App Control: Analyzing Execution Blocks With OneDrive

Environment

  • App Control Agent:  Versions 8.1 and Higher
  • App Control Console: All Supported Versions

Symptoms

  • Still analyzing blocks for OneDrive

Cause

  • Known issue where Microsoft OneDrive application binaries are blocked, agent unable to analyze

Resolution

  • Add the file exclusion below as a workaround to resolve the blocks:
  1. Log into the console and navigate to the Agent Config page: https://<servername>/agent_config.php
  2. Click on the + Add Agent Config button
  3. Property Name: Workaround EP-11127 OneDrive Issue
  4. Host ID: 0
  5. Value: kernelFileOpExclusions=*\appdata\local\microsoft\onedrive\*.dll:2097151
  6. Status: enabled
  7. Click Save

Additional Notes

  • As of writing this is slated to be addressed in Agent version 8.7.0.
  • Kernel exclusions (kernelProcessExclusions / kernelFileOpExclusions) are configuration rules applied to the App Control driver component, which executes in kernel space. They exclude specific operations processed by the driver, selected either by file type or by operation. Kernel exclusions are ordinarily used for performance reasons or for interoperability with other programs.
  • The exclusion above tells the Agent to ignore .dll files under the \appdata\local\microsoft\onedrive\* directory; it does not cover other file types there or .dll files elsewhere.
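To check how far the workaround value actually reaches before enabling it, here is an added Python helper (not part of this article or of App Control) that splits a kernelFileOpExclusions entry into its pattern and numeric suffix and glob-matches candidate paths against it. It assumes the value is shaped as key=pattern[:flags], that the numeric suffix is an opaque flags value (the article does not define it), and that the pattern is a case-insensitive glob in which * may span directory separators; the sample paths are constructed.

```python
import fnmatch
import re

# Constructed from the article's workaround value
ONEDRIVE_EXCLUSION = r"kernelFileOpExclusions=*\appdata\local\microsoft\onedrive\*.dll:2097151"

# pattern, optionally followed by ':' and an all-digit flags suffix
_VALUE_RE = re.compile(r"^(?P<pattern>.*?)(?::(?P<flags>\d+))?$")


def parse_exclusion(value: str):
    """Split 'key=pattern[:flags]' into (key, pattern, flags).

    The trailing numeric suffix is assumed to be an opaque flags value and is
    returned as an int (None when absent).  A drive-letter colon inside the
    pattern is not mistaken for the separator, since only an all-digit
    suffix counts.
    """
    key, sep, rest = value.partition("=")
    if not sep:
        raise ValueError(f"expected key=value, got {value!r}")
    m = _VALUE_RE.match(rest)
    flags = m.group("flags")
    return key.strip(), m.group("pattern"), int(flags) if flags else None


def _normalize(path: str) -> str:
    # Windows paths are case-insensitive; accept '/' as well as '\'.
    return path.replace("/", "\\").lower()


def path_is_excluded(pattern: str, path: str) -> bool:
    """Glob-match one path against an exclusion pattern (assumed semantics)."""
    return fnmatch.fnmatchcase(_normalize(path), _normalize(pattern))


def excluded_subset(value: str, paths):
    """Return only the paths the exclusion covers, to review its real scope."""
    _, pattern, _ = parse_exclusion(value)
    return [p for p in paths if path_is_excluded(pattern, p)]


if __name__ == "__main__":
    sample = [  # constructed sample paths
        r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\21.123.0613.0001\FileSyncShell64.dll",
        r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        r"C:\Users\alice\AppData\Local\Temp\helper.dll",
        r"C:\Windows\System32\ntdll.dll",
    ]
    for p in excluded_subset(ONEDRIVE_EXCLUSION, sample):
        print("excluded:", p)
```

Only the first sample path is reported as excluded: the .exe in the same folder and the .dll files outside the OneDrive folder stay subject to normal analysis.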

Article Information
Creation Date: 07-29-2021