Troubleshoot if Endpoint Security blocks third-party applications
Technical Articles ID: KB88482
Last Modified: 2023-02-07 22:41:34 Etc/GMT
Environment
Endpoint Security (ENS) Adaptive Threat Protection (ATP) 10.x
ENS Firewall 10.x
ENS Threat Prevention 10.x
Problem
A third-party application stopped working after ENS was installed.
Cause
One of the ENS security features judged the application, or part of the application, as malicious or suspicious, and that judgment warranted containment or cleaning. The cause is likely one of the following ENS features. If you determine the application to be safe, you can exclude it from the ENS feature that is blocking it. The Solution sections in this article describe the features, how to identify the feature causing the issue, and the recommended resolutions.
Common module:
- Self-Protection
Threat Prevention module:
- Access Protection
- On-Access Scanner
- Exploit Prevention
- ScriptScan
Adaptive Threat Protection module:
- Dynamic Application Containment
- Real Protect
ENS Firewall can also block network traffic associated with the third-party application. It is important to properly tune the ENS Firewall configuration on the client to make sure that applications can perform the network traffic they require.
Firewall module:
- ENS Firewall
Solution 1: Common -> Self-Protection
Self-Protection provides security for files, folders, the registry, processes, and other items for ENS components. Like Access Protection, the protections are implemented using an underlying technology named Arbitrary Access Control (AAC).
How to determine whether Self-Protection is blocking the application
- The issue no longer occurs after you disable Self-Protection at Endpoint Security Common policy, Options Category, <policy name>, Show Advanced, Self-Protection, Enable Self-Protection.
- The SelfProtection_Activity.log indicates that the application was blocked from performing an operation, and that block resulted in a problem for the application.
How to prevent Self-Protection from blocking an application
- Add an exclusion for the process that Self-Protection is blocking.
- Disable Self-Protection (not recommended).
Solution 2: Threat Prevention -> Access Protection
Access Protection is a behavior-based technology that enforces a BLOCK on specific actions as defined in the enabled Access Protection rules. The scope of the feature includes processes, services, files, folders, registry keys, and values. (The capability of blocking TCP and UDP ports is in the Firewall module.) Like Self-Protection, Access Protection is enforced using an underlying technology named Arbitrary Access Control (AAC).
How to determine whether Access Protection is blocking the application
- The issue no longer occurs after disabling Access Protection at Endpoint Security Threat Prevention policy, Access Protection Category, <policy name>, Access Protection, Enable Access Protection.
- The AccessProtection_Activity.log indicates that the application was blocked from performing an operation (and that block resulted in a problem for the application).
How to prevent Access Protection from blocking an application
- Identify the Access Protection rule that the process violated, and exclude the process from that rule.
Solution 3: Threat Prevention -> On-Access Scanner
The on-access scanner (OAS) is the real-time scanner that runs continuously. It scans files as they are accessed for READ, or after they have been changed (WRITE). Some of the features that are part of Adaptive Threat Protection depend on the OAS settings. For example, Real Protect does not apply its additional scanning to a process that is excluded from OAS scanning.
How to determine whether the on-access scanner is blocking the application
- The issue no longer occurs after disabling the on-access scanner at Endpoint Security Threat Prevention policy, On-Access Scan Category, <policy name>, Enable On-Access Scan.
- The OnAccessScan_Activity.log contains detection information for the application or its files.
How to prevent the on-access scanner from blocking an application
- Add a file exclusion for the application or its files, such as excluding the folder containing those files.
- Run the GetClean tool; if it identifies the application or its files as items to submit to Trellix, submit those file details to Trellix.
Solution 4: Threat Prevention -> Exploit Prevention
Exploit Prevention protects programs against exploits where those programs might have vulnerable code. If you find this feature affects the behavior of a third-party application, it is likely that the third-party application contains exploit behavior such as executing code from read-only memory. So, even if you find a workaround to the symptom by disabling the feature or creating an exclusion, it is advisable to seek a long-term solution from the third-party application vendor. A long-term solution protects you from running potentially vulnerable code in your environment.
How to determine whether Exploit Prevention is blocking the application
- The issue no longer occurs after you disable one of the following Exploit Prevention features at Endpoint Security Threat Prevention policy, Exploit Prevention Category:
  - Generic Privilege Escalation Prevention (GPEP) - This feature is disabled by default.
  - Windows Data Execution Prevention (DEP) and DEP exclusions - DEP is disabled by default.
  - Signatures - Only High severity signatures are enabled by default.
  - Application Protection Rules - Explicitly named processes are monitored by default; you might have added other processes on your own.
- The ExploitPrevention_Activity.log indicates that the application was blocked.
How to prevent Exploit Prevention from blocking an application
- For Generic Privilege Escalation Prevention, disable the feature.
- For Windows Data Execution Prevention, add an exclusion for the process being monitored or disable DEP.
- For Signatures, set the relevant signature to Report only, or disable both Block and Report.
- For Application Protection Rules, disable the rule blocking the applicable process.
Solution 5: Threat Prevention -> ScriptScan
ScriptScan is applicable only if the affected process is Internet Explorer, or any add-ins or functionality that depends on Internet Explorer. A browser helper object is used to facilitate scanning of scripts that Internet Explorer loads.
How to determine whether ScriptScan is blocking the application
- The issue no longer occurs after disabling ScriptScan at Endpoint Security Threat Prevention policy, On-Access Scan Category, <policy name>, Enable ScriptScan.
How to prevent ScriptScan from blocking an application
- Exclude the URL or domain if the compatibility issue is specific to a certain URL or webpage.
- Disable ScriptScan.
Solution 6: Adaptive Threat Protection -> Dynamic Application Containment
Dynamic Application Containment (DAC) uses other behavior-based Access Protection rules to monitor a contained process. A contained process is one that has met the reputation score as configured for DAC, and that Threat Intelligence or other product functionality has advised DAC to contain. A DAC-contained process can be blocked because the DAC rules can prevent the process from performing certain activities. (Each DAC rule that is enabled defines these activities.)
How to determine whether Dynamic Application Containment is blocking the application
- Event ID 37275 "Application contained" is present in the ePolicy Orchestrator Threat Event log from the affected system, and found locally in the affected system's ENS console Event log.
- The DynamicApplicationContainment_Activity.log includes text indicating the application "was contained at the request of" a product or feature.
- The issue no longer occurs if DAC is configured to use Observe mode only at Endpoint Security Adaptive Threat Protection policy, Options Category, Action Enforcement section, Enable Observe mode. (Events are generated but policy is not enforced).
How to prevent Dynamic Application Containment from blocking an application
- Disable the applicable DAC rule, or deselect the "Block" option for that rule.
- Exclude the process in the DAC exclusion policy.
- Use the Threat Intelligence Exchange Server to manually set a known good reputation for the process.
Solution 7: Adaptive Threat Protection -> Real Protect
Real Protect provides post-execution analysis of a process, using client-based scanning, cloud-based scanning, or both. Based on its findings, it can convict the process as malware and then clean it.
How to determine whether Real Protect is blocking the application
- The issue no longer occurs after you disable the option "Enable client-based scanning" or "Enable cloud-based scanning" at Endpoint Security Adaptive Threat Protection policy, Options Category, Real Protect Scanning section.
- The AdaptiveThreatPrevention_Activity.log records a detection of the application (for example, Orchestrator.Action.Activity: Action Details: File: <file> , Mode: Enforce , Scanner: Real Protect Client , Reputation: <reputation> , ActionTaken: Clean).
- The AdaptiveThreatPrevention_Debug.log records a static detection of the application (for example, Orchestrator.RealProtectStatic.Debug: File: <file> : RP Static reputation <reputation 1> classification 1 silent 0 detection name <name> JCM reputation <reputation 2>; the important entry is the classification value of 1).
- The AdaptiveThreatPrevention_Debug.log records a cloud detection of the application (for example, Orchestrator.RepChangeListener.Debug: real protect cloud found <detection name> in process id <PID> , file <file>).
How to prevent Real Protect from blocking an application
- Use on-access scanner exclusions to exclude the files being detected.
NOTE: On-access scanner exclusions also prevent Adaptive Threat Protection from requesting Dynamic Application Containment to contain a process.
- Use Threat Intelligence Exchange Server to change the enterprise reputation for the files as appropriate.
- Use Threat Intelligence Exchange Server to add the certificate for the wanted files.
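To make the log checks from Solutions 6 and 7 repeatable across many endpoints, here is an added Python example (not code from this article or from Trellix) that matches the quoted DynamicApplicationContainment_Activity.log and AdaptiveThreatPrevention log signatures against one executable path and reports which feature has evidence against it. The sample lines and the path C:\Apps\Vendor\tool.exe are constructed for illustration, and the regexes assume the field layout shown in the article.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real ENS output), shaped after the log
# patterns this article quotes for Real Protect and DAC; APP is hypothetical.
APP = r"C:\Apps\Vendor\tool.exe"
SAMPLE_LOGS = {
    "AdaptiveThreatPrevention_Activity.log": [
        f"Orchestrator.Action.Activity: Action Details: File: {APP} , Mode: Enforce , Scanner: Real Protect Client , Reputation: 15 , ActionTaken: Clean",
    ],
    "AdaptiveThreatPrevention_Debug.log": [
        f"Orchestrator.RealProtectStatic.Debug: File: {APP} : RP Static reputation 15 classification 1 silent 0 detection name RealProtect-constructed JCM reputation 50",
        r"Orchestrator.RealProtectStatic.Debug: File: C:\Apps\Other\ok.exe : RP Static reputation 70 classification 0 silent 0 detection name none JCM reputation 70",
        f"Orchestrator.RepChangeListener.Debug: real protect cloud found RealProtect-constructed in process id 4120 , file {APP}",
    ],
    "DynamicApplicationContainment_Activity.log": [
        f"{APP} was contained at the request of Adaptive Threat Protection",
    ],
}

# (log file, ENS feature, regex) for each log signature the article describes.
PATTERNS = [
    ("AdaptiveThreatPrevention_Activity.log", "Real Protect",
     re.compile(r"Orchestrator\.Action\.Activity:.*?File: (?P<file>.+?) ,.*?ActionTaken: (?P<action>\w+)")),
    ("AdaptiveThreatPrevention_Debug.log", "Real Protect",
     re.compile(r"Orchestrator\.RealProtectStatic\.Debug: File: (?P<file>.+?) : RP Static reputation \S+ classification (?P<cls>\d+)")),
    ("AdaptiveThreatPrevention_Debug.log", "Real Protect",
     re.compile(r"Orchestrator\.RepChangeListener\.Debug: real protect cloud found .+? in process id \d+ , file (?P<file>.+)$")),
    ("DynamicApplicationContainment_Activity.log", "Dynamic Application Containment",
     re.compile(r"^(?P<file>.+?) was contained at the request of (?P<requester>.+)$")),
]


def triage(logs, app_path):
    """Return {feature: [matching lines]} for log lines that implicate app_path."""
    found = defaultdict(list)
    target = app_path.lower()
    for log_name, feature, pattern in PATTERNS:
        for line in logs.get(log_name, []):
            m = pattern.search(line)
            if not m or m.group("file").strip().lower() != target:
                continue
            # The article notes that only a static classification of 1 is a detection.
            if "cls" in m.groupdict() and m.group("cls") != "1":
                continue
            found[feature].append(line)
    return dict(found)
```

Feed it the real log files by reading each file into a list of lines under the same keys; an empty result for a feature means the corresponding Solution section does not apply.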