Leaving the Signature Flag blank for an entry in a sandbox's "Programs the ... Services may not run" list (under Sandbox Execution Options) results in the service flag (Q01) sigflags attribute being dropped from the minus file.
1. Create a 6.0 policy with strategy=basic
2. Edit the policy
3. Click Advanced option
4. Under Advanced Policy Settings, click Sandboxes
5. Scroll down to the "Fully Open Sandbox" and click Edit
6. Under Sandbox Execution Options, check the Edit box next to "Programs the Fully Open Services may not run" and click Edit
7. Click Add
8. Enter C:\test.exe for Program Path
9. Leave Signature Flag blank
10. Enter NoRunRuleName for Rule Name
11. Click OK
12. Save the policy
13. Apply the policy to an agent
Expected result:
The minus file should contain a sigflags attribute carrying the service flag value (Q01).
Actual result:
The sigflags attribute is missing:
<psetdef name="fullopen_ps">
<usebcd bcd="sym_win_prot_fullopen_bcd"/>
<create log="off" profile="off"/>
<assign cmdline="on" log="on" profile="off" severity="I"/>
<destroy log="off" profile="off"/>
<execute log="off" profile="off" response="allow"/>
<newproc>
<map pset="deny_ps" ruleid="e.NoRunRuleName">
<attr string="\??\C:\test.exe" type="path"/>
</map>
Below is the corresponding portion of the minus file where the sigflags=Q01 entry is missing:
<string id="1536" type="path" value="\??\C:\test.exe"/>
<psetdef name="fullopen_ps">
<usebcd bcd="sym_win_prot_fullopen_bcd"/>
<create log="off" profile="off"/>
<assign cmdline="on" log="on" profile="off" severity="I"/>
<destroy log="off" profile="off"/>
<execute log="off" profile="off" response="allow"/>
<newproc>
<map pset="deny_ps" ruleid="e.NoRunRuleName">
<attr string="1536" type="path"/> ---> sigflags attribute is missing
</map>
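As an added check (not code from the KB article or the product), the following Python script scans a compiled minus file for deny_ps rules under newproc whose path entry carries no sigflags attribute, which is the symptom described above. It assumes sigflags is an attribute of the <attr> element, as the annotated excerpt suggests; the sample minus file is constructed from the excerpt and made well-formed, with a second, constructed rule that does carry sigflags="Q01" for contrast.

```python
# Added example, not part of the original KB article or the product.
# Assumption: sigflags is an attribute of the <attr> element under <map>.
import xml.etree.ElementTree as ET

# Constructed sample modelled on the minus-file excerpt above, made well-formed.
# The first rule reproduces the defect; the second is a constructed good entry.
SAMPLE_MINUS = r"""<policy>
<string id="1536" type="path" value="\??\C:\test.exe"/>
<string id="1537" type="path" value="\??\C:\other.exe"/>
<psetdef name="fullopen_ps">
<usebcd bcd="sym_win_prot_fullopen_bcd"/>
<newproc>
<map pset="deny_ps" ruleid="e.NoRunRuleName">
<attr string="1536" type="path"/>
</map>
<map pset="deny_ps" ruleid="e.GoodRuleName">
<attr string="1537" type="path" sigflags="Q01"/>
</map>
</newproc>
</psetdef>
</policy>"""


def find_missing_sigflags(minus_xml):
    """Return (psetdef name, ruleid, resolved path) for each deny_ps map
    under <newproc> whose path <attr> has no sigflags attribute."""
    root = ET.fromstring(minus_xml)
    # The minus file refers to paths by string-table id; build the lookup.
    strings = {s.get("id"): s.get("value") for s in root.iter("string")}
    missing = []
    for pset in root.iter("psetdef"):
        for newproc in pset.iter("newproc"):
            for rule in newproc.iter("map"):
                if rule.get("pset") != "deny_ps":
                    continue
                for attr in rule.iter("attr"):
                    if attr.get("type") != "path" or attr.get("sigflags"):
                        continue
                    ref = attr.get("string")
                    path = strings.get(ref, ref)  # inline path if not an id
                    missing.append((pset.get("name"), rule.get("ruleid"), path))
    return missing


if __name__ == "__main__":
    for pset_name, ruleid, path in find_missing_sigflags(SAMPLE_MINUS):
        print(f"{pset_name}: rule {ruleid} for {path} has no sigflags attribute")
```

Run it against an exported minus file's contents in place of SAMPLE_MINUS to list every affected rule before applying the policy to agents.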
This is still an open defect, and we will update this KB once we have a workaround or a solution for this issue.