Kaseya Community

Application Blocker

  • I was hoping appl block list(s) would be directly integrated into our VSAs, as opposed to a forum post. That way we could all choose whether we want to use these centralized block lists simply by checking a box in our VSAs. "Set it and forget it"...

    But a sub-forum would be a nice way to do it while we wait for Kaseya to integrate it directly into the core product.

    thirteentwenty
    Couldn't we do that with the forum? If we could get a "sub-forum" kind of thing going on like in the scripts area, we could get some great monitoring/scripting/whatevers going on... the hard part would be the moderating of it...


    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: ReedMikel
  • I like this idea.

    Testing it now on our test environment.

    One question: I can't find where to report on what applications have been blocked. I get an email notification at the time, and would like to then report monthly on what has been stopped from running.

    I'm guessing it's in Reports>Logs>Alarm Log>Protection Violations.

    However, when I run it, I get nothing showing up, even though I have been testing it and should have a dozen or more listings there.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Commander
  • ReedMikel
    I was hoping appl block list(s) would be directly integrated into our VSAs, as opposed to a forum post. That way we could all choose whether we want to use these centralized block lists simply by checking a box in our VSAs. "Set it and forget it"...

    But a sub-forum would be a nice way to do it while we wait for Kaseya to integrate it directly into the core product.


    Ahh a set it and forget it deal would be nice... But my angle was looking at the fact that we're using it so we could post to the forums... and do our thing... ideally a combination of the two would be sweet!

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: thirteentwenty
  • Commander
    I like this idea.

    Testing it now on our test environment.

    One question: I can't find where to report on what applications have been blocked. I get an email notification at the time, and would like to then report monthly on what has been stopped from running.

    I'm guessing it's in Reports>Logs>Alarm Log>Protection Violations.

    However, when I run it, I get nothing showing up, even though I have been testing it and should have a dozen or more listings there.


    Sorry, just read your post.

    I use Reports>Logs>Alarm Log>*protection* and get the results that I need... give that a whirl and lemme know!

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: thirteentwenty
  • Awesome thread!

    Is there a way to import a whole list of applications, or do they have to be added one at a time?

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Interprom
  • thirteentwenty
    Sorry, just read your post.

    I use Reports>Logs>Alarm Log>*protection* and get the results that I need... give that a whirl and lemme know!


    Whirled away, doesn't appear to be working for me, any ideas?

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Commander
  • I wish I knew of a way. I manually input the list...

    Interprom
    Awesome thread!

    Is there a way to import a whole list of applications, or do they have to be added one at a time?


    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: ReedMikel
  • ReedMikel
    I wish I knew of a way. I manually input the list...


    Yea, that part is not pretty, but if you set up a template, you only need to add them once. I was planning on poking around the agent config files or the DB to see if there was another way to do that... lol.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: jknott
    I think it's in the kaseyaFW.ini file in the agent install dir.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: thirteentwenty
  • Commander
    Whirled away, doesn't appear to be working for me, any ideas?


    Response from Kaseya Support:

    Thank You for contacting Kaseya Support.

    Please run a "File Access" Report available in the Reports > Machine Summary > File Access.


    However, I'm getting an error:

    Microsoft JScript runtime error '800a138f'
    Object expected

    /ReportsTab/runAgentReport.asp, line 1348


    Will see what they say.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Commander
  • thirteentwenty
    Excellent advice... but in one case, at least for us (and this just happened a few days ago), we had to let a few computers burn in the depths of mal/spy/ad-ware with naughty pop-ups on a publicly visible computer to drive the point home for one client. After the sales rep had that "I told you so" conversation we were allowed to go in and remove local admin access on the majority of the machines/users.

    Those who are left in that group need it for specific applications that require local admin rights. Be mindful of these types of applications. They suck :(


    In most cases we are giving our domain user group or the local group Authenticated Users write access to c:\program files\%application install folder% and to HKLM\Software\%application settings key% for any apps that cause trouble, and that solves the problem. Everyone gets membership to the local machine group Users and that's it. We can use AD policy to mandate who is in which local security groups on every machine in an OU. Currently we are working through the OUs and are about 50% done. I got sick of asking vendors to tell me what settings we needed to run software properly, so we are just going this way with it and have only struck one app so far (it's a Chinese one with no support) that wants to write a temp file to the root of C: - for that we gave the users write access explicitly to the root. If you think you've seen malware, try operating in China.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: GEL-boy
  • I discovered something interesting after copying the suggested list of files to block into Application Blocker for a virtual PC running XP SP3: even though this machine is clean, when I scan it with MalwareBytes software, I get lots of "protection violation..." alerts from my KServer, such as:

    Protection violation occurred on vpc-xpsp3.compusolve at Dec 4 2009 1:54PM.

    File access to C:\Documents and Settings\Davy Black\Application Data\seres.exe has been denied to mbam


    I know this virtual machine is clean - and the files do not exist. I think MalwareBytes scans for threats by performing directory lookups for known "bad" files. Even though the file does not exist, simply testing for its presence causes the Application Blocker to generate an exception/alert.

    This is going to generate a lot of false alerts during scans. Probably does not matter what AVAS package one uses, as I'd bet they all scan for known filenames the same way.

    More bad news: Application Blocker seems to have caused MBAM.exe (MalwareBytes scanner) to stall, as it never completed and still shows in Task Manager hours later. I guess I'll have to remove all blocked applications on a machine before scanning - what a PITA :(

    Can anybody confirm this behavior?

    FYI I ran my MBAM script to test the latest version of MB, v1.42. I think I'll try the prior version too and make sure it chokes under Application Blocker.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: ReedMikel
  • Yes, I've seen the false positives caused by application blocker, both with KES and MalwareBytes.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: rkniffin
    Seems like a catch-22: if we disable Appl Blocker then malware might get launched. If we leave Appl Blocker on, no antivirus/antimalware software can repair the threats :(

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: ReedMikel
  • ReedMikel
    Seems like a catch-22: if we disable Appl Blocker then malware might get launched. If we leave Appl Blocker on, no antivirus/antimalware software can repair the threats :(


    I have seen false positives from MBAM, in fact, every time it scans, it lights up like a Christmas tree, not sure if this is by design or what, but those files don't actually exist, so disregard. If you see the protection violations prior to scanning, that'd be the time to act.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: jknott
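Two things come up repeatedly in this thread: Commander wants a monthly report of what Application Blocker stopped, and ReedMikel and jknott point out that a scanner such as MBAM trips the rule simply by looking for a known-bad filename, so those alerts should be separated from a real launch attempt. The script below is an added example, not Kaseya's code and not something from the thread: it parses the two-line "Protection violation" alert text in the format quoted above, tags each alert as a scanner probe or a blocked launch by the name of the denied process, and rolls the result up per month. The hostnames, user name, file names and the `KNOWN_SCANNERS` list are constructed for the example; put your own scanner process names in that set.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Process names (lower-case, no extension) that are expected to probe for
# known-bad filenames while scanning.  Assumed list for this example; extend
# it with whatever AV/AS tools run on your agents.
KNOWN_SCANNERS = {"mbam"}

# Constructed sample of KServer alert e-mail text.  The two-line layout follows
# the example quoted in the thread; hosts, user and file names are made up.
SAMPLE_ALERTS = r"""
Protection violation occurred on vpc-xpsp3.example at Dec 4 2009 1:54PM.
File access to C:\Documents and Settings\Test User\Application Data\seres.exe has been denied to mbam
Protection violation occurred on vpc-xpsp3.example at Dec 4 2009 1:55PM.
File access to C:\Windows\System32\drivers\bad-driver.sys has been denied to mbam
Protection violation occurred on ws-reception.example at Dec 9 2009 9:12AM.
File access to C:\Documents and Settings\Test User\Local Settings\Temp\seres.exe has been denied to explorer
Protection violation occurred on ws-reception.example at Jan 5 2010 4:40PM.
File access to C:\Documents and Settings\Test User\Application Data\seres.exe has been denied to cmd
"""

HEADER_RE = re.compile(r"^Protection violation occurred on (?P<host>\S+) at (?P<when>.+?)\.$")
DETAIL_RE = re.compile(r"^File access to (?P<path>.+?) has been denied to (?P<process>\S+)$")


def parse_alerts(text):
    """Pair each 'Protection violation occurred ...' header with the
    'File access to ...' line that follows it and return a list of dicts."""
    alerts = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            pending = {
                "host": m.group("host"),
                # e.g. "Dec 4 2009 1:54PM"
                "when": datetime.strptime(m.group("when"), "%b %d %Y %I:%M%p"),
            }
            continue
        m = DETAIL_RE.match(line)
        if m and pending is not None:
            pending["path"] = m.group("path")
            pending["process"] = m.group("process").lower()
            alerts.append(pending)
            pending = None
    return alerts


def classify(alert, scanners=KNOWN_SCANNERS):
    """'scanner-probe' when a known scanner tripped the rule just by checking
    whether a blocked file exists (the false-positive case in the thread);
    'blocked-launch' for anything else, which is the case to act on."""
    proc = alert["process"]
    if proc.endswith(".exe"):
        proc = proc[:-4]
    return "scanner-probe" if proc in scanners else "blocked-launch"


def monthly_report(alerts, scanners=KNOWN_SCANNERS):
    """Counts per calendar month and category, e.g.
    report['2009-12']['blocked-launch'] -> 1."""
    report = defaultdict(Counter)
    for a in alerts:
        report[a["when"].strftime("%Y-%m")][classify(a, scanners)] += 1
    return report


def needs_attention(alerts, scanners=KNOWN_SCANNERS):
    """Alerts not attributable to a scanner: a real process tried to open a
    blocked file outside of a scan window."""
    return [a for a in alerts if classify(a, scanners) == "blocked-launch"]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for month, counts in sorted(monthly_report(parsed).items()):
        print(month, dict(counts))
    for a in needs_attention(parsed):
        print("ACT:", a["host"], a["when"], a["process"], "->", a["path"])
```

Feed it the saved alert e-mails (or the text of the Alarm Log export) instead of `SAMPLE_ALERTS`; the per-month counters give the report Commander was after, and `needs_attention` lists only the hits that did not come from a scanner, which matches jknott's rule that a violation seen outside a scan is the one to act on. Classifying by process name is deliberately simple: a scanner name can be spoofed, so treat the tag as a triage hint and correlate with the scan schedule rather than as a verdict.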