Jump to content

Recommended Posts

How do I prevent the Immunet system process protection engine from blocking access to a process by another process that I want to allow?  Several times each day Immunet reports: Warning! Process Blocked. The System Process Protection engine prevented unexpected access to (some-exe).exe (PID nnn) by (some-other-exe).exe (PID nnnn)

Share this post


Link to post
Share on other sites

we notify and block the process which try to access protected processes ( Winlogon.exe ,lsass.exe, etc.). Once the SPP rule is triggered, the notification is reported on couple of conditions and one them is when “process is not clean and not signed. “

 

You can try to add the exception to that file path in the settings, and turn off 'blocking mode" to see if that fixes anything for the better.
Though realistically, it shouldn't prevent you from accessing the exe file at all, just that for whatever reason that program is trying to access something else

Share this post


Link to post
Share on other sites

In my case some-exe is Isass.exe.  I should have said: blocking mode is off, I added an exception for some-other-exe in the settings, and I re-started the Immunet service, but the blocking action continued after this.  A 3rd party service yet-another-exe starts some-other-exe in the background from time to time.  After your reply I added another exception for yet-another-exe in the settings, and re-started the Immunet service again, but the blocking continued after this, also.  Are there some blocking actions that cannot be prevented or is there always some way to prevent a blocking action?  How can I tell if an exe is not clean or not signed?

Share this post


Link to post
Share on other sites

if you are referring to the 'blocking' notification, Immunet has been doing that since the previous version, it just never notified the user before (that was added in the latest version).
Which, at this time there is no way to turn off that notification, but I can put a request in to the dev team to do that.

https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service

in regards to the lsass.exe is above. (make sure that it is the correct lsass.exe) coming from the correct paths.

 

to make sure a file is clean, just scan it. To see if it is signed: https://docs.microsoft.com/en-us/windows/desktop/seccrypto/using-signtool-to-verify-a-file-signature

 

 

Share this post


Link to post
Share on other sites

I have blocking mode turned off, but the notification message makes me think Immunet is blocking this particular action, is that right, or can I ignore the notification?

If it is blocking can I stop it?  My actual message is:

Warning! Process Blocked. The System Process Protection engine prevented unexpected access to lsass.exe (PID nnn) by printservice.exe (PID nnnn)

printservice.exe is a file I know about it is part of an application suite, it is started from time to time by a Windows service whose executable is named autoprintservice.exe that is part of the same application suite.  I scanned both files and they are clean.  I have SignTool on another PC so I copied the two files to that PC and SignTool reports that neither file is signed.

Share this post


Link to post
Share on other sites

That has always happened (since 6.0.8, it is just saying that the process is trying to access a protected process). Now, the notifications are shown in 6.2 as they weren't before, you can ignore it.

Share this post


Link to post
Share on other sites

Given that my application's process printservice.exe is only ever launched by my application's service autoprintservice.exe, is there a way I can stop Immunet blocking printservice.exe's access to lsass.exe?

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×