After analyzing the release notes of RES WM 2011 SR2/SR3, we decided to upgrade our customer site from RES WM SR1. As usual the upgrade went very smooth and seemed like a walk in the park.
A couple of days after the upgrade to SR3 we suddenly received a lot of support calls regarding blocked applications. We noticed that the AppGuard log was full of processes being blocked. This was quite strange because no new applications were deployed in the last couple of weeks.
Prior to SR2 the authorized process name field could only contain 15 characters. A long filename like “LongProcessName.exe” was registered as “LongProcessName”. No options were available to change this.
We noticed that all the blocked processes were now being blocked using their full name, “LongProcessName.exe”. When we authorized this process or added an asterix (*) to the current AppGuard entry, everything was back in working order.
After some investigation by RES Support we were informed that the AppGuard Driver, which is mainly responsible for the Security Management has been redesigned in SR2. The positive side of the redesign is a more efficient process. The “negative side” (during an upgrade) is the process name field can now contain the full process “LongProcessName.exe”. And because the process “LongProcessName” was authorized to start Explorer.exe, but not “LongProcessName.exe” applications failed to start.
As mentioned before we added an astrix (*) to the process name within SR2,as a quick workaround:
The correct way would be to use the full process name, but it could take some time to find all exact and correct process names.
The issue is reported to Res Support and they made it clear that this would be passed on to their R&D department.