Hi Everyone,
I noticed an event in DCS where something was assigned to deny_ps. What causes a process to be assigned to the deny_ps sandbox? Also, if prevention were enabled, can I assume this activity would have been blocked? See the sample event below. Thank you.
SOURCE
Agent Name xxxxxxx
Host Name xxxxxxx
Host IP Address xxxxxx
User Name xxxxxx
Agent Version 6.0.0.380
OS Type Windows
OS Version XP Service Pack 2
Agent Type CSP Native Agent
EVENT
Event Type Process Assignment
Event Category Real Time - Prevention
Operation create
Event Severity Warning
Event Priority 45
Acknowledgement Status false
Event Date 21-Oct-2014 14:07:28 CDT
Post Date 21-Oct-2014 14:09:04 CDT
Post Delay 00:01:36
Event Count 1
Event ID 1878824
DETAILS
Description Process Assignment for NET.EXE to deny_ps
Policy Name xxxxxxxx
Process C:\WINDOWS\SYSTEM32\NET.EXE
Parent Process C:\WINDOWS\SYSTEM32\CMD.EXE
Module Path C:\WINDOWS\SYSTEM32\CMD.EXE
Agent State Prevention Globally Disabled, Default Policy Rule Processed
Sandbox deny_ps
Operation create
Process ID 2652
Thread ID 2648
Parent PID 1552
Arguments net use q: /delete /yes
Process Signature Microsoft OS Component (00039437)
Module Signature Unsigned (00000000)
Parent Process Signature Microsoft OS Component (00039437)
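As an added example, not code from the post or from Symantec DCS: a small Python parser for the event block in the format pasted above, plus a triage check that flags a deny_ps assignment recorded while the Agent State reports prevention globally disabled. It assumes that such a state means the assignment was logged but not enforced; the key names, sandbox name and sample values come from the post, with the masked fields dropped.

```python
KEYS = sorted([  # longest first so "Process ID" beats "Process" on prefix match
    "Agent Version", "OS Type", "Event Type", "Event Category", "Event ID",
    "Description", "Process", "Parent Process", "Agent State", "Sandbox",
    "Process ID", "Parent PID", "Arguments", "Process Signature",
], key=len, reverse=True)
SECTIONS = {"SOURCE", "EVENT", "DETAILS"}
DENY_SANDBOXES = {"deny_ps"}       # sandbox name taken from the post

# Constructed sample: the event from the post, cut down to the relevant keys.
SAMPLE_EVENT = """\
SOURCE
Agent Version 6.0.0.380
EVENT
Event Type Process Assignment
Event Category Real Time - Prevention
DETAILS
Process C:\\WINDOWS\\SYSTEM32\\NET.EXE
Parent Process C:\\WINDOWS\\SYSTEM32\\CMD.EXE
Agent State Prevention Globally Disabled, Default Policy Rule Processed
Sandbox deny_ps
Process ID 2652
Arguments net use q: /delete /yes
"""

def parse_event(text):
    """Return {section: {key: value}} for one DCS event dump."""
    event, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line in SECTIONS:
            section = event.setdefault(line, {})
            continue
        if section is None or not line:
            continue
        # Keys are multi-word, so match the longest known key prefix.
        key = next((k for k in KEYS if line.startswith(k + " ")), None)
        if key:
            section[key] = line[len(key) + 1:]
    return event

def triage(text):
    """Flag a deny-sandbox assignment that was logged but not enforced.
    Assumption: 'Prevention Globally Disabled' in Agent State means the
    agent recorded the assignment without blocking the process."""
    d = parse_event(text).get("DETAILS", {})
    sandbox = d.get("Sandbox", "")
    enforced = "Prevention Globally Disabled" not in d.get("Agent State", "")
    return {"process": d.get("Process"), "arguments": d.get("Arguments"),
            "sandbox": sandbox, "enforced": enforced,
            "needs_review": sandbox in DENY_SANDBOXES and not enforced}
```

Running `triage(SAMPLE_EVENT)` on the pasted event returns `needs_review: True`, i.e. a deny_ps assignment that the agent only recorded; feeding it an event whose Agent State lacks the disabled marker returns `enforced: True` instead.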