Process Blocked

[colinp]

How do I prevent the Immunet system process protection engine from blocking access to a process by another process that I want to allow?  Several times each day Immunet reports: Warning! Process Blocked. The System Process Protection engine prevented unexpected access to (some-exe).exe (PID nnn) by (some-other-exe).exe (PID nnnn)

[Guest Wookiee]

we notify and block the process which try to access protected processes ( Winlogon.exe ,lsass.exe, etc.). Once the SPP rule is triggered, the notification is reported on couple of conditions and one them is when “process is not clean and not signed. “

 

You can try to add the exception to that file path in the settings, and turn off 'blocking mode" to see if that fixes anything for the better.
Though realistically, it shouldn't prevent you from accessing the exe file at all, just that for whatever reason that program is trying to access something else

[colinp]

In my case some-exe is Isass.exe.  I should have said: blocking mode is off, I added an exception for some-other-exe in the settings, and I re-started the Immunet service, but the blocking action continued after this.  A 3rd party service yet-another-exe starts some-other-exe in the background from time to time.  After your reply I added another exception for yet-another-exe in the settings, and re-started the Immunet service again, but the blocking continued after this, also.  Are there some blocking actions that cannot be prevented or is there always some way to prevent a blocking action?  How can I tell if an exe is not clean or not signed?

[Guest Wookiee]

if you are referring to the 'blocking' notification, Immunet has been doing that since the previous version, it just never notified the user before (that was added in the latest version).
Which, at this time there is no way to turn off that notification, but I can put a request in to the dev team to do that.

https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service

in regards to the lsass.exe is above. (make sure that it is the correct lsass.exe) coming from the correct paths.

 

to make sure a file is clean, just scan it. To see if it is signed: https://docs.microsoft.com/en-us/windows/desktop/seccrypto/using-signtool-to-verify-a-file-signature

 

 

[colinp]

I have blocking mode turned off, but the notification message makes me think Immunet is blocking this particular action, is that right, or can I ignore the notification?

If it is blocking can I stop it?  My actual message is:

Warning! Process Blocked. The System Process Protection engine prevented unexpected access to lsass.exe (PID nnn) by printservice.exe (PID nnnn)

printservice.exe is a file I know about it is part of an application suite, it is started from time to time by a Windows service whose executable is named autoprintservice.exe that is part of the same application suite.  I scanned both files and they are clean.  I have SignTool on another PC so I copied the two files to that PC and SignTool reports that neither file is signed.

[Guest Wookiee]

That has always happened (since 6.0.8, it is just saying that the process is trying to access a protected process). Now, the notifications are shown in 6.2 as they weren't before, you can ignore it.

[colinp]

Is the process blocked?

[Guest Wookiee]

It blocks the process from accessing protected services, but if you were to launch the process, then no.

[colinp]

Given that my application's process printservice.exe is only ever launched by my application's service autoprintservice.exe, is there a way I can stop Immunet blocking printservice.exe's access to lsass.exe?

[Guest Wookiee]

Is it hindering you from printing?

[colinp]

No, but it is putting messages on my server's screen that I don't want to see.  Can I switch off messages for this particular event, somehow?

[italy1]

someone mentioned about  phone number is there a staff member who a phone?