Installation of software with a Certified Safe Software List (CSSL) Allow Rule is being blocked in Endpoint Application Control (EAC) 2.0

    • Updated: 2 May 2017
    • Product/Version: Endpoint Application Control 2.0
    • Platform: Windows All
Summary

Software allowed via CSSL is being blocked by the Lockdown rule. This can happen if the SHA-1 hash of installation files extracted to the user profile temp folder (e.g. %TEMP%) is in neither the CSSL pattern nor the agent's local inventory scan database.

As a result, the software cannot be installed.

The CSSL pattern contains known good application hashes sourced directly from the software vendor. Trend Micro automates the harvesting of all software patches from different vendors into our database, but some applications are processed manually. Despite the effort to keep our CSSL pattern up to date, some hashes may be missed, particularly those of installation files, because their SHA-1 hash values vary and the files are removed immediately during or after installation of the software.

Details

Use these steps if the blocked installation files are DLLs. Click here to learn more about Blocking Methods.

  1. Log on to the Application Control Management Console.
  2. Go to Management Policies.
  3. Click the policy that triggers the Lockdown rule to open the Policy Edit screen.
  4. Click the Rules section and enable "Use the more compatible, less feature-rich, user-level blocking method."

  5. Click Save to apply and deploy the new settings to the endpoints.

To get the complete list of the applications caught by the Lockdown rule, it is suggested that you enable Log-only mode. Then run the software installation on an endpoint so that the AC Agent sends the blocked application incidents to the backend server, where you can use them to generate a SHA-1 hash list.

  1. Set the Lockdown rule to Log-only mode. Follow KB 1117252 to do this.
    You may choose to duplicate the policy and enable Log-only mode in the copy. Then configure that policy to apply only to specific endpoint(s) used as test devices for running the software installer.
  2. Log on to the Application Control Management Console and go to the Logs Query page. Select Policy Actions as the log type to query.

  3. Select the AND operator to filter the columns with the applicable policy and the rule triggered.

    Add more AND operators, or use NOT, for a more specific filter result that displays only the events of the software installer.
  4. Click the column settings and choose Select columns...

  5. Deselect all columns leaving only the SHA-1 Hash Value and Full Path selected. Click Save.

  6. Click Export As and choose CSV or XLSX. Convert the file to .TXT following the steps below:
    1. Edit the file with MS Excel and remove the column names SHA-1 Hash Value and Full Path.

    2. Save the file as Text (MS-DOS)(*.txt).

    3. Open the text file using Notepad. It should look like the following:

  7. Create an Allow rule and choose Match using SHA-1 hash values.

  8. Click +Add Hash Values and select Import from executable file or ZIP.

  9. Browse to the file saved in Step 6-b to import the hash list into the rule.

  10. Click Rule Options and enable the Full - All SHA-1 hash values in the list option. Click Save to apply the settings.

  11. Add this rule to the applicable policy that triggers the Lockdown rule, and run the software installer again to verify if it successfully installs or not.
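
Step 6 can also be scripted, which makes it easier to review the export before anything is allow-listed. The following is an added example, not Trend Micro code: it assumes the CSV carries the two columns named in step 5, produces the tab-delimited layout that Excel's Text (MS-DOS) format writes, and treats AppData\Local\Temp as the %TEMP% location; the function name and the sample rows are constructed for illustration.

```python
import csv
import io
import re

SHA1_RE = re.compile(r"[0-9a-fA-F]{40}")
HASH_COL, PATH_COL = "SHA-1 Hash Value", "Full Path"  # column names from step 5

# Constructed sample export: placeholder hashes and made-up paths, not real log data.
SAMPLE_EXPORT = """SHA-1 Hash Value,Full Path
2fd4e1c67a2d28fced849ee1bb76e7391b93eb12,C:\\Users\\alice\\AppData\\Local\\Temp\\is-A1B2C.tmp\\setup.tmp
DE9F2C7FD25E1B3AFAD3E85A0BD17D9B100DB4B3,C:\\Users\\alice\\AppData\\Local\\Temp\\{7C1A}\\helper.dll
2FD4E1C67A2D28FCED849EE1BB76E7391B93EB12,C:\\Users\\alice\\AppData\\Local\\Temp\\is-A1B2C.tmp\\setup.tmp
da39a3ee5e6b4b0d3255bfef95601890afd80709,C:\\Users\\alice\\Downloads\\unrelated.exe
not-a-hash,C:\\Users\\alice\\AppData\\Local\\Temp\\broken.dll
"""


def build_hash_list(export_text, allowed_dir="\\appdata\\local\\temp\\"):
    """Return (lines, rejected).

    lines    -- headerless 'HASH<TAB>PATH' strings, one per unique hash
    rejected -- (row_number, reason) for every row kept out of the list
    allowed_dir is an assumption: the default per-user %TEMP% location.
    """
    lines, rejected, seen = [], [], set()
    reader = csv.DictReader(io.StringIO(export_text))
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header
        digest = (row.get(HASH_COL) or "").strip()
        path = (row.get(PATH_COL) or "").strip()
        if not SHA1_RE.fullmatch(digest):
            rejected.append((row_no, "not a 40-hex-digit SHA-1"))
        elif allowed_dir not in path.lower():
            # Log-only mode records everything the Lockdown rule matched,
            # not only the installer's files; keep the rest out of the rule.
            rejected.append((row_no, "path outside the installer temp folder"))
        elif digest.upper() in seen:
            rejected.append((row_no, "duplicate hash"))
        else:
            seen.add(digest.upper())
            lines.append(f"{digest}\t{path}")
    return lines, rejected


if __name__ == "__main__":
    hash_lines, skipped = build_hash_list(SAMPLE_EXPORT)
    print("\r\n".join(hash_lines))
    for row_no, reason in skipped:
        print(f"row {row_no}: skipped ({reason})")
```

Rows reported as skipped are the ones to check by hand before widening the Allow rule. Compare the generated lines with the layout shown in your console's documentation before importing them.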

Assign a MEDIUM Trust Level to the software installer (e.g. setup.exe) to allow sub-application/processes to execute during installation. After installation, the application will be able to launch under the CSSL rule and not through the trusted source, which is the setup.exe in this case.

Click here to learn how to use the Trusted Source feature.

You may choose to temporarily disable the Lockdown rule to allow the software to be installed. This method triggers an inventory scan on the target endpoints, since it involves re-applying the Lockdown rule after you have successfully installed the software. Follow Option 2: Remove the Lockdown Rule in KB 1117252 to do this.

Disable the AC Agent to prevent it from blocking applications while installing software. To do this, follow KB 1117276.

Category: Configure; Troubleshoot
Solution Id: 1117238