CSA Virus:Behavior.Excessive Policy Violations

Hi,
I have noticed a number of these surfacing in the quarantined applications.
Is there a way to tune this to prevent it from recurring across all of the desktops?
As far as I can tell these events are not being received by the CSA server, i.e. logging must be disabled for this event.

You need to find more information about why they are getting there, from the logs you should be getting some idea.
You can create a new group with no rules and just enable the log override for Log Set Actions, then apply this group to just one host where you are having the problem. This will give you all the logs for things like adding an application to an application class (untrusted, active network applications and so on), which would probably give you an idea of what is going on.
Few things to consider :
- Are they being marked as untrusted before all these multiple policy violations happen?
- Are they being installed by an install manager that hasn't been defined correctly in CSA?
- Is there an inventory tool scanning your PCs that hasn't been defined?

Similar Messages

  • Oracle Security : what do you think about the following policy violation ?

    If you install OEM10, you will be able to see if you violate some security guidelines :
    Interesting is revoking UTL_FILE from public, which is critical. Also revoke UTL_TCP and UTL_SMTP. This is going to upset an expert I know...
    Take care about the failed login attempts. If you set it to 10 to the default profile, and if your DBSNMP password is NOT the default password, then Oracle will lock your account after node discovery!
    In Solaris, you can disable execution of the user stack with the system parameters set noexec_user_stack=1
    set noexec_user_stack_log=1. I did not find how to do it on AIX. However, those settings may have side effects.
    About the ports, it complains about open ports, even if this is the port the Oracle listener is using! Simply ignore most of the violations there.
    About JAccelerator (NCOMP), it is located on the "companion" CD.
    Ok, Waiting for your feedback
    Regards
    Laurent
    Severity | Policy | Category | Target | Description
    [High] | Critical Patch Advisories for Oracle Homes | Configuration | Host | Checks Oracle Homes for missing critical patches
    [High] | Insufficient Number of Control Files | Configuration | Database | Checks for use of a single control file
    [High] | Open ports | Security | Host | Check for open ports
    [High] | Remote OS role | Security | Database | Check for insecure authentication of remote users (remote OS role)
    [High] | EXECUTE UTL_FILE privileges to PUBLIC | Security | Database | Test for PUBLIC having EXECUTE privilege on the UTL_FILE package
    [High] | Listener direct administration | Security | Listener | Ensure that listeners cannot be administered directly
    [High] | Remote OS authentication | Security | Database | Check for insecure authentication of remote users (remote OS authentication)
    [High] | Listener password | Security | Listener | Test for password-protected listeners
    [High] | HTTP Server Access Logging | Security | HTTP Server | Check that HTTP Server access logging is enabled
    [High] | Web Cache Access Logging | Security | Web Cache | Check that Web Cache access logging is enabled
    [High] | Web Cache Dummy wallet | Security | Web Cache | Check that dummy wallet is not used for production SSL load
    [High] | HTTP Server Dummy wallet | Security | HTTP Server | Check that dummy wallet is not used for production SSL load
    [High] | Web Cache owner and setuid bit | Security | Web Cache | Check that webcached binary is not owned by root and setuid is not set
    [High] | HTTP Server Owner and setuid bit | Security | HTTP Server | Check that the httpd binary is not owned by root and setuid bit is not set
    [High] | HTTP Server Directory Indexing | Security | HTTP Server | Check that Directory Indexing is disabled on this HTTP Server
    [High] | Insufficient Redo Log Size | Storage | Database | Checks for redo log files less than 1 Mb
    [Medium] | Insufficient Number of Redo Logs | Configuration | Database | Checks for use of less than three redo logs
    [Medium] | Invalid Objects | Objects | Database | Checks for invalid objects
    [Medium] | Insecure services | Security | Host | Check for insecure services
    [Medium] | DBSNMP privileges | Security | Database | Check that DBSNMP account has sufficient privileges to conduct all security tests
    [Medium] | Remote password file | Security | Database | Check for insecure authentication of remote users (remote password file)
    [Medium] | Default passwords | Security | Database | Test for known accounts having default passwords
    [Medium] | Unlimited login attempts | Security | Database | Check for limits on the number of failed login attempts
    [Medium] | Web Cache Writable files | Security | Web Cache | Check that there are no group or world writable files in the Document Root directory
    [Medium] | HTTP Server Writable files | Security | HTTP Server | Check that there are no group or world writable files in the Document Root directory
    [Medium] | Excessive PUBLIC EXECUTE privileges | Security | Database | Check for PUBLIC having EXECUTE privileges on powerful packages
    [Medium] | SYSTEM privileges to PUBLIC | Security | Database | Check for SYSTEM privileges granted to PUBLIC
    [Medium] | Well-known accounts | Security | Database | Test for accessibility of well-known accounts
    [Medium] | Execute Stack | Security | Host | Check for OS config parameter which enables execution of code on the user stack
    [Medium] | Use of Unlimited Autoextension | Storage | Database | Checks for tablespaces with at least one datafile whose size is unlimited
    [Informational] | Force Logging Disabled | Configuration | Database | When Data Guard Broker is being used, checks primary database for disabled force logging
    [Informational] | Not Using Spfile | Configuration | Database | Checks for spfile not being used
    [Informational] | Use of Non-Standard Initialization Parameters | Configuration | Database | Checks for use of non-standard initialization parameters
    [Informational] | Flash Recovery Area Location Not Set | Configuration | Database | Checks for flash recovery area not set
    [Informational] | Installation of JAccelerator (NCOMP) | Installation | Database | Checks for installation of JAccelerator (NCOMP) that improves Java Virtual Machine performance by running natively compiled (NCOMP) classes
    [Informational] | Listener logging status | Security | Listener | Test for logging status of listener instances
    [Informational] | Non-uniform Default Extent Size | Storage | Database | Checks for tablespaces with non-uniform default extent size
    [Informational] | Not Using Undo Space Management | Storage | Database | Checks for undo space management not being used
    [Informational] | Users with Permanent Tablespace as Temporary Tablespace | Storage | Database | Checks for users using a permanent tablespace as the temporary tablespace
    [Informational] | Rollback in SYSTEM Tablespace | Storage | Database | Checks for rollback segments in SYSTEM tablespace
    [Informational] | Non-System Data Segments in System Tablespaces | Storage | Database | Checks for data segments owned by non-system users located in tablespaces SYSTEM and SYSAUX
    [Informational] | Users with System Tablespace as Default Tablespace | Storage | Database | Checks for non-system users using SYSTEM or SYSAUX as the default tablespace
    [Informational] | Dictionary Managed Tablespaces | Storage | Database | Checks for dictionary managed tablespaces (other than SYSTEM and SYSAUX)
    [Informational] | Tablespaces Containing Rollback and Data Segments | Storage | Database | Checks for tablespaces containing both rollback (other than SYSTEM) and data segments
    [Informational] | Segments with Extent Growth Policy Violation | Storage | Database | Checks for segments in dictionary managed tablespaces (other than SYSTEM and SYSAUX) having irregular extent sizes and/or non-zero Percent Increase settings

    > Interesting is revoking UTL_FILE from public, which is critical. Also revoke UTL_TCP and UTL_SMTP. This is going to upset an expert I know...
    Okay, as this is (I think) aimed at me, I'll fall for it ;)
    What is the point of revoking UTL_FILE from PUBLIC? Yes I know what you think the point is, but without rights on an Oracle DIRECTORY being able to execute UTL_FILE is useless. Unless of course you're still using the init.ora parameter UTL_FILE_DIR=*, which I sincerely hope you're not.
    As for UTL_SMTP and UTL_TCP, I think whether a program is allowed to send e-mail to a given SMTP server is really in the remit of the e-mail administrator rather than the DBA.
    Look, DBAs are kings of their realm and can set their own rules. The rest of us have to live with them. A couple of years ago I worked a project where I was not allowed access to the USER_DUMP_DEST directory. So every time I generated a TRC file I had to phone up the DBA and a couple of hours later I got an e-mail with an attachment. Secure yes, but not very productive when I was trying to debug a Row Level Security implementation.
    I have worked on both sides of the DBA/Developer fence and I understand both sides of the argument. I think it is important for developers to document all the privileges necessary to make their app run. Maybe you don't have a better way of doing that than revoking privileges from PUBLIC. Or maybe you just want to generate additional communication with developers. That's fine. I know sometimes even DBAs get lonely.
    Cheers, APC

  • Could someone explain why default install has policy violations?

    Installed 11gR2 today. Totally default install - see my steps in the Installation forum - and immediately, EM is reporting 7 policy violations.
    Execute Privileges on DBMS_LOB to PUBLIC
    Profiles with Excessive Allowed Failed Login Attempts
    Restricted Privilege to Execute UTL_TCP
    Execute Privileges on UTL_FILE To PUBLIC
    Execute Privileges on DBMS_JOB to PUBLIC
    Restricted Privilege to Execute UTL_SMTP
    Restricted Privilege to Execute UTL_HTTP
    I wonder why these are not automatically closed on a new install.
    Backward compatibility doesn't really cut it in my mind - any DBA worth their salt would be closing those holes or explicitly enabling the privs with eyes wide open. I'd think, since they are listed as critical, these would simply be documented and closed by default - possibly with a script to reopen, just like the 'CONNECT/RESOURCE/DBA' roles were handled (at long last).
    Just wondrin'

    No but they have changed the default profile so that not everything is unlimited.
    Perhaps what we need is one more screen in the dbca during installation that gives the user the following choices:
    1) 12g Security: No CONNECT, RESOURCE, or DBA default roles, password_verify function installed, default auditing of sys, execute on risky packages, procedures, and functions not granted, etc. [DEFAULT]
    2) Legacy Security: Hope you're really comfortable with nothing but passwords
    Why make those who are trying to be responsible do all the heavy lifting? Force those that are willing to put their organizations at risk to make an explicit decision to do so.
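    The two threads above (the UTL_FILE / DIRECTORY exchange between Laurent and APC, and the list of PUBLIC EXECUTE grants flagged on a default 11gR2 install) both come down to the same administrative task: see what PUBLIC holds, replace the blanket grant with a role, and scope file access through a DIRECTORY object. The following is an added worked example, not code from either poster; it is written for SQL*Plus as a DBA user, and the role name app_file_io, the directory app_export_dir, its path and the application schema app_batch are assumptions.

```sql
-- Added example (not from the original posts): review and tighten PUBLIC EXECUTE
-- grants on the packages the 11gR2 default install flags. Run as a DBA user.
-- Names app_file_io, app_export_dir, /u01/app/exports and app_batch are assumed.

-- 1. What does PUBLIC currently hold on the flagged packages?
SELECT table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner   = 'SYS'
   AND table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_SMTP', 'UTL_HTTP',
                      'DBMS_LOB', 'DBMS_JOB')
 ORDER BY table_name;

-- 2. Replace the blanket PUBLIC grant with a role that only the accounts
--    needing file I/O receive.
CREATE ROLE app_file_io;
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;
GRANT EXECUTE ON sys.utl_file TO app_file_io;

-- 3. UTL_FILE is only usable against a DIRECTORY object (APC's point), so
--    scope file access to one path and grant it explicitly.
CREATE OR REPLACE DIRECTORY app_export_dir AS '/u01/app/exports';  -- assumed path
GRANT READ, WRITE ON DIRECTORY app_export_dir TO app_file_io;
GRANT app_file_io TO app_batch;   -- assumed application schema

-- 4. Confirm UTL_FILE_DIR is not set; a wildcard there bypasses DIRECTORY scoping.
SELECT name, value
  FROM v$parameter
 WHERE name = 'utl_file_dir';

-- 5. Re-run step 1: the PUBLIC row for UTL_FILE should no longer be returned.
```

    Two practical points: the same REVOKE/GRANT pattern applies to the other packages in the list, and Ronald's warning further down this page holds here too, because Oracle-supplied tools installed later may assume the default PUBLIC grants exist, so run the tool installation in a test database after tightening.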

  • Attachment type policy violation Action:deny

    Hi Folks, need some help, starting to get a little frustrated. So any input is appreciated. My organization is starting to deal with the government and will be sending large files via email. We use Exchange\Outlook 2010. I have tested from hotmail and get the same results. Here's what I see:
    Delivery Notification - file    The mesg or attach. did not reach... Reason: attachment type policy violation (/Analysis.exe)  NOTE: this changes depending on file
    Action:deny
    I have gone and increased all my message size limits to an incredibly large limit in the Send and Receive Connectors, Transport settings, just about any spot that has to do with a size limitation. Also added the site as a trusted site under Send conn. Still no luck. The government contact states it's our site, works fine with other ones. Any ideas??? Thanks in advance

    1-The error message above still says 'attachment type policy'. Can you tell what host rejected it from the message headers?
    2-If you truly think there is a size issue, create a file of a specific size using 'fsutil' and try to send it:
    10MB file: fsutil.exe file  createnew C:\temp\testfile2.txt 10000000
    Something else to remember is that conversion from Exchange format to an Internet standard inflates the message up to 30% (I forget what the technical aspects are, it was a while ago). The Internet standard appears to be 25MB these days (Google, Yahoo, etc.) so setting your Internet-bound Send Connector to 25MB may not work. My testing resulted in using 17MB on the Internet-bound Send Connector. This is for total message size, not individual attachments. If a message has three attachments of 6MB each it will work fine internally, but is rejected if it is sent to the Internet.

  • Wrong number of policy violations in Home tab

    We manually deleted entries in the mgmt_current_violation table. On the detail tab of policy violations, these entries are gone. But on the Home tab the number of policy violations is still the old one.
    Would be nice if someone can explain this to me.
    best regards
    sascha

    Andy,
    thanks for your reply. To answer your questions
    > I'm assuming that read rights have been granted.
    in fact read rights have been granted
    > For the GWChecks, please confirm that it was a Contents check/fix.
    yes, it was
    > Do you have regular GWChecks on Contents?
    Yes, we do process weekly contents checks every Sunday at 1:00 AM on the PO since we introduced GW in 2002.
    Today I found time to check some things out. I retracted the proxy rights on the computer of the affected user and reassigned them. I tried this several times with and without restarting the GW-Client as well as on my computer and on the computer of the affected user.
    The next thing I tried was assigning the proxy rights from another PC. I did not just grant read rights but all rights available and was successful: I saw every item in the mailbox and even the mailbox properties told me the number of items. For testing purposes I retracted the proxy rights and reassigned them again exactly as I did before and surprisingly did not succeed. I tried this several times, even with reduced (i.e. just read) rights, without any success.
    Next step was to analyze the rules on the account of the affected user. She has a long rule which finally says that mails received from or sent to special addresses should be marked 'private'.
    Finally I reassigned the rights again from another computer I hadn't used before and granted any rights available again. This method again was successful.
    The problem is that I don't know why... :-)
    Anyway - thanks again and a happy new year!
    Regards,
    jgoy

  • Policy Violation Details: Background Dump Destination

    OEM Grid Control 10.2.0.1.
    I have this policy violation:
    Ensures that access to the trace files directory is restricted to the owner of the Oracle software set and the DBA group.
    Here are my folder permissions:
    [oracle@dbdev juk_dev]$ pwd
    /opt/oracle/app/oracle/admin/juk_dev
    [oracle@dbdev juk_dev]$ ll
    total 32
    drwxr-xr-x 2 oracle oinstall 4096 Apr 30 17:26 bdump
    drwxr-xr-x 26 oracle oinstall 4096 Apr 23 14:29 cdump
    drwxr-xr-x 2 oracle oinstall 4096 Feb 19 16:01 create
    drwxr-xr-x 2 oracle oinstall 4096 Apr 18 15:43 dpdump
    drwxr-xr-x 2 oracle oinstall 4096 Feb 19 16:01 pfile
    drwxr-xr-x 2 oracle oinstall 12288 May 2 17:23 udump
    All I did was install Oracle using the documentation.
    chmod -R 775 /mount_point/app/oracle_sw_owner
    Is this the right command to restrict the rights for my trace files so OEM stops its alert?
    chmod -R o-rx /opt/oracle/app/oracle/admin/

    Yes, that's what OEM wants. It's unfortunate that an out-of-the-box install of Oracle creates a lot of these policy alerts.

  • Refreshing Policy Violations

    I have been running 10g with no problem. However, one item has me stumped. On the main page of the OEM is the Diagnostic Summary with All Policy Violations amongst other items. I have taken action on many of the violations days ago, but do not know how to refresh the data. Selecting the Refresh button next to the Page refreshed info does not affect the violations. Can I manually refresh this data? Do I submit a job to do that, and if so, what job? Thanks.
    -Philip

    Be careful with those modifications, Philip: Oracle warns about some privileges being granted, but when you install some Oracle tools in the database and those privileges are no longer there, the installation will fail because that same Oracle relies on their default existence.
    The events are scheduled, some have a more frequent schedule than others. Keep the database & dbconsole running and it will refresh.
    regards,
    Ronald
    http://homepage.mac.com/ik_zelf/oracle

  • How to remove out-of-the-box policy violation from Database Control

    Hi, I just installed a new Oracle 11g box with a new database created using DBCA with all the out-of-box settings.
    Using Database Control, I can see a lot of "policy violation" warnings etc. For example, one warning is "Control File Permission (Windows)". Apparently, it is complaining about the control file permission bits. So I go in and remove all permissions except for SYSTEM and the Oracle DBA group ORA_DBA (in Windows). Still it is complaining. How do I fix it?
    Thanks for any suggestion

    It should disappear after you have "completely" taken care of it. If you think you have, then you can use "Manage Policy Violations" to ignore and clear them. But do not do this if you have not taken care of it.

  • Fair usage policy violation blocking

    Dear Sir,
    This has reference to your e-mail dated August 17th 2014, regarding fair usage policy violation.
    This is to confirm that I am a law abiding citizen and I hereby also confirm that I have been using skype only for my personal, individual and non-commercial usage only.
    Under the circumstances, you are requested to kindly restart the blocked services forthwith and confirm.
    Thanking you,
    Yours faithfully,
    Hari1987

    VINCQ wrote:
    I got a mail about fair usage policy violation blocking. I wasn't sharing it and didn't use it commercially. How can I fix this problem?
    Hello and welcome to the Skype Community.
    You received this message because you have exceeded the call limits set out in this document:
    http://www.skype.com/en/legal/fair-usage/  
    please contact Skype customer service 
    TIME ZONE - US EASTERN. LOCATION - PHILADELPHIA, PA, USA.
    I recommend that you always run the latest Skype version: Windows & Mac
    If my advice helped to fix your issue please mark it as a solution to help others.
    Please note that I generally don't respond to unsolicited Private Messages. Thank you.

  • Clear policy Violation

    how to clear policy Violation in grid control??? any ideas?

    In part it is ok.
    I have Grid Control... my Oracle version is 10.2.0.4.
    I followed the steps:
    Target home page > Policy violations > Current > Violation Count
    but this does not delete the alerts, it only ignores them.
    And if there is more than 1, say 100 or more, you have to check them only 5 at a time to ignore.
    Any idea with a script???

  • Policy violations - SGA

    Hi,
    I must remove all policy violations after a fresh installation of Oracle 10g Database. I have 35 violations to remove and I can remove 30 easily but I don't know how to remove 4 of them.
    I spent a lot of time searching on internet/forums/etc. but didn't find anything on these 4 policy violations which concern the SGA.
    Here are 2 pictures in order to describe the problem.
    http://lapincubefreebox3.free.fr/violation_1.jpg
    http://lapincubefreebox3.free.fr/violation_2.jpg
    SGA configuration is the following :
    http://lapincubefreebox3.free.fr/sga.jpg
    I really don't know how to remove these violations.
    Any help will be appreciated. Thanks.

    It isn't really a violation as such.
    At 10g, SGA_MAX_SIZE and SGA_TARGET were introduced, which group all the individual SGA parameters together, like db_cache_size, java_pool_size etc. But you can still specify the size of each of the SGA pools if you want to.
    So it isn't really a violation, just an older way / fine-tuned way of doing it.
    Have a read up on the new parameters.
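    The reply above describes the 10g change: SGA_TARGET (bounded by SGA_MAX_SIZE) sizes the pools automatically, while the older per-pool parameters can still be set alongside it. The screenshots of the four violations are not reproduced on this page, so the example below is an added one, not the thread's own, and assumes the flagged policy concerns pools sized manually next to SGA_TARGET; it shows how to see which way the instance is configured and how to hand sizing over to SGA_TARGET. The 512M value is an assumption and must not exceed the instance's SGA_MAX_SIZE.

```sql
-- Added example (not from the original thread): inspect how the SGA is sized and
-- hand pool sizing to Automatic Shared Memory Management (10g SGA_TARGET).
-- Assumes the flagged policy concerns pools sized manually alongside SGA_TARGET.

-- 1. Umbrella parameters and individual pool parameters side by side.
--    ISDEFAULT = FALSE on a pool parameter means someone set it explicitly.
SELECT name, value, isdefault
  FROM v$parameter
 WHERE name IN ('sga_max_size', 'sga_target',
                'db_cache_size', 'shared_pool_size', 'large_pool_size',
                'java_pool_size', 'streams_pool_size')
 ORDER BY name;

-- 2. The sizes ASMM is actually using right now, and any user-specified floor.
SELECT component,
       current_size        / 1024 / 1024 AS current_mb,
       min_size            / 1024 / 1024 AS min_mb,
       user_specified_size / 1024 / 1024 AS user_mb
  FROM v$sga_dynamic_components
 ORDER BY component;

-- 3. Under ASMM a manually specified pool size acts as a floor, not a fixed size.
--    Setting the pool parameters to 0 lets SGA_TARGET size them.
--    SCOPE=BOTH applies now and persists in the spfile (an spfile must be in use;
--    a "Not Using Spfile" policy would need fixing first).
ALTER SYSTEM SET sga_target       = 512M SCOPE=BOTH;  -- assumed value, <= sga_max_size
ALTER SYSTEM SET db_cache_size    = 0    SCOPE=BOTH;
ALTER SYSTEM SET shared_pool_size = 0    SCOPE=BOTH;
ALTER SYSTEM SET large_pool_size  = 0    SCOPE=BOTH;
ALTER SYSTEM SET java_pool_size   = 0    SCOPE=BOTH;

-- 4. Re-run step 2: USER_MB should now be 0 for the pools released to ASMM.
```

    SGA_MAX_SIZE itself is static, so raising it requires a restart; and if step 1 shows the pool parameters already at their defaults, the four violations concern something else and the screenshots are what is needed to go further.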

  • Received" Fair usage policy violation warning" ema...

    I just received an email from [email protected],and the subject was Fair Usage policy violation warning. This is ludicrous! 
    Basically the email says that after spying on my account (well, they used the term "monitoring", which is ridiculous) they came to the conclusion that I was abusing the fair usage policy.
    Firstly I felt that my personal privacy was violated by being spied on by Skype;
    Secondly, the package I bought was 10000 mins phone to call worldwide. The reason why I purchased this particular package is because I was looking for a pair of Valentino lady heels, and in order to have a bigger chance of finding them, I would have to call up as many stores as I can. And since this is what the package offers, I don't see what's wrong with me calling all the boutiques and department store branches. What I don't understand is how calling stores in different locations could be judged as abusing the fair usage policy?
    This just became very personal. Also I think what Skype did, and the email going to lengths to explain their suspicion, is absolutely rude and absurd.
    I demand that Skype stop violating Skype users' personal privacy and spying on their accounts. There is so much software out there right now which would probably offer more service and respect for the consumer, and I'm sure Skype will lose more users if they keep on spying on our accounts.
    And I would really love to contact Skype customer service team over phonecall or email, unfortunately I've looked through SKype entire website,and there's no info related to that. If anyone knows how to contact Skype,do share please. I'll really appreciate that.
    Thanks in advance!

    I am using Skype Premium Credit which allows me to make unlimited calls from my mobile and laptop to 50 countries. Sometimes my wife uses my laptop to call my home country as well. Recently she went to Bangladesh and tried calling me from there a few times. She came back two weeks ago and now nobody uses it from outside Australia.
    But last week I received similar emails from Skype like yours, but I am not sure what they are identifying as fair use. I have read the fair use policy and I didn't do anything that contradicts the policy. I have tried to get a support-related email address from the Skype web site but failed. Is there anyone who knows any contact info so that we can raise the issue?
    Another friend of mine was saying that he first received an email from Skype warning him of a fair-use violation; he is on a 600 min per month subscription but hardly uses a few hundred min, and his service was terminated temporarily the next day.
    So if someone can tell us what is going on and why they are doing it.

  • OEM Security Policy Violation

    Hi,
    There are thousands of policy violations in my OEM page. Some are very old. I would like to clear those violations. Can somebody help me out?
    Also, what is the difference between suppressing the violations and clearing them?
    Can a script be written to clear the violations on a regular basis?
    Help would be much appreciated.

    I have Grid Control...my oracle version is 10.2.0.4..
    I followed the steps..
    Target home page > Policy violations > Current > Violation Count
    Clicked the link which took me to "policy violation details"
    This is what I have learnt so far... It seems we can manually clear the policy violation logs which are old enough, rather than waiting for the Default Evaluation to take place....
    I would like to know how it could be done...

  • Fair usage policy violation warning

    Would like to know how it is determined for a violation.
    Got an email on the subject line just now.
    To me, I am calling only the regular numbers, and in an emergency now, calls are frequent and lengthier. Most of the months so far my regular usage level is far below the minimum level and it can be verified.
    Let me know what the basis for the above notification is. Is it based on the number of minutes consumed?
    Awaiting the quick response to fix this!
    [Removed for privacy]


  • All Policy Violations/Space Violations

    hi forumers,
    is there a way to manually refresh Violation warnings in the OEM home page? I corrected the problems some 4 days ago, and the warnings are still there; however, when I navigate to the details, the links to problem objects are dead. But I am sure that not all of them...
    any known script, job, action?
    regards, S.

    This is definitely grid control and not database control?
    I don't understand what you mean: "so when i click on the "unrefreshed" links"
    Can you cut and paste what you're clicking on? These should be updated automatically, you cannot 'refresh' this.
    What port number are you using when using the console, and what is in the portlist.ini? The only reason I'm asking, is to check you're not viewing a cached version of the page.
    Well 4+ days could be correct if the frequency collection has been set that way!!! So instead of guessing, have a quick look through the documentation to find out where you check that. Clue, try clicking on the metric and policy settings link for the target in question...
