Remote Sessions Not Disconnecting When SEB Service Mode is Enabled On Windows (SEB Version 3.8.0.742) #991

Open
FeHuynhVI opened this issue Oct 8, 2024 · 9 comments
Labels: information required (This issue lacks information or requires feedback.); stale (This issue had no recent activity and will thus soon be closed.)

Comments

@FeHuynhVI

The issue: when SEB Service mode is enabled, remote sessions do not automatically disconnect. Typically, when certain security or session management features like SEB (Safe Exam Browser) are activated, remote sessions are expected to be disconnected to prevent unauthorized access. However, in this case, even with SEB Service enabled, remote sessions continue to run instead of being disconnected, which could create a security vulnerability or compromise exam monitoring procedures.

image

@dbuechel
Member

dbuechel commented Oct 9, 2024

Could you please share the service log(s) of the affected session(s) and elaborate on which software you're using exactly?

@dbuechel added the "information required" label on Oct 9, 2024
@FeHuynhVI
Author

Portable software can bypass prohibitions. I tried blocking it by name and process, but it didn't work.
image
image
SEB Service is still active:
image

AnyDesk (3).exe.zip
These are the log zips:
Logs.zip

@dbuechel
Member

It appears that you're using kiosk mode Disable Explorer Shell. By default and especially when experiencing issues with screen recordings or remote sessions, we recommend using Create New Desktop.

With respect to the logs resp. portable application: Could you please specify which session / logs in particular recorded the issue? Apart from that, do make sure that you've configured the prohibited application correctly (e.g. AnyDesk (3).exe and not just AnyDesk.exe).

@FeHuynhVI
Author

FeHuynhVI commented Oct 20, 2024

@dbuechel Thank you for your feedback.
These are the specific log files:
2024-10-20_12h10m41s_Browser.log
2024-10-20_12h10m41s_Client.log
2024-10-20_12h10m41s_Runtime.log
2024-10-20_12h10m41s_Service.log

Previously, we also used the Create New Desktop mode, but it still didn't prevent remote desktop access, so we experimented with the Disable Explorer Shell mode, but it still didn't block it.

I think AnyDesk (3).exe and AnyDesk.exe are not the issue because AnyDesk (3).exe is a portable app, and users can simply rename it to bypass the prohibition.

@dbuechel
Member

The only issue I can see in that particular session is that SEB appears to have some trouble terminating the following prohibited applications (though they appear to be terminated successfully in the end):

2024-10-20 12:11:07.815 [18] - WARNING: [ApplicationMonitor] Process 'Zalo.exe' (4692) belongs to blacklisted application 'Zalo.exe'!
2024-10-20 12:11:07.816 [18] - DEBUG: [Process 'Zalo.exe' (4692)] Attempting to close process...
2024-10-20 12:11:07.819 [18] - WARNING: [Process 'Zalo.exe' (4692)] Failed to send close message to main window!
[...]
2024-10-20 12:11:08.352 [18] - WARNING: [ApplicationMonitor] Process 'msedge.exe' (4548) belongs to blacklisted application 'msedge.exe'!
2024-10-20 12:11:08.352 [18] - DEBUG: [Process 'msedge.exe' (4548)] Attempting to close process...
2024-10-20 12:11:08.356 [18] - WARNING: [Process 'msedge.exe' (4548)] Failed to send close message to main window!

And with respect to the portable executable, SEB needs to know at least one of the following aspects of a prohibited application, otherwise it cannot attempt to terminate it: Executable name, original name of the executable and signature of the executable.

@FeHuynhVI
Author

Portable files can be modified, making them difficult to identify. Do you have any solutions for this issue?

@FeHuynhVI
Author

image
Can you guide me on the location for digital signature validation? If not, I suggest adding this feature.

@dbuechel
Member

dbuechel commented Nov 7, 2024

> Do you have any solutions for this issue?

Unfortunately not, because as you said, the files can easily be altered resp. renamed.

We already verify the signature for permitted applications (see Applications > Signature), but cannot use it for prohibited applications because SEB would then try to terminate all applications which have been signed with the same certificate (which in the case of e.g. Microsoft would most definitely lead to a system crash, if not worse).
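
Added example (not part of the thread and not SEB code): a small Python model of the three identifiers named above (executable name, original name, signature), run over constructed process records. It shows why a rule on the executable name misses a renamed copy, why a rule on the original name still follows the binary, and why a signer-based rule for a prohibited application hits every process signed with the same certificate. The `Rule` shape, the signer strings and the original-name values are assumptions made for the illustration.

```python
# Added illustration, not SEB code. Every record and name below is constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Proc:
    pid: int
    image_name: str               # file name on disk; a user can rename it
    original_name: Optional[str]  # original name recorded in the executable
    signer: Optional[str]         # subject of the signing certificate

@dataclass(frozen=True)
class Rule:                       # hypothetical shape, not SEB's settings schema
    executable: Optional[str] = None
    original_name: Optional[str] = None
    signer: Optional[str] = None

def _same(a: Optional[str], b: Optional[str]) -> bool:
    return a is not None and b is not None and a.casefold() == b.casefold()

def matches(rule: Rule, p: Proc) -> bool:
    """True if any identifier the rule specifies equals the process's value."""
    return (_same(rule.executable, p.image_name)
            or _same(rule.original_name, p.original_name)
            or _same(rule.signer, p.signer))

def hits(rule: Rule, procs: list) -> list:
    return sorted(p.pid for p in procs if matches(rule, p))

PROCS = [
    # One remote-access tool under three file names (same binary, renamed).
    Proc(100, "AnyDesk.exe", "AnyDesk.exe", "Example Remote Vendor"),
    Proc(101, "AnyDesk (3).exe", "AnyDesk.exe", "Example Remote Vendor"),
    Proc(102, "notes.exe", "AnyDesk.exe", "Example Remote Vendor"),
    # A prohibited browser and two system processes sharing one certificate.
    Proc(200, "msedge.exe", "msedge.exe", "Example OS Vendor"),
    Proc(201, "explorer.exe", "explorer.exe", "Example OS Vendor"),
    Proc(202, "svchost.exe", "svchost.exe", "Example OS Vendor"),
]

BY_NAME = Rule(executable="AnyDesk.exe")         # misses the renamed copies
BY_ORIGINAL = Rule(original_name="AnyDesk.exe")  # follows the binary across renames
BY_SIGNER = Rule(signer="Example OS Vendor")     # meant for msedge.exe, hits all three

if __name__ == "__main__":
    for label, rule in (("name", BY_NAME), ("original", BY_ORIGINAL), ("signer", BY_SIGNER)):
        print(f"{label:9} -> {hits(rule, PROCS)}")
```
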


github-actions bot commented Dec 6, 2024

This issue is stale because it has been open for 28 days with no activity. It will soon be closed automatically if there are no updates.

@github-actions bot added the "stale" label on Dec 6, 2024