
Follow Up - Process Modification Allowed for (W3WP.EXE) on (SYSTEM)

I need a solution

In follow up to this thread, I need assistance on the following:

Process Modification Allowed for (W3WP.EXE) on (SYSTEM).

In DCS this cannot be whitelisted even though you use the Wizard to whitelist. The target process name is SYSTEM. No matter how many times you whitelist, it keeps popping up as a block. The performance of the system is very slow, even though it is not affecting the function of the process of IIS. When the policy is in audit, the performance is fast and the Process Modification Allowed for W3WP.EXE on (SYSTEM) event disappears, which means this event is not captured in audit.

There is another issue on DCS 6.5 MP1.

When you create a policy 6.0.0 there is no remote_file_ps.
Events are triggered that cannot be whitelisted, as there is no remote_file_ps, which is strange. I looked back on older policy versions and there is a remote_file_ps, but the new policy version does not have the remote_file_ps process set.

Description File Read Denied for LanManager on z:\xyz\zzz\xxxx\TEST.txt
Policy Name DIPS-DB-UAT-INTNP(BLOCK)

Internal Rule Data Protection No Access
Process LanManager
File Name z:\xyz\zzz\xxxx\TEST.txt
Agent State Default Policy Rule Processed
Disposition Denied
Sandbox remote_file_ps
Operation IoCreateFile
OS Result 00000000 (SUCCESS)
SDCSS Result C0000022 (ACCESS_DENIED)
Permissions Requested 00100080 (synch, read_attr)
Process ID yyy
Thread ID zzz
Process Signature Unsigned (00000000)
Module Signature Unsigned (00000000)
