Environment
- App Control Agent: All Supported Versions
- Microsoft Windows: All Supported Versions
Objective
How to collect diagnostics for unexpected rule behavior, such as an Execution Block for a file that is specified in an Allow Execute Rule.
Resolution
- For rules that are User/Group specific: Log in as that user for the reproduction. Also run the following command as that user and provide the output to the case:
whoami /user /groups > "%userprofile%\Desktop\whoami.txt"
- Launch an administrative command prompt and issue the following commands:
cd "C:\Program Files (x86)\Bit9\Parity Agent"
dascli password GlobalCLIPassword
dascli flushlogs
dascli resetcounters
dascli debuglevel 6
dascli kerneltrace 5 -1 (Note: there is a space between the 5 and the -1)
dascli setconfigprop kernelVerboseLogPattern=*<filenameorpathhere>* (Example: dascli setconfigprop kernelVerboseLogPattern=*blocked.dll*)
sc control parity 128
- Reproduce the issue being reported.
- Capture the logs and reduce the logging levels:
dascli capture "%userprofile%\Desktop\%computername%.zip"
dascli password GlobalCLIPassword
dascli debuglevel 0
dascli kerneltrace 2
dascli setconfigprop kernelVerboseLogPattern=""
- Collect a CSV export of the Events reported by the Agent in the Console by going to: Reports > Events.
- Set the Saved View & Group By to (none)
- Set the Max Age accordingly.
- Be sure the Columns: Installer, Process, Rule Name, and User are included in the Columns.
- Set the Filter to the relevant Source (Computer).
- Click Export to CSV.
- Provide a full screenshot of the entire Custom Rule, including all fields/sections.
- Upload all data collected to the Vault.
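The agent-side steps above (raising the logging levels, reproducing, capturing, and lowering the levels again) can be run as one script. The following batch file is an added example, not part of this article or the App Control product; it assumes the default agent install path shown above and passes the dascli arguments exactly as listed in the steps.

```batch
@echo off
REM Added example (not from the article): runs the dascli collection steps in order.
REM Usage: collect_rule_diag.bat <filename-or-path-fragment>
REM   e.g. collect_rule_diag.bat blocked.dll
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<filename-or-path-fragment^>
    exit /b 1
)
set "PATTERN=%~1"
set "OUTZIP=%userprofile%\Desktop\%computername%.zip"

REM Prompt for the password instead of taking it on the command line (assumed practice)
set /p "CLIPW=Enter GlobalCLIPassword: "

REM Default agent path from the article; adjust if the agent is installed elsewhere
cd /d "C:\Program Files (x86)\Bit9\Parity Agent" || exit /b 1

REM Raise logging: flush, reset counters, debug level 6, kernel trace 5 -1,
REM and limit the verbose kernel pattern to the file of interest
dascli password %CLIPW%
dascli flushlogs
dascli resetcounters
dascli debuglevel 6
dascli kerneltrace 5 -1
dascli setconfigprop kernelVerboseLogPattern=*%PATTERN%*
sc control parity 128

echo Reproduce the unexpected block now, then press any key to capture.
pause >nul

REM Capture first so the verbose logs are in the zip, then lower the levels again
dascli capture "%OUTZIP%"
dascli password %CLIPW%
dascli debuglevel 0
dascli kerneltrace 2
dascli setconfigprop kernelVerboseLogPattern=""

echo Diagnostics written to "%OUTZIP%". Upload it with the whoami output and CSV export.
endlocal
```

For User/Group specific rules, still run the whoami command from the first step in a non-elevated session as the affected user, since an administrative prompt reports the elevated token's groups.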
Additional Notes
- The Windows command sc control parity 128 works in combination with the higher debug levels to log more data and provide insight into why the rule isn't expanding.
- If the issue cannot be reproduced, this level of detail will not provide the insight required, and a separate process for capturing diagnostic information may be required.