Introduction
This document describes the steps to troubleshoot in Advanced Malware Protection (AMP) for Endpoints when a Windows process starts before System Process Protection (SPP).
Contributed by Nancy Perez and Uriel Torres, Cisco TAC Engineers.
Requirements
Cisco recommends that you have knowledge of these topics:
- Windows OS
- AMP connector's engines
Components Used
The information in this document is based on these software and hardware versions:
- Windows 10 device
- AMP connector 6.2.9 version
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Limitations
This is a bug that affects the System Process Protection engine when a process starts before the AMP connector CSCvo90440.
Background Information
The AMP for Endpoints System Process Protection engine protects critical Windows system processes from memory injection attacks by other processes.
In order to enable SPP, on the AMP console, navigate to Management > Policies > click on edit in the policy you want to modify > Modes and Engines > System Process Protection, here you can find three options:
- Protect: blocks attacks on critical Windows system processes
- Audit: notify attacks on critical Windows system processes
- Disabled: the engine is not active on this mode
Protected System Processes
The System Process Protection engine protects the next processes:
- Session Manager Subsystem (smss.exe)
- Client/Server Runtime Subsystem (csrss.exe)
- Local Security Authority Subsystem (lsass.exe)
- Windows Logon Application (winlogon.exe)
- Windows Start-up Application (wininit.exe)
When a Windows Service starts before the AMP connector (In versions below the 7.0.5) System Process exclusions are not honored and even if a process is excluded, the SPP engine stops the process and an event is created in the AMP Console, as shown in the image.
Troubleshoot
The workaround of this bug is to delay the Windows service that starts before the AMP service.
The Rosetta Stone application is taken as an example in this document. This application is detected by SPP because it touches the lsass.exe process for authentication purposes.
Steps to delay a Windows service
Step 1. Open services.msc, as shown in the image.
Step 2. Find Rosetta Stone service.
Step 3. Right-click on RosettaStoneDaemon and click on Properties.
The Startup type is configured as Automatic by default which means RossettaStoneDaemon starts automatically in the boot process.
Step 4. Click on the dropdown menu and select Automatic (Delayed Start).
This configuration prevents the RosettaStoneDaemon service starts before the AMP connector.
Step 5. Click on Apply.
Delay the process with the command line
For PowerShell/CMD, the next commands can be used.
Step 1. Execute PowerShell/CMD as Administrator.
Step 2. Execute this command:
sc.exe config RosettaStoneDaemon start= delayed-auto
Note: Rosetta Stone = RosettaStoneDaemon.
In this section, you can replace the application name of RosettaStoneDaemon for the process you want to delay.
Caution: Connector version 7.0.5 and onward already implement a solution for this bug. This workaround is intended for connector versions bellow 7.0.5.