1 Reply Latest reply on Apr 24, 2020 1:58 PM by Steve Gibbs

    Testing "Whitelist" Op Rule Step (v12.9.0.2)

    Steve Gibbs

      Good day all,

       

      I will be testing the Op Rule Step "Whitelist" and wanted to see if anyone else has either tested already or is using this step in a production environment.  Here is what I will attempt to try:

       

      • Using Direct Access > Process Management - I saved the view as a CSV file
      • Removed all but the first column and removed duplicates
      • Copied the first column and pasted into notepad
      • Used that data and saved to local test device

       

      Before I apply and assign it to a device, I am asking whether I may be shooting myself in the foot here... Did I add too many items to the list below? Any input would be greatly appreciated.

       

      Whitelist.txt

      Dwm.exe
      Explorer.EXE
      LogonUI.exe
      Tomcat8.exe
      Tomcat8w.exe
      VGAuthService.exe
      conhost.exe
      csrss.exe
      dllhost.exe
      fdhost.exe
      fdlauncher.exe
      jusched.exe
      lsass.exe
      lsm.exe
      msdtc.exe
      mtxagent.exe
      mtxdaproxy.exe
      mtxopswatproxy.exe
      rdpclip.exe
      service.exe
      services.exe
      smss.exe
      spoolsv.exe
      sqlbrowser.exe
      sqlservr.exe
      sqlwriter.exe
      svchost.exe
      taskhost.exe
      unsecapp.exe
      vmacthlp.exe
      vmtoolsd.exe
      vmtoolsd.exe
      wa_3rd_party_host_32.exe
      wininit.exe
      winlogon.exe
      winlogon.exe
      wmiprvse.exe

        • 1. Re: Testing "Whitelist" Op Rule Step (v12.9.0.2)
          Steve Gibbs

          Follow up:

           

          I assigned Op Rule Step and it does work and it does not blow up my device. I did include a lot of processes that are default processes but better safe than sorry.

           

          I first set the option to run every 600 seconds from the default value of 30 seconds in the step GUI. I set it to run just once.  It worked and closed apps that were not on the list in the text file. I later discovered that the rule is removed automatically from the timer.

           

          I learned that the rule needs to run on a regular schedule; I set it to every 5 minutes and limited it to 10 executions during my testing. It was sporadic in when it would kill the process. Sometimes the process ran for up to 5 minutes even though I had set it to check every 30 seconds in later tests.

           

          I suggest that it be tested thoroughly because even though I added a domain user to be excluded, it still killed the process.  I used domain\username in the first test, and when reviewing the task manager list, the user was listed without the domain.  I tested by launching notepad and running it as a different user, and for some reason it still killed that notepad, which I was hoping it would not.

           

          Here are the log entries:

          Log Entries

          20/04/24 12:36:10 OperationalRules                 I   [2872] Set RunPhase for rule Gibbs003-Whitelist

          2020/04/24 12:36:10 OperationalRules                 I   [2872] OpStep executing processwhitelist.chl

          2020/04/24 12:36:11 OperationalRules                 I   [2872] Compiling C:/Program Files/BMC Software/Client Management/Client/data/OperationalRules/scripts/processwhitelist/a61187763dd39bef6ac719d962c3d889/processwhitelist.chl

          2020/04/24 12:36:11 OperationalRules                 I   [3960] Sending status _STATUS_EXECUTEDOK_ for Rule Gibbs003-Whitelist

          2020/04/24 12:36:11 OperationalRules                 I   [2872] Script C:/Program Files/BMC Software/Client Management/Client/data/OperationalRules/scripts/processwhitelist/a61187763dd39bef6ac719d962c3d889/processwhitelist.chl returned 0

          2020/04/24 12:36:11 OperationalRules                 I   [2872] Reset steps status for rule Gibbs003-Whitelist

          2020/04/24 12:36:11 AsynchronousActions              I   [2948] Queuing action V64DbOpRuleSetStatus (OpRule Gibbs003-Whitelist for device AGENT_87D7D39D1532464945B741A0F8D2C599: status is _STATUS_EXECUTEDOK_) to call on device 'MASTER'

          2020/04/24 12:36:11 AsynchronousActions              I   [4488] Propagating call of action V64DbOpRuleSetStatus (OpRule Gibbs003-Whitelist for device AGENT_87D7D39D1532464945B741A0F8D2C599: status is _STATUS_EXECUTEDOK_) to host '0001CE1CC46B5C475EC4F757A8E2DFE7049B' (url: '10.9.1.21:1610')

          2020/04/24 12:36:11 Timer                            I   [2872] No need to echo 'OperationalRules_Gibbs003-Whitelist_7520083322860C6E7D79595193580129'

          2020/04/24 12:36:11 Timer                            I   [2872] Deactivating 'OperationalRules_Gibbs003-Whitelist_7520083322860C6E7D79595193580129' (count to deactivation)

          2020/04/24 12:36:12 Timer                            I   [2872] Removing 'OperationalRules_Gibbs003-Whitelist_7520083322860C6E7D79595193580129' (remove once disabled)

           

          So now you have more info if you wish to use either the Black List or White List steps.

           

          Steve
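Added example, not code from the original post and not BMC Client Management's own implementation: a dry run of what the thread describes the Whitelist step doing (ending any process whose image name is not in the list), so a list built from a CSV export can be checked on a workstation before the rule is assigned to a device. It also shows why the domain\username vs. bare username mismatch reported in the follow-up matters when an excluded-user list is compared against what the agent sees. Assumptions, all labelled in the code: the export's first column is the process name, image names match case-insensitively, the excluded-user comparison should accept both DOMAIN\user and bare user spellings, and the CSV and task-manager snapshot are constructed sample data, not from the poster's device.

```python
"""Dry run of a process whitelist before assigning it to a device.

Added example, not BMC Client Management code. It models the behaviour the
thread describes (processes not on the list get ended) so the list can be
reviewed for duplicates and for unintended kills before any rule is assigned.
Assumptions: the first CSV column is the process name, matching is
case-insensitive on the image name, and excluded users may be written either
as DOMAIN\\user or as a bare user name (the follow-up reports the agent
listing users without the domain).
"""
import csv
import io

# Constructed sample of a "Saved View" CSV export; only the first column is used.
# Deliberately contains case and exact duplicates, as a real export would.
SAMPLE_CSV = r"""Process Name,PID,User,Memory
svchost.exe,812,SYSTEM,12000
Explorer.EXE,2200,CORP\sgibbs,45000
explorer.exe,2201,CORP\sgibbs,45000
vmtoolsd.exe,1400,SYSTEM,9000
vmtoolsd.exe,1401,CORP\sgibbs,9000
lsass.exe,700,SYSTEM,6000
"""

# Constructed task-manager style snapshot: (image name, pid, owner).
# Note the agent-style bare user name on notepad.exe.
RUNNING = [
    ("svchost.exe", 812, "SYSTEM"),
    ("explorer.exe", 2200, "CORP\\sgibbs"),
    ("notepad.exe", 3100, "testuser"),
    ("calc.exe", 3200, "CORP\\sgibbs"),
    ("TrustedInstaller.exe", 900, "SYSTEM"),
]


def whitelist_from_csv(text):
    """Return (unique names, duplicates) from the first column.

    Deduplication is case-insensitive so Explorer.EXE and explorer.exe count
    once; the first spelling seen is kept. Duplicates are returned so the
    reviewer can see what the export contained."""
    reader = csv.reader(io.StringIO(text))
    next(reader, None)  # skip the export's header row (assumed present)
    seen = {}
    duplicates = []
    for row in reader:
        if not row or not row[0].strip():
            continue
        name = row[0].strip()
        key = name.lower()
        if key in seen:
            duplicates.append(name)
        else:
            seen[key] = name
    return sorted(seen.values(), key=str.lower), duplicates


def normalize_user(user):
    """Reduce DOMAIN\\user, user@domain or bare user to a lower-case user name.

    Assumption: this is how an excluded-user list should be compared, given
    the thread's report that the agent lists users without the domain."""
    user = user.strip().lower()
    if "\\" in user:
        user = user.rsplit("\\", 1)[1]
    if "@" in user:
        user = user.split("@", 1)[0]
    return user


def would_be_ended(running, whitelist, excluded_users=()):
    """Simulate the step: return the (name, pid, user) tuples the rule would end.

    A process survives if its image name is on the whitelist or its owner is
    on the excluded-user list (compared via normalize_user)."""
    allowed = {name.lower() for name in whitelist}
    excluded = {normalize_user(u) for u in excluded_users}
    return [
        proc for proc in running
        if proc[0].lower() not in allowed
        and normalize_user(proc[2]) not in excluded
    ]


if __name__ == "__main__":
    names, dups = whitelist_from_csv(SAMPLE_CSV)
    print("whitelist:", names)
    print("duplicates dropped from export:", dups)
    for proc in would_be_ended(RUNNING, names, excluded_users=["CORP\\testuser"]):
        print("would be ended:", proc)
```

Running it lists the deduplicated whitelist, the duplicate rows the export contained, and the processes in the snapshot that the list would end (here calc.exe and TrustedInstaller.exe, while notepad.exe survives because its bare owner name "testuser" matches the excluded "CORP\testuser" after normalization). Whether the real step compares users that way is exactly what the follow-up says needs testing; the simulation only makes the expected outcome explicit before the rule is assigned.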