
Content Filtering Client 3.1 Getting Started Guide

Enabling a Blocked Process

When you run diagnostics from the Client dashboard menu, the Client generates an output report. The output includes additional data so the system administrator can determine whether a blocked item is actually a valid process and, if so, add an exception for it. The example below shows blocked data.

 
 
Getting process subject names: Pass

Process path: C:\Users\test\Downloads\curl.exe
Subject name: (none)

Process path: C:\Users\test\AppData\Local\Temp\psiphon-tunnel-core.exe
Subject name: Psiphon Inc.

Process path: C:\Users\test\Downloads\psiphon3.exe
Subject name: Psiphon Inc.

Process path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Subject name: Microsoft Corporation

In the output above there were 4 processes blocked.

Curl.exe is an application downloaded to perform a local test. It is blocked because it is an application (a.k.a. process) running from a non-privileged location. Notice also that it does not have a Certificate Subject Name (CN), because this application is not digitally signed. If you MUST allow this application, you must specify the path to the application, c:\users\test\downloads\curl.exe, in EPRS.
Psiphon-tunnel-core.exe and Psiphon3.exe are blocked because they are running from a non-privileged location. This application is digitally signed and therefore has CN=Psiphon Inc. However, it is a proxy application that helps to bypass Content Filtering solutions. Do not add such applications if they are deemed rogue.
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe is a valid application and is blocked because it is invoked by psiphon3.exe. Since CN=Microsoft Corporation is already in the allowed list, you do not have to do anything to allow it. If you disconnect psiphon3.exe, the Edge browser starts working again.

An EPRS policy change is required to add either the CN or the path of an application so that it is allowed. Log in to EPRS and select the policy that needs to allow the process. The setting is available on the advanced tab, as shown below.

If the application is digitally signed, the diagnostics report of the CF Client shows the value of the CN. Add the CN value under “Authorized Processes – Certificate Subject Name” on the advanced tab of the policy in EPRS.

If the application is NOT digitally signed, the diagnostics report of the CF Client shows the path (location) of the application. Add the full path, including the application name, under “Authorized Processes – Process Name” on the advanced tab of the policy in EPRS.

 
NOTE: In earlier versions of the CF Client, you can find the path and CN by looking through the logs in the filter.txt file.

For digitally signed applications, look for a log entry with the attribute cn=<some value>; in the sample entry below the subject name appears as sn='Cisco Systems, Inc.'. For example:

07/15/16 08:47:57 AM FLT[15720:9844] Debug cfe_proc_cache::Find: EXE is trusted, sn='Cisco Systems, Inc.'

Add the value of attribute cn= in the EPRS policy.

For applications that are not digitally signed, the following log entries contain the path to the application. You can use wildcards when you specify the path in the EPRS policy.

07/15/16 07:44:40 PM FLT[2604:3716] Debug cfe_proc_cache::Find: EXE is not trusted

07/15/16 07:44:40 PM FLT[2604:3716] Debug cfe_proc_cache::Find: fell through - not authorized

07/15/16 07:44:40 PM FLT[2604:3716] Debug Process 'C:\Users\Ramesh\AppData\Local\CiscoSparkLauncher\2.0.2466.0_3719b98b-b0f6-46f4-ae41-3abedfbff45b\SparkWindows.exe' is not authorized

For example, the path:

'C:\Users\Ramesh\AppData\Local\CiscoSparkLauncher\2.0.2466.0_3719b98b-b0f6-46f4-ae41-3abedfbff45b\SparkWindows.exe'

Can be specified in EPRS as:

'C:\Users\*\AppData\Local\CiscoSparkLauncher\*\SparkWindows.exe'
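
The log review described above, as an added example (not code from this guide or from the product): it pulls the sn= subject names and the unauthorized process paths out of filter.txt entries and rewrites each path in the wildcard form shown above. The function names and the rule that treats a folder name beginning with a dotted version number as a wildcard candidate are assumptions; the sample entries are the ones quoted in this guide.

```python
import re

# Constructed sample: the filter.txt entries quoted in this guide.
SAMPLE_LOG = r"""
07/15/16 08:47:57 AM FLT[15720:9844] Debug cfe_proc_cache::Find: EXE is trusted, sn='Cisco Systems, Inc.'
07/15/16 07:44:40 PM FLT[2604:3716] Debug cfe_proc_cache::Find: EXE is not trusted
07/15/16 07:44:40 PM FLT[2604:3716] Debug cfe_proc_cache::Find: fell through - not authorized
07/15/16 07:44:40 PM FLT[2604:3716] Debug Process 'C:\Users\Ramesh\AppData\Local\CiscoSparkLauncher\2.0.2466.0_3719b98b-b0f6-46f4-ae41-3abedfbff45b\SparkWindows.exe' is not authorized
"""

TRUSTED_RE = re.compile(r"EXE is trusted, sn='([^']*)'")
BLOCKED_RE = re.compile(r"Process '([^']+)' is not authorized")
# Heuristic (assumption): a folder name starting with a dotted version number
# changes on every update, so it is a wildcard candidate.
VERSION_DIR_RE = re.compile(r"^\d+(\.\d+)+")


def parse_filter_log(text):
    """Return (subject names of trusted EXEs, paths of unauthorized processes)."""
    subjects, blocked = [], []
    for line in text.splitlines():
        m = TRUSTED_RE.search(line)
        if m and m.group(1) not in subjects:
            subjects.append(m.group(1))
        m = BLOCKED_RE.search(line)
        if m and m.group(1) not in blocked:
            blocked.append(m.group(1))
    return subjects, blocked


def generalize_path(path):
    """Wildcard the user-profile and version folders, keep the EXE name."""
    parts = path.split("\\")
    for i in range(1, len(parts) - 1):          # never touch drive or file name
        if parts[i - 1].lower() == "users" and i == 2:
            parts[i] = "*"
        elif VERSION_DIR_RE.match(parts[i]):
            parts[i] = "*"
    return "\\".join(parts)


if __name__ == "__main__":
    subjects, blocked = parse_filter_log(SAMPLE_LOG)
    print("Subject names:", subjects)
    for p in blocked:
        print(p, "->", generalize_path(p))
```

Review each generated pattern before adding it to a policy: a path entry applies to whatever executable sits at a matching path, so for a signed application the subject name entry is the narrower choice.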