If an application is blocked, do the following to resolve the issue:

- Check the Block Event from any of the following:
- Identify the blocked application.
  You may also need to check with the user how these files behave or work. A file can be an installer or a child file of a parent application that is not on the Approved List, so there may be a special setting or configuration that supports this kind of file behavior.
- Check the Event ID.
  The Event ID directly tells you which StellarEnforce feature performed the blocking. Event IDs and their definitions can be found in the TXSE Administrator Guide.
- Mitigate through Issue Isolation.
  Based on the identified Event ID, you can quickly tell which feature causes the blocking and perform isolation from there. This temporarily mitigates the issue to ensure continuity of operations.
  An example of Issue Isolation: Event ID 2513 is for processes blocked by Fileless Attack Prevention. You can temporarily turn off this feature to mitigate the problem while you work out, in later steps, how to configure it properly for the customer's environment.
- Select an available method or feature to manage or mitigate unwanted block events. Now that you have identified the blocked application and the feature that performs the blocking, use one of the many StellarEnforce features to manage the blocked application.
Approved List Management Features

| Feature | Description |
| --- | --- |
| Maintenance Mode | Allows the user to select a period during which the TXSE Agent allows all file executions and adds all files that are created, executed, or modified to the Approved List. |
| Trusted Updater | Automatically adds files created or modified by a selected application installer. |
| Predefined Trusted Updater | Automatically adds files created or modified by a selected object. The object may be a process, a file, or a folder and its subfolders. |
| Trusted Hash | Allows a file to be added to the Approved List based on its hash. |
| Trusted Certificate | Allows a file to be added to the Approved List based on its certificate. |

Other Settings

| Feature | Description |
| --- | --- |
| Intelligent Runtime Learning | Allows applications on the Approved List to create or load random DLLs at run time without being blocked. |
| Windows Update Support | When enabled, automatically adds the files updated by Windows Update to the Approved List. |
| Fileless Attack Prevention | Detects and blocks unapproved process chains and arguments that may lead to a fileless attack event. |

Please check the TXSE Administrator Guide for full details.
- Check the Block Events again if the issue persists. After reconfiguration, keep refining the configuration until all unwanted block events are cleared.
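The steps above (identify the blocked file, map the Event ID to the blocking feature, isolate, then pick a management feature) lend themselves to a small triage script when an agent produces many block events. The following is an added example, not code from this article or from TXOne StellarEnforce: the CSV export layout, the `signer` and `launched_by_installer` columns, the sample rows and the placeholder Event ID 9999 are all constructed for illustration, and SHA-256 for the Trusted Hash value is an assumption (use whatever algorithm the console asks for). Only the mapping of Event ID 2513 to Fileless Attack Prevention comes from the article; every other ID is reported as "unknown" so that you look it up in the TXSE Administrator Guide rather than guess.

```python
"""Triage helper for StellarEnforce block events.

Added example: this is not code from the KB article or from the product.
The export layout (CSV columns below), the sample rows, Event ID 9999 and
the "signer"/"launched_by_installer" fields are constructed for
illustration. Only Event ID 2513 = Fileless Attack Prevention comes from
the article; any other ID must be looked up in the TXSE Administrator Guide.
"""
import csv
import hashlib
import io
from collections import Counter

# The only Event ID -> feature mapping the article states.
KNOWN_EVENT_IDS = {2513: "Fileless Attack Prevention"}
UNKNOWN_FEATURE = "unknown: look up this Event ID in the TXSE Administrator Guide"

# Constructed sample export (hypothetical column layout, placeholder ID 9999).
SAMPLE_EXPORT = """time,event_id,file,signer,launched_by_installer
2024-05-01T08:00:00,2513,C:\\Windows\\System32\\cmd.exe,,no
2024-05-01T08:05:12,2513,C:\\Windows\\System32\\cmd.exe,,no
2024-05-01T08:07:30,9999,C:\\Temp\\vendor_tool.exe,Vendor Ltd,no
2024-05-01T08:09:01,9999,C:\\Temp\\setup_child.dll,,yes
2024-05-01T08:11:45,9999,C:\\Temp\\script_host.exe,,no
"""


def parse_events(export_text):
    """Step 1: parse the CSV export into a list of event dicts."""
    events = []
    for row in csv.DictReader(io.StringIO(export_text)):
        events.append({
            "time": row["time"],
            "event_id": int(row["event_id"]),
            "file": row["file"],
            "signer": row["signer"] or None,
            "from_installer": row["launched_by_installer"].strip().lower() == "yes",
        })
    return events


def feature_for(event_id):
    """Step 2: map the Event ID to the StellarEnforce feature that blocked it."""
    return KNOWN_EVENT_IDS.get(event_id, UNKNOWN_FEATURE)


def recommend(event):
    """Steps 3-4: isolation for Fileless Attack Prevention, otherwise the
    Approved List management feature that fits how the file arrived."""
    if event["event_id"] == 2513:
        # Issue Isolation from the article: disable the feature only to restore
        # operations, then configure it properly for the environment.
        return "isolate: temporarily disable Fileless Attack Prevention, then tune it"
    if event["from_installer"]:
        return "Trusted Updater: files created/modified by the installer are auto-approved"
    if event["signer"]:
        return "Trusted Certificate: approve by the signing certificate"
    return "Trusted Hash: approve this exact file by hash"


def triage(export_text):
    """Summarise an export: counts per Event ID, unknown IDs, one action per (file, ID)."""
    events = parse_events(export_text)
    counts = Counter(e["event_id"] for e in events)
    unknown_ids = sorted(i for i in counts if i not in KNOWN_EVENT_IDS)
    actions, seen = [], set()
    for e in events:
        key = (e["file"], e["event_id"])
        if key in seen:
            continue  # repeated blocks of the same file need only one decision
        seen.add(key)
        actions.append({
            "file": e["file"],
            "event_id": e["event_id"],
            "feature": feature_for(e["event_id"]),
            "action": recommend(e),
        })
    return {"counts": counts, "unknown_ids": unknown_ids, "actions": actions}


def trusted_hash_value(file_bytes):
    """Hash to enter for a Trusted Hash entry (SHA-256 is an assumption here)."""
    return hashlib.sha256(file_bytes).hexdigest()


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    for event_id, n in sorted(result["counts"].items()):
        print(f"Event ID {event_id}: {n} block(s) -> {feature_for(event_id)}")
    for a in result["actions"]:
        print(f"{a['file']}: {a['action']}")
    if result["unknown_ids"]:
        print("Look up in the TXSE Administrator Guide:", result["unknown_ids"])
```

Run it as a script to get one line per distinct blocked file with the suggested management feature; the de-duplication on (file, Event ID) matters because a single misconfigured feature typically produces the same block many times, and you want one decision per file rather than one per event. Re-run it over a fresh export after each reconfiguration (the article's last step) until the action list is empty.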