We have been struggling with Endpoint Protection for some time now. I would like to hear other MSPs views on the product. The main issues we have are:
- Many places that “could be” stopping an app from running.
- There is no place on the client that indicates that a new profile update has been received, so it is difficult to troubleshoot whether or not changing a profile has worked unless you dig into the settings of the client to verify the settings have changed.
- Logging for containment and other blocking is inaccurate. Usually this bites us when an application spawns another process that doesn’t have a UI. The process could be contained (or killed as a shellcode injection) and the user would never know. There doesn’t seem to be a place in the UI that logs all the blocking. The event viewer doesn’t even have all of the blocking logs.
- When ITSM updates the profile it overrides whether a system is temporarily disabled. For instance, if I disable Auto-containment for 15 minutes and ITSM updates, Auto-containment is turned back on. This is very frustrating.
For the developers, I can explain the workflow that is causing difficulty:
- Call from client comes in saying an application doesn’t work.
- Basic debugging steps commence. We generally try to disable the components one by one to see which is the culprit. Oftentimes Issue #4 from above crops up and it becomes frustrating to debug.
- For this example, let’s say that turning off the firewall, Auto-containment and VirusScope has allowed an application to run. We then look at the event viewer to see what application is causing the block. Let’s say it is “anyapp.exe”. We create an exception for “anyapp.exe” in a file group, apply the file group to the policy and reapply the policy to the endpoint.
- Usually what happens is that we discover that the program still doesn’t run, because either a process spawned by anyapp.exe is now blocked or a second system, say VirusScope, is now blocking the application. This can lead to repeating step 3 many times, and it becomes extremely frustrating for the customer and the technician. As you might guess, this leads to sub-systems just being disabled because it is too difficult to manage.
My questions are:
- Has anybody found a good workflow to effectively put exceptions in place without creating huge security holes?
- Is there any way that we can create the exceptions on a client so that we can create a baseline, export the config from the local client and import the changes into an ITSM profile? It would save a lot of time debugging and reapplying profiles.
- This is for the dev team. Is there any way to apply a file group exception to all security systems? Right now we have to apply exclusions to Containment, HIPS, Antivirus, shellcode injection and Firewall. It is extremely cumbersome and error-prone. The logging is also very difficult to parse for a human, so debugging exclusions becomes very time consuming.
- Are we missing something here? Are we the only ones having these issues, or are other IT companies having these problems? If others have solutions, I would appreciate some feedback.
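One practical way to shorten the "whitelist anyapp.exe, then discover a child process is also blocked" loop is to capture the full process tree of the application in one pass and put every executable path into the file group at once, rather than discovering the children one failure at a time. The PowerShell below is an added example, not code from the original post and not a Comodo or ITSM tool; it uses only the standard Win32_Process CIM class. It assumes the application is running (ideally with the security components temporarily disabled, as in the workflow above) and that the hypothetical name anyapp.exe stands in for the real binary. It guards against Windows PID reuse by only accepting a child whose creation time is not earlier than its parent's.

```powershell
# Added example (not from the original post or from the vendor).
# Walks the live process tree rooted at a named executable and returns the
# distinct executable paths, which is the list that goes into a file group.
# Assumption: the target application is running when this is executed.
function Get-ProcessTreePaths {
    param(
        [Parameter(Mandatory = $true)]
        [string]$RootName   # e.g. 'anyapp.exe' (hypothetical name from the post)
    )

    # One snapshot of all processes; ExecutablePath may be $null for
    # protected or other users' processes unless this runs elevated.
    $all = Get-CimInstance -ClassName Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CreationDate

    $roots = @($all | Where-Object { $_.Name -ieq $RootName })
    if ($roots.Count -eq 0) {
        Write-Error "No running process named '$RootName'"
        return @()
    }

    $seen  = @{}
    $queue = [System.Collections.Generic.Queue[object]]::new()
    foreach ($r in $roots) { $queue.Enqueue($r) }

    # Breadth-first walk over ParentProcessId links.
    while ($queue.Count -gt 0) {
        $p = $queue.Dequeue()
        if ($seen.ContainsKey($p.ProcessId)) { continue }
        $seen[$p.ProcessId] = $p

        $children = $all | Where-Object {
            $_.ParentProcessId -eq $p.ProcessId -and
            # PID reuse guard: ParentProcessId can point at a PID that has
            # since been recycled; a genuine child cannot predate its parent.
            ($null -eq $_.CreationDate -or $null -eq $p.CreationDate -or
             $_.CreationDate -ge $p.CreationDate)
        }
        foreach ($c in @($children)) {
            if ($null -ne $c) { $queue.Enqueue($c) }
        }
    }

    # Report the tree for the technician, then return the unique path list.
    $seen.Values |
        Sort-Object CreationDate |
        Format-Table ProcessId, ParentProcessId, Name, ExecutablePath -AutoSize |
        Out-Host

    return $seen.Values |
        Where-Object { $_.ExecutablePath } |
        Select-Object -ExpandProperty ExecutablePath -Unique |
        Sort-Object
}

# Usage: run while the application is exercised (open its dialogs, trigger the
# feature that fails) so short-lived helpers are caught in the snapshot.
$paths = Get-ProcessTreePaths -RootName 'anyapp.exe'
$paths | Set-Content -Path "$env:TEMP\anyapp-file-group.txt"
$paths
```

Run it a few times while the application is doing the thing that fails, and merge the output files; a helper that exits in under a second may not be present in any single snapshot, which is exactly the "process without a UI" case described above. Child processes that are already contained or killed before the snapshot will not appear either, so collect the tree while the blocking components are disabled, then re-enable them and confirm the full path list is in the file group.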