Software that is allowed by the Certified Safe Software List (CSSL) is blocked by the Lockdown rule. This can happen when the SHA-1 hash of the installation files that the installer extracts into the user profile temp folder (e.g. %TEMP%) is neither in the CSSL pattern nor in the agent's local inventory scan database. As a result, the software cannot be installed.
The CSSL pattern contains known-good application hashes sourced directly from the software vendors. Trend Micro automates the harvesting of software patches from the different vendors into its database, but some applications are still processed manually. Despite the effort to keep the CSSL pattern up to date, some hashes can be missed. Installation files are the most common case: their SHA-1 hash values vary from one installer package to the next, and the extracted files are deleted during or immediately after installation, so they are hard to harvest.
Use these steps if the blocked installation files are DLLs. Refer to the Blocking Methods documentation for the difference between the blocking methods.
- Log on to the Application Control Management Console.
- Go to Management > Policies.
- Click the policy that triggers the Lockdown rule to open the Policy Edit screen.
- Click the Rules section and enable "Use the more compatible, less feature-rich, user-level blocking method."
- Click Save to apply and deploy the new settings to the endpoints.
To get the complete list of the applications caught by the Lockdown rule, enable Log-only mode. Then run the software installation on an endpoint so that the AC agent sends the blocked application events to the backend server. From those events you can generate a SHA-1 hash list for an Allow rule.
- Enable Log-only mode on the Lockdown rule. Follow KB 1117252 to do this. You may duplicate the policy, enable Log-only mode on the copy, and assign the copy only to specific endpoint(s) that serve as test devices on which to run the software installer.
- Log on to the Application Control Management Console and go to Logs > Query. Select Policy Actions as the log type to query.
- Use the AND operator to filter the columns on the applicable policy and the rule triggered. Add more AND conditions, or use NOT, to narrow the result so that only the events of the software installer are displayed.
- Click the column settings and choose Select columns...
- Deselect all columns except SHA-1 Hash Value and Full Path. Click Save.
- Click Export As and choose CSV or XLSX. Convert the file to .TXT following the steps below:
- Create an Allow rule and choose Match using SHA-1 hash values.
- Click +Add Hash Values and select Import from executable file or ZIP.
- Browse to the .TXT file saved in the previous step to import the hash list into the rule.
- Click Rule Options and enable "Full - All SHA-1 hash values in the list". Click Save to apply the settings.
- Add this rule to the policy that triggers the Lockdown rule, then run the software installer again to verify that it installs successfully.
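The following PowerShell script is an added example for this article; it is not part of the article or of the Application Control product. It automates the hash-list preparation described in the steps above: it reads the CSV exported from Logs > Query, keeps the SHA-1 Hash Value column, drops malformed and duplicate entries, and writes one hash per line to a .TXT file for the Allow rule. It also shows how to snapshot the SHA-1 hashes of the files an installer extracts to %TEMP% while the installer is still running, because, as noted above, those files are deleted after installation and are the ones most often missing from the CSSL pattern. Assumptions that the article does not state: the exported column headers are exactly "SHA-1 Hash Value" and "Full Path" (an XLSX export must first be saved as CSV), the hash import accepts a plain text file with one SHA-1 value per line, and the function names and the -PathFilter parameter are the example's own.

```powershell
# Added example, not code from the Trend Micro KB article or the Application Control product.
# Assumptions not stated in the article:
# - the exported Policy Actions log is a CSV whose remaining columns are headed
#   "SHA-1 Hash Value" and "Full Path" (save an XLSX export as CSV first);
# - the Allow rule's hash import accepts a plain text file with one SHA-1 value per line.

function Write-HashList {
    # Writes unique, well-formed SHA-1 values (40 hex digits), one per line, sorted.
    param(
        [Parameter(Mandatory)] [AllowNull()] [AllowEmptyCollection()] [string[]] $Hashes,
        [Parameter(Mandatory)] [string] $OutputTxt
    )
    $seen = [System.Collections.Generic.SortedSet[string]]::new()
    foreach ($h in $Hashes) {
        $h = ([string] $h).Trim().ToUpperInvariant()
        # Skip blanks and anything that is not a SHA-1 hex digest.
        if ($h -match '^[0-9A-F]{40}$') { [void] $seen.Add($h) }
    }
    if ($seen.Count -eq 0) {
        Write-Warning "No valid SHA-1 values found; nothing written."
        return
    }
    # Absolute path for the .NET call; File.WriteAllLines writes UTF-8 without BOM.
    $full  = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutputTxt)
    $lines = [string[]] $seen
    [System.IO.File]::WriteAllLines($full, $lines)
    Write-Host ("{0} unique SHA-1 values written to {1}" -f $lines.Count, $full)
    return $lines
}

function ConvertTo-HashList {
    # Turns the exported log (Logs > Query, log type Policy Actions) into the .TXT hash list.
    param(
        [Parameter(Mandatory)] [string] $ExportedCsv,   # file exported with "Export As" > CSV
        [Parameter(Mandatory)] [string] $OutputTxt,     # text file to import into the Allow rule
        [string] $PathFilter                            # optional substring of Full Path, e.g. 'AppData\Local\Temp'
    )
    $rows = Import-Csv -Path $ExportedCsv
    if ($PathFilter) {
        # Narrow to the installer's extraction folder so unrelated blocked files caught in
        # Log-only mode are not allowed by accident.
        $rows = $rows | Where-Object { ([string] $_.'Full Path') -like "*$PathFilter*" }
    }
    $hashes = @($rows | ForEach-Object { [string] $_.'SHA-1 Hash Value' })
    Write-HashList -Hashes $hashes -OutputTxt $OutputTxt
}

function Get-ExtractedFileHashes {
    # Snapshots SHA-1 hashes of files an installer has dropped into a temp folder.
    # Run it while the installer is still open (e.g. paused at its first dialog),
    # because the extracted files are deleted during or right after installation.
    param(
        [string]   $Folder  = $env:TEMP,
        [string[]] $Include = @('*.exe', '*.dll', '*.msi', '*.sys', '*.ocx')
    )
    Get-ChildItem -Path $Folder -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA1 |
        Select-Object Hash, Path
}

# Usage, after exporting the filtered log to .\PolicyActions.csv:
#   ConvertTo-HashList -ExportedCsv .\PolicyActions.csv -OutputTxt .\installer-hashes.txt -PathFilter 'AppData\Local\Temp'
# Or capture the hashes directly while setup.exe is paused at its first dialog:
#   $snap = Get-ExtractedFileHashes -Folder $env:TEMP
#   Write-HashList -Hashes $snap.Hash -OutputTxt .\installer-hashes.txt
```

Use -PathFilter to restrict the list to the installer's extraction folder, so that the Allow rule does not silently allow unrelated events that happened to be captured while the policy was in Log-only mode. The resulting list covers only the installer package you tested: when the vendor ships a new version, the extracted file hashes change, and the list has to be regenerated.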
Assign a MEDIUM trust level to the software installer (e.g. setup.exe) so that the sub-applications and processes it spawns during installation are allowed to execute. After installation, the installed application launches under the CSSL rule rather than through the trusted source, which in this case is setup.exe.
Refer to the Trusted Source documentation to learn how to use this feature.
You may temporarily disable the Lockdown rule to allow the software to be installed. This method triggers an inventory scan on the target endpoints, because the Lockdown rule has to be re-applied after the software has been installed successfully. Follow Option 2: Remove the Lockdown Rule in KB 1117252 to do this.