft or some other 3rd-party software?
    Jan

  • CSA 4.5 MC db question

    Greeting all. I wanted to ask a question regarding information in a CSA 4.5 MC database.
    When I open the EventListView view, there's a column titled ButtonCode. Typical values are 0-4. Does anyone know what these values mean/represent?
    Thanks in advance.

    They are what the user chose when queried by a rule.
    I believe they are :
    1- Yes
    2- No
    3- Not sure as I didn't have any
    4- Terminate
    Tom S
