Detection False-Positive May Occur Due to IPS (Intrusion Prevention Systems)

Version 2

    Symptoms

     

    You notice a patch or patches detected as missing in Protect, but failing to install. Manually running the patch throws a 'not applicable to this computer' message.

     

    AND

     

    Protect's scan log (HF.log) shows messages like the following in the file-detection logging for the patch:

    2014-10-30T17:54:10.2601591Z 0698 W PatchTest.cpp:1235 Unable to open file '\\1.1.1.1\C$\Program Files\FOLDER\file.DLL': 64.

    2014-10-30T17:54:10.2757841Z 0698 V PatchTest.cpp:1272 File '\\1.1.1.1\C$\Program Files\FOLDER\file.DLL' error: 5.

     

    Cause

     

    Error 5 indicates that access is denied. Because Protect cannot read the file, it cannot confirm the file version, so it reports the patch as missing.

     

    A security device or software such as an IPS (Intrusion Prevention System) is preventing access to a file or files that Protect needs to be able to read to determine if a patch is considered missing or installed.

     

    Another possibility is that the account performing the scan does not have access to the file(s). Ensure that permissions to specific files/folders have not been limited for the account.
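
To find every file affected by this condition, the HF.log can be scanned for the two message shapes shown under Symptoms. The following is an added example, not Shavlik's own code: the function names are hypothetical, it assumes log lines follow the two formats quoted above, and every sample line after the first two is constructed.

```python
import re
from collections import defaultdict

# The two HF.log line shapes quoted in the article:
#   ... Unable to open file '<UNC path>': <code>.
#   ... File '<UNC path>' error: <code>.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+\S\s+PatchTest\.cpp:\d+\s+"
    r"(?:Unable to open file '(?P<p1>[^']+)': (?P<c1>\d+)"
    r"|File '(?P<p2>[^']+)' error: (?P<c2>\d+))\.?\s*$"
)
UNC_HOST_RE = re.compile(r"^\\\\([^\\]+)\\")
ACCESS_DENIED = 5  # per the article: error 5 means access is denied

# First two lines are the article's; the rest are constructed sample data.
SAMPLE_LOG = r"""
2014-10-30T17:54:10.2601591Z 0698 W PatchTest.cpp:1235 Unable to open file '\\1.1.1.1\C$\Program Files\FOLDER\file.DLL': 64.
2014-10-30T17:54:10.2757841Z 0698 V PatchTest.cpp:1272 File '\\1.1.1.1\C$\Program Files\FOLDER\file.DLL' error: 5.
2014-10-30T17:54:11.1000000Z 0698 V PatchTest.cpp:1272 File '\\10.0.0.7\C$\Windows\System32\example.dll' error: 5.
2014-10-30T17:54:11.2000000Z 0698 V PatchTest.cpp:1272 File '\\10.0.0.7\C$\Windows\System32\other.dll' error: 2.
2014-10-30T17:54:12.0000000Z 0698 I Scan.cpp:10 constructed unrelated line
"""

def parse_line(line):
    """Return ts, host, path and code for a file-detection line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("p1") or m.group("p2")
    code = int(m.group("c1") or m.group("c2"))
    host = UNC_HOST_RE.match(path)
    return {"ts": m.group("ts"), "host": host.group(1) if host else None,
            "path": path, "code": code}

def access_denied_by_host(lines):
    """Map each scanned host to the sorted files Protect could not read (error 5)."""
    denied = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["code"] == ACCESS_DENIED:
            denied[rec["host"]].add(rec["path"])
    return {host: sorted(paths) for host, paths in denied.items()}

def codes_by_file(lines):
    """Map each file path to every error code logged for it, for triage context."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        seen[rec["path"]].add(rec["code"])
    return {path: sorted(codes) for path, codes in seen.items()}
```

The per-host list of unreadable files is what to compare against IPS block events and the scan account's file permissions when working through the resolution steps.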

     

    Resolution

     

    Ensure that you are meeting all Scanning Prerequisites.

     

    Investigate the access issue with your security team to ensure that access to systems or files is not being blocked. Change any rules within your security software or devices to allow access from the Protect console system to read all files on all machines being scanned.

     

    Additional Information

     

    Solution Center for Access Denied Error Messages

     

    Affected Product(s)

     

    Shavlik Protect 9.x