Versions Compared

Old Version 8

changes.mady.by.user Mike Murphy

Saved on

compared with

New Version 9

changes.mady.by.user Mike Murphy

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Problem

A manually created blacklisting or deny execute policy that has no application targets will apply to all programs and services and prevent them from running on an end-user's machine. If a new deny execute policy is created and enabled with out limiting the application target scope of the policy or is not being used with a proper whitelist, the bad blacklist policy will get rolled out and begin denying execution of all applications. This include userinit.exe which will prevent users from logging in after a reboot. Those computers will act as if they are frozen because no new processes can get created.

Solution

  1. First login to the Arellia Management Console on the Server and disable the bad Blacklisting Policy.
  2. After the policy has been disabled, each of the endpoints need to do a configuration update so they remove the bad policy.
    1. The easiest way to do this is to run an Update Client Configuration task on each of the endpoints. To do this, simply create a new Update Client Configuration Task to run ASAP and schedule it to run now on all machines, or on machines that are known to have the bad blacklist.
    2. Alternatively, you can do it manually by following these steps:
      1. Restart the computer that has been effected by the Blacklisting Policy in Safe mode.
      2. Open the Administrator Tools in the Control Panel and then Services.
      3. Find Arellia Application Control, right click and select Properties.
      4. Change the Startup Type to Disabled, Click OK and restart the computer.
      5. After restarting the computer right click on the Symantec Management Agent icon in the taskbar and select Symantec Management Agent Settings and then click Update to update your policy.
      6. You should now be able to open all the programs and services that were previously blacklisted.
      7. Open Services again from the Control Panel and change the Arellia Application Control Startup Type to Automatic.
  3. Restart the endpoints. After the endpoints have been restarted everything should work normally.

...

Issue

This document tells you how to recover computers that have been locked out due to an improper manually created deny execute policy.

Solution

1. Disable the policy

Disable the manually created deny execute policy that has resulted in locking out computers.

2. Update affected computers

You can update affected computers by running a task via the Arellia Security Manager Console, or by manually restarting the affected computer(s).

Run a task

If you're still able to log into the affected computer, then you can run a task from the Security Manager Console to update the computer by doing the following steps:

  1. Click the Tasks tab.
  2. In the file library in the left pane, navigate to Jobs and Tasks > Client Tasks.
  3. Click Update Applicable Policies.
  4. In the right pane under Task Status, click Run Now.
  5. In the Run Task Now dialog box under Input Parameters, next to ResourceIds target all computers or only the affected computers.
  6. Click Run Task.

Perform a configuration update on each of the affected endpoints by creating a new Update Client Configuration Task and schedule it to run immediately on all computers, or on the computers that are known to have been affected by the deny execute policy.

Manual Update

If you cannot log into the affected computer, then you have to update the computer manually by doing the following steps:

  1. Restart the affected computer(s) in safe mode. (For details about starting in safe mode, go to Start your computer in safe mode.)
  2. In the Control Panel open Administrator Tools > Services
  3. Right-click Arellia Application Control and click Properties
  4. Change the Startup Type to Disabled 
  5. Click OK

  6. Restart the computer. 

  7. Go to the Control Panel again and open Administrator Tools > Services.
  8. Change the Arellia Application Control Startup Type to Automatic

More information on how to configure blacklisting policies

Additional Info

A manually created blacklisting or deny execute policy that has no application targets will apply to all programs and services and prevent them from running on an end-user's machine. If a new deny execute policy is created and enabled with out limiting the application target scope of the policy or is not being used with a proper whitelist, the bad blacklist policy will get rolled out and begin denying execution of all applications. This includes userinit.exe which will prevent users from logging in after a reboot. Those computers will act as if they are frozen because no new processes can get created.