Determining which policy is applied to a process is useful when diagnosing whether or not a policy is being applied correctly. Below are steps for the Arellia Management Server and Symantec Management Agent using Arellia 7.5 Application Control Agents.
Arellia Management Server
...
To determine which policy is applied, do the following steps:
- Open the Arellia Agent Logs (for details, go to Viewing the Agent Logs).
- If a policy is being applied to a process, then:
- The log message will read – "Policy {F289D632-9665-40B0-BC19-0FE8A899A107} (priority 45) applies to process 3468 via Process 3468 (C:\Location\NameOfApplication.exe) Source: CASMonitor Module: ArelliaACSvc.exe Exe: ArelliaACSvc.exe."
- You can look up the policy in the Security Manager Console by using the GUID from the log message like so: http://NameOfServer/Ams/SecurityManager#/Policies/f289d632-9665-40b0-bc19-0fe8a899a107
- If a policy does not apply, the log message will read: "No policies applies to process 2028 (C:\Location\NameOfApplication.exe) Source: CASMonitor Module: ArelliaACSvc.exe Exe: ArelliaACSvc.exe"
- You can look up the exact policy that is catching an application by navigating to http://NameOfServer/Ams/SecurityManager#/Policies/f289d632-9665-40b0-bc19-0fe8a899a107, where the value after "Policies/" is the GUID of the policy that applied to the process.
Symantec Management Agent
- Logs for Arellia Application Control can be found in these locations.
- Using a Symantec Log Viewer, the messages indicating whether or not a policy applies to a process are the same as above.
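
The following Python example is added here and is not Arellia's or Symantec's code: it parses the two message shapes quoted above and builds the Security Manager Console URL for each matched policy, and it lists executables that no policy matched. It assumes the log text is available as plain lines; the function names and the sample line marked as constructed are assumptions of this example, and NameOfServer is the article's placeholder.

```python
import re

GUID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
# Message shapes as quoted in the article; search() tolerates a viewer prefix.
APPLIED = re.compile(
    r"Policy \{(?P<guid>" + GUID + r")\} \(priority (?P<priority>\d+)\) "
    r"applies to process (?P<pid>\d+) via Process \d+ \((?P<path>.+?)\) Source:"
)
NOT_APPLIED = re.compile(
    r"No policies applies to process (?P<pid>\d+) \((?P<path>.+?)\) Source:"
)

def policy_url(server, guid):
    """Console URL for a policy GUID (lowercase, braces removed)."""
    return f"http://{server}/Ams/SecurityManager#/Policies/{guid.lower()}"

def parse_line(line, server="NameOfServer"):
    """Return a dict for a policy-decision message, or None for other lines."""
    m = APPLIED.search(line)
    if m:
        return {
            "applied": True,
            "pid": int(m["pid"]),
            "path": m["path"],
            "priority": int(m["priority"]),
            "guid": m["guid"].lower(),
            "url": policy_url(server, m["guid"]),
        }
    m = NOT_APPLIED.search(line)
    if m:
        return {"applied": False, "pid": int(m["pid"]), "path": m["path"]}
    return None

def uncovered(lines):
    """Sorted executable paths for which no policy applied."""
    hits = (parse_line(line) for line in lines)
    return sorted({h["path"] for h in hits if h and not h["applied"]})

# First two lines are the article's messages; the last two are constructed.
TAIL = " Source: CASMonitor Module: ArelliaACSvc.exe Exe: ArelliaACSvc.exe"
SAMPLE = [
    r"Policy {F289D632-9665-40B0-BC19-0FE8A899A107} (priority 45) applies to "
    r"process 3468 via Process 3468 (C:\Location\NameOfApplication.exe)" + TAIL,
    r"No policies applies to process 2028 (C:\Location\NameOfApplication.exe)" + TAIL,
    r"No policies applies to process 4120 (C:\Program Files (x86)\Vendor\Tool.exe)" + TAIL,
    "Agent service started",  # unrelated line, ignored by the parser
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(parse_line(entry))
```

The path pattern is anchored on the trailing ") Source:" so that paths containing parentheses, such as "Program Files (x86)", are captured whole.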