Endpoint Woes

We have been struggling with Endpoint Protection for some time now. I would like to hear other MSPs' views on the product. The main issues we have are:

  1. Many places that “could be” stopping an app from running.
  2. There is no place on the client that indicates that a new profile update has been received, so it is difficult to troubleshoot whether or not changing a profile has worked unless you dig into the settings of the client to verify that the settings have changed.
  3. Logging for containment and other blocking is inaccurate. Usually this bites us when an application spawns another process that doesn’t have a UI. The process could be contained (or killed as a shellcode injection) and the user would never know. There doesn’t seem to be a place in the UI that logs all the blocking. The event viewer doesn’t even have all of the blocking logs.
  4. When ITSM updates the profile it overrides whether a system is temporarily disabled. For instance, if I disable Auto-containment for 15 minutes and ITSM updates, auto-containment is turned back on. This is very frustrating.

For the developers I can explain the workflow that is causing difficulty:

  1. Call from client comes in saying an application doesn’t work.
  2. Basic debugging steps commence. We generally try to disable the components one by one to see which is the culprit. Oftentimes issue #4 from above crops up and it becomes frustrating to debug.
  3. For this example, let’s say that turning off the firewall, auto-containment and VirusScope has allowed an application to run. We then look at the event viewer to see what application is causing the block. Let’s say it is “anyapp.exe”. We create an exception for “anyapp.exe” in a file group, apply the file group to the policy and reapply the policy to the endpoint.
  4. Usually what happens is that we discover that the program still doesn’t run, because either a process spawned by anyapp.exe is now blocked or a second system, say VirusScope, is now blocking the application. This can lead to repeating step 3 many times and it becomes extremely frustrating for the customer and the technician. As you might guess, this leads to sub-systems just being disabled because it is too difficult to manage.

My questions are:

  1. Has anybody found a good workflow to effectively put exceptions in place without creating huge security holes?
  2. Is there any way that we can create the exceptions on a client so that we can create a baseline, export the config from the local client and import the changes into an ITSM profile? It would save a lot of time debugging and reapplying profiles.
  3. This is for the dev team. Is there any way to apply a file group exception to all security systems? Right now we have to apply exclusions to Containment, HIPS, Antivirus, shellcode injections and Firewall. It is extremely cumbersome and error-prone. The logging is also very difficult to parse for a human, so debugging exclusions becomes very time-consuming.
  4. Are we missing something here? Are we the only ones having these issues or are other IT companies having these problems? If others have solutions I would appreciate some feedback.

Thanks,
Josh
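The workflow above stalls at the point where anyapp.exe spawns a helper process with no window, and that helper, not anyapp.exe, is what gets contained or killed. The following PowerShell script is an added example (not code from the original post, from the poster, or from Comodo): it snapshots the Windows process table once, walks every descendant of a named executable, and flags which ones have no top-level window, so the technician has a list of image names to look for in the block logs before repeating the exception step. It assumes Windows PowerShell 5.1 or later and that the application is running while it is executed; the default root name anyapp.exe is the placeholder from the post.

```powershell
# Added example, not from the original thread or from Comodo.
# Maps the process tree under a named application and marks processes that have
# no main window, i.e. helpers the user would never see being contained or killed.
# Assumes Windows PowerShell 5.1+; 'anyapp.exe' is the placeholder name from the post.
param(
    [string]$RootImageName = 'anyapp.exe'
)

# One snapshot of every process so the parent/child relationships are consistent.
$all = Get-CimInstance -ClassName Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine

# Index children by parent PID (both fields are UInt32, so the keys match).
$children = @{}
foreach ($p in $all) {
    if (-not $children.ContainsKey($p.ParentProcessId)) {
        $children[$p.ParentProcessId] = New-Object System.Collections.ArrayList
    }
    [void]$children[$p.ParentProcessId].Add($p)
}

# Main window handle 0 means no top-level window. Keyed by Int32 PID to match
# the [int] cast used in the lookup below.
$windowByPid = @{}
foreach ($gp in Get-Process) {
    $windowByPid[$gp.Id] = $gp.MainWindowHandle.ToInt64()
}

# Guard against PID reuse producing an apparent cycle in the tree.
$visited = @{}

function Show-Tree {
    param($Proc, [int]$Depth)
    if ($visited.ContainsKey($Proc.ProcessId)) { return }
    $visited[$Proc.ProcessId] = $true

    $handle = $windowByPid[[int]$Proc.ProcessId]
    # A process that exited between the two snapshots has no entry; treat it as no UI.
    $hasUi  = ($null -ne $handle) -and ($handle -ne 0)
    $marker = if ($hasUi) { 'UI' } else { 'no UI' }

    Write-Output ('{0}{1} (PID {2}, parent {3}) [{4}] {5}' -f (' ' * (2 * $Depth)),
        $Proc.Name, $Proc.ProcessId, $Proc.ParentProcessId, $marker, $Proc.CommandLine)

    if ($children.ContainsKey($Proc.ProcessId)) {
        foreach ($c in $children[$Proc.ProcessId]) {
            Show-Tree -Proc $c -Depth ($Depth + 1)
        }
    }
}

$roots = $all | Where-Object { $_.Name -ieq $RootImageName }
if (-not $roots) {
    Write-Warning "No running process named $RootImageName; start the application first, then re-run."
    return
}
foreach ($r in $roots) { Show-Tree -Proc $r -Depth 0 }
```

Run it from an elevated prompt (command lines of processes owned by other users are otherwise blank), while the application is in the state that fails. Every image name printed with [no UI] is a candidate for the same file group as anyapp.exe; adding the whole set in one pass, rather than one image per profile push, is what cuts down the repeat-step-3 loop the post describes. The script only reports what is currently running; a helper that was already killed will not appear, so re-run it with the blocking components temporarily disabled to capture the complete tree.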

@easterntech50 Sounds like you need to have a chat with L2 support for them to guide you through managing Comodo Client Security efficiently.

To answer point 2, this is managed via the ITSM console, and for point 4, I stop the ITSMService before disabling any modules on CCS if I need to install a software package which, due to scripts etc., CCS will interfere with.

I have around 700 endpoints protected by Comodo Client Security, and the ITSM solution is improving massively with each release.
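The workaround in the reply above (stop the agent service, make the temporary module changes or run the installer, then bring the agent back) is easy to get wrong if the installer fails and the service is left stopped, which leaves the endpoint unmanaged. The PowerShell below is an added example, not code from the reply's author or from Comodo: it wraps the work in a try/finally so the service is restarted regardless of the outcome and reports how long the agent was down. It assumes the Windows service name is literally ITSMService as written in the reply (verify with Get-Service), that the shell is elevated, and that the work to perform is supplied as a script block; the default installer path is a placeholder.

```powershell
# Added example, not from the original thread or from Comodo.
# Runs a change while the ITSM agent service is stopped and restarts the agent
# no matter what happens in between.
# Assumptions: service name 'ITSMService' (from the reply; confirm with Get-Service),
# elevated shell, and a caller-supplied script block for the actual work.
param(
    [string]$ServiceName = 'ITSMService',
    # Placeholder work item; replace with the installer or module change you need.
    [scriptblock]$Work = { & "$env:TEMP\installer.exe" /quiet }
)

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    throw "Service '$ServiceName' not found; check the exact name with Get-Service."
}

$wasRunning = ($svc.Status -eq 'Running')
$stoppedAt  = Get-Date

try {
    if ($wasRunning) {
        Stop-Service -Name $ServiceName -Force
        (Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
        Write-Host "$ServiceName stopped at $stoppedAt; profile pushes are paused until it restarts."
    }

    # Disable the CCS modules and/or run the installer here. Any error thrown
    # inside the block still falls through to the finally clause below.
    & $Work
}
finally {
    if ($wasRunning) {
        Start-Service -Name $ServiceName
        (Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
        $down = (Get-Date) - $stoppedAt
        Write-Host ("{0} restarted; agent was down for {1:n1} minutes." -f $ServiceName, $down.TotalMinutes)
    }
}
```

Once the service is back, expect the next profile sync to reapply the profile and re-enable whatever modules were switched off, exactly as point 4 in the original post describes, so any exclusions discovered during the window still need to be added to the ITSM profile itself.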

@easterntech50 ,

We understand that you need some help concerning the Client Security and we want to ensure we assist you by all means possible to make it work for you efficiently. We will create a support ticket and contact you via email for addressing the issues that would be most convenient for you. Please respond to our email once you have received it. Support will get in touch with you shortly for details.

Hi Josh,

Let’s have a meeting to go over your questions and how it is addressed on ITSM.

Best regards,
Ilker

Hi Joshua,
We’ve already touched on the issues in our meeting and I hope you are handling them. I want to add the solutions we discussed in here also:

1- ITSM provides information on whether a profile is applied to an endpoint under Device Details->Associated Profiles. You can check this wiki for more details: https://wiki.comodo.com/frontend/web/topic/how-to-check-the-current-state-of-association-of-a-profile-at-the-endpoint . We have this feature in our roadmap for the client side. We will update you when there are new improvements.
2- We will provide the ability to view the parent process of a blocked process/application in 2018-Q2. Once we release it, you will be able to track the blocked application and add an exclusion rule for its parent process.
3- The feature of preventing the profile from overriding the temporary changes on CCS is already in our roadmap and we are working on it. We will update you when there are new improvements.
4- To whitelist an application, you can go with File Group variables and create exclusion rules based on the group you want on each component. For more information, you can check this wiki: https://wiki.comodo.com/frontend/web/topic/how-to-white-list-files-based-on-file-group

5- For baselining of unrecognized files, you can use the Baselining options under Profiles->Containment->Baselining. It will disable auto-containment until the selected condition is met.
For Firewall, you can enable it in Training Mode. In this mode, Firewall monitors network traffic and creates automatic allow rules for all new applications until the security level is adjusted. The same option is supported for HIPS. Once you enable it in Training Mode, HIPS monitors and learns the activity of any and all executables and creates automatic ‘Allow’ rules until the security level is adjusted. We advise that you be 100% sure that all applications and executables installed on the endpoints are safe to run under this configuration.
Please let us know if you have any issues.
Regards