Cisco Security Agent Kernel-only Protection Configuration Example

Document ID: 68251

Updated: Jan 26, 2006

Introduction

This document demonstrates how to resolve certain interoperability issues between applications and Cisco Security Agent 4.5. Cisco Security Agent functions as a host intrusion prevention system by intercepting access to the local file system and other system components, so that a process that behaves maliciously is detected and blocked.

Occasionally, an application might not function properly while Cisco Security Agent is installed. The typical symptoms are that the application does not launch, or that it launches and then exits unexpectedly, while no corresponding events appear in the event log and the problem persists even when the agent is placed in test mode. Because test mode only stops rules from being enforced, this combination indicates that the application does not tolerate the user-mode hooks the agent loads into it, rather than that a policy rule denies it.

This document explains how to create an exception for such an application. For the trusted applications you specify, and only for them, the agent removes its user-mode hooks (the COM component and buffer overflow protections) while kernel-level protection remains in place, so the level of security on the rest of the host is not reduced. Because the excepted processes themselves lose part of their protection, apply the exception only to applications you trust and only on the hosts that need it.

Prerequisites

Requirements

Ensure that you meet this requirement before you attempt this configuration:

  • Ensure that you have full administrative access rights on the Cisco Security Agent Management Center (CSA MC). This allows you to view all application classes, including the built-in classes that are shown only in Show All mode. See the Obtain Full Administrative Rights section of this document for instructions.

Components Used

The information in this document is based on Cisco Security Agent 4.5.0.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Obtain Full Administrative Rights

Complete these steps to obtain full administrative rights.

  1. Select Maintenance > Admin Preferences.

    kernel-only-protect-csa-1.gif

  2. Click Advanced.

    kernel-only-protect-csa-2.gif

  3. Under Apply these preferences to the following selected administrators, highlight admin.

    kernel-only-protect-csa-3.gif

  4. Click Save.

Configure

Complete these steps to configure an exception for a specific application to run alongside Cisco Security Agent.

  1. Create a new application class.

  2. Create a new rule module.

  3. Create a new policy.

  4. Create a new group.

  5. Link the hosts to the new group.

  6. Generate rules.

  7. Poll for new rules.

Step 1: Create a New Application Class

Complete these steps:

  1. On the CSA MC, select Configuration > Applications > Application Classes [Windows] and click New.

    kernel-only-protect-csa-4.gif

  2. Specify a name and description for this application class.

    This name and description should reflect the application for which you create the exception.

    kernel-only-protect-csa-5.gif

  3. Select the Operating System type that the application runs on and check Display only in Show All mode.

    kernel-only-protect-csa-6.gif

  4. Leave the default radio button, when created from one of the following executables, selected. This makes the class a static application class whose membership is defined by the executables you list.

  5. Specify all the executables that belong to the application, including any helper processes the application launches. An executable that is not listed here is not part of the class, keeps the full set of user-mode hooks, and can still fail.

    kernel-only-protect-csa-7.gif

  6. Click Save.

Step 2: Create a New Rule Module

Complete these steps:

  1. Select Configuration > Rule Modules > Rule Modules [Windows] and click New.

    kernel-only-protect-csa-8.gif

  2. Specify a name and description for this rule module.

    kernel-only-protect-csa-9.gif

  3. Leave the rest at the default settings and click Save.

  4. Click Modify rules.

    kernel-only-protect-csa-10.gif

  5. Click Add rule and select Application Control.

    kernel-only-protect-csa-11.gif

  6. Specify a name and description for this rule and check Enabled.

    kernel-only-protect-csa-12.gif

  7. Set the rule action so that the matching processes are added to the built-in <Processes requiring Kernel Only Protection> application class:

    kernel-only-protect-csa-13.gif

    Then specify which applications attempt to run: the executables of the application for which you create the exception, that is, the ones listed in the application class from Step 1:

    kernel-only-protect-csa-14.gif

    kernel-only-protect-csa-15.gif

  8. Click Save.

Step 3: Create a New Policy

Complete these steps:

  1. Select Configuration > Policies and click New.

  2. Specify a name and description for this policy.

    kernel-only-protect-csa-16.gif

  3. Select Windows as the Target Architecture.

    kernel-only-protect-csa-17.gif

  4. Click Save.

  5. Click Modify rule module associations.

    kernel-only-protect-csa-18.gif

  6. In the left-hand pane, locate the rule module you created in Step 2 and click Add to move it to the right-hand pane.

    kernel-only-protect-csa-19.gif

Step 4: Create a New Group

Complete these steps:

  1. Select Systems > Groups and click New.

  2. Select Windows as your Target Architecture.

    kernel-only-protect-csa-20.gif

  3. Specify a name and description for this group.

    kernel-only-protect-csa-21.gif

  4. Leave the rest of the configuration at the default values.

  5. Click Save.

  6. Click Modify policy associations.

    kernel-only-protect-csa-22.gif

  7. In the left-hand pane, locate the policy you created in Step 3 and click Add to move it to the right-hand pane.

    kernel-only-protect-csa-23.gif

Step 5: Link the Hosts to a New Group

Complete these steps:

  1. Select Systems > Groups and locate the group you created under the set of Windows groups.

  2. Click Modify host membership.

    kernel-only-protect-csa-24.gif

  3. In the left-hand pane, locate the hosts that run the application for which you are creating the kernel-only exception and click Add to move them to the right-hand pane. Optionally, use Bulk transfer to add a large number of hosts to the group at once. Add only the hosts that need the exception; every host in this group runs the application with reduced protection.

    kernel-only-protect-csa-25.gif

Step 6: Generate Rules

Complete these steps:

  1. Click Generate Rules.

  2. Click Generate.

Step 7: Poll for New Rules

Complete these steps:

  1. After rule generation completes, go to the host on which the application runs.

    In this example, this is the host that has trouble running XYZ.exe.

  2. Double click on the Cisco Security Agent flag located in your system tray, or select Start > Programs > Cisco Security Agent > Cisco Security Agent.

  3. Highlight Status in the navigation tree in the left hand panel and click Poll.

  4. Verify that the last poll time is properly updated.

    kernel-only-protect-csa-26.gif

Verify

Invoke the application on the host. It should now launch and keep running alongside Cisco Security Agent.
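To verify the result consistently, for instance on every host you added to the group, the following script is an added example and is not part of the Cisco document. It launches the application, waits a grace period and reports whether the process failed to start, exited early (and with which exit code) or is still running, which is the symptom this page describes. It assumes Python 3 on the host and that the application can be started from the command line; the path to XYZ.exe is a placeholder.

```python
"""Launch an application and report whether it survives a grace period.

Added example for checking the symptom described on this page (the program
starts and then exits on its own) before and after the kernel-only exception
is deployed. This is not Cisco code; the XYZ.exe path is a placeholder.
"""
import subprocess
import sys
import time
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class LaunchResult:
    status: str                # "failed_to_start", "exited" or "running"
    returncode: Optional[int]  # set only when status == "exited"
    elapsed: float             # seconds until exit, or the full grace period
    error: str = ""            # OS error text when the launch itself failed


def launch_and_watch(cmd: Sequence[str], grace_seconds: float = 10.0,
                     poll_interval: float = 0.25,
                     kill_if_running: bool = False) -> LaunchResult:
    """Start cmd and poll it until it exits or grace_seconds elapse.

    A process that is still alive after the grace period counts as a
    successful launch. kill_if_running=True tears it down afterwards so the
    check can run unattended.
    """
    start = time.monotonic()
    try:
        proc = subprocess.Popen(list(cmd), stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL)
    except OSError as exc:          # missing executable, access denied, ...
        return LaunchResult("failed_to_start", None, 0.0, str(exc))

    while True:
        rc = proc.poll()
        elapsed = time.monotonic() - start
        if rc is not None:          # exited (or was terminated) on its own
            return LaunchResult("exited", rc, elapsed)
        if elapsed >= grace_seconds:
            break
        time.sleep(poll_interval)

    if kill_if_running:
        proc.terminate()
        try:
            proc.wait(timeout=5)
        except subprocess.TimeoutExpired:
            proc.kill()
            proc.wait()
    return LaunchResult("running", None, elapsed)


def describe(result: LaunchResult) -> str:
    """One-line verdict suitable for a log or a report across hosts."""
    if result.status == "failed_to_start":
        return f"FAIL: could not start ({result.error})"
    if result.status == "exited":
        return (f"FAIL: exited after {result.elapsed:.1f}s with code "
                f"{result.returncode} (check the agent event log, then "
                f"confirm the host polled the new rules)")
    return f"OK: still running after {result.elapsed:.1f}s"


if __name__ == "__main__":
    # Usage: python check_launch.py C:\path\to\XYZ.exe [args...]
    app = sys.argv[1:] or [r"C:\Program Files\XYZ\XYZ.exe"]  # placeholder
    print(describe(launch_and_watch(app, grace_seconds=15,
                                    kill_if_running=True)))
```

Run it once before the rules are polled to record the failure, and again afterwards; a host that still reports an early exit most likely has not received the new rules yet or runs an executable that was not listed in the application class.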

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.
