You deploy an Intrusion Prevention policy to a host that has User Account Control (UAC) enabled. The policy was tested on a client machine that has UAC disabled.
After the user accepts the UAC prompt, the protected resource is no longer blocked.
SES CSP 7.0 MP1 installed on Windows 7 Professional SP1 with User Account Control (UAC) set to the default, "Notify me only when programs try to make changes to my computer".
When a desktop user launches a Windows application such as regedit.exe, UAC changes the parent process from explorer.exe to svchost.exe. The protection rule configured in the Windows Default Services sandbox is therefore not sufficient to protect the child process started by svchost.exe.
Modify the prevention policy and add an extra rule for the NETSVC sandbox in order to block regedit.exe from starting.
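To confirm on a UAC-enabled host which process actually launched regedit.exe before extending the policy, the following added example (not part of the original article or of the product's tooling) lists each running regedit.exe with its parent process and, when the parent is svchost.exe, the services that instance hosts. The function name Get-ParentInfo is hypothetical; Get-WmiObject is used because it works with the PowerShell 2.0 that ships with Windows 7 SP1.

```powershell
# Added example: show the parent of every running instance of an image (default regedit.exe).
# Run from an elevated prompt; otherwise the command line of system processes is not readable.
function Get-ParentInfo {
    param([string]$ImageName = 'regedit.exe')

    $all     = @(Get-WmiObject -Class Win32_Process)
    $targets = @($all | Where-Object { $_.Name -eq $ImageName })

    foreach ($proc in $targets) {
        $parent = $all | Where-Object { $_.ProcessId -eq $proc.ParentProcessId } |
                  Select-Object -First 1

        # PIDs are recycled: a candidate parent created after the child is not the real parent.
        if ($parent) {
            $childStart  = [System.Management.ManagementDateTimeConverter]::ToDateTime($proc.CreationDate)
            $parentStart = [System.Management.ManagementDateTimeConverter]::ToDateTime($parent.CreationDate)
            if ($parentStart -gt $childStart) { $parent = $null }
        }

        $parentName = '<exited or unknown>'
        $parentCmd  = $null
        $services   = @()
        if ($parent) {
            $parentName = $parent.Name
            $parentCmd  = $parent.CommandLine   # for svchost.exe this shows the -k service group
            if ($parent.Name -eq 'svchost.exe') {
                # Win32_Service.ProcessId ties each service to the svchost instance hosting it.
                $services = @(Get-WmiObject -Class Win32_Service -Filter "ProcessId = $($parent.ProcessId)" |
                              ForEach-Object { $_.Name })
            }
        }

        New-Object PSObject -Property @{
            Process           = $proc.Name
            ProcessId         = $proc.ProcessId
            ParentProcessId   = $proc.ParentProcessId
            Parent            = $parentName
            ParentCommandLine = $parentCmd
            HostedServices    = ($services -join ', ')
        }
    }
}

Get-ParentInfo | Format-List
```

Run it once with UAC disabled and once with UAC enabled while regedit.exe is open; the Parent field shows whether the process was started by explorer.exe or by svchost.exe.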