Monday, May 6, 2013

Websense endpoint, Stealth <> UI


Greetings, Websense lovers.

As a first post, let me share a trick for Websense Data Security Endpoint management. Websense Data Security is a pretty new product from the company (a conclusion drawn from analysing its architecture).
As you may know, the Endpoint (client version) can be used in two ways.
UI – with a user interface, meaning a tray icon is available to the user.
Stealth – hides everything, meaning no logs (assuming the user isn't able to read through the crazy debug file), no pop-ups, etc.

Stealth mode is sometimes very useful, but in real production it raises more questions than UI mode.
It has no options to temporarily disable blocking, check versions, or view profile or server info, and even troubleshooting is a headache.


At first glance, switching between modes looks like a quick solution, but the documentation gives you only the package builder, which lets you have 2 packages. Uninstalling and then installing the package for the proper mode sounds weird.

Let's look closer at the part of the registry that the Websense endpoint uses.

HKLM\Software\Websense\Agent

Interesting: the InstallStartMenu value, set to 0. Very interesting.

Change it to 1 and voilà: UI mode.

But it isn't so simple. This part of the registry is protected. A little investigation shows that we have 2 problems here: we have to stop the endpoint using wdeutil, and re-apply proper security on the entire key in the registry.

Somebody may ask why we are not using Wdeutil -set DisableAntiTampering=true

The answer is very simple: because it doesn't work 100% of the time, believe me. (50/50 you get the same lovely message, Access denied. I have found a solution here, but this headache is for Websense.) And the last, most important part: you have to restart the service, because the application state is checked during initialization. (No changes on screen without a reboot, weird.)


Time for scripting. (Please create a troubleshoot1.cmd file.)

1) Stop Websense from protecting itself.

"C:\Program Files\Websense\Websense Endpoint\wdeutil" -stop all

Don't forget to add the password option, if you have one.

2) Now we need to change the owner of the Websense registry key and assign proper permissions, in our case to any user in the local Administrators group. We will be using the setacl utility (thanks to Helge Klein for that).

setacl -on "HKLM\Software\Websense\Agent" -ot reg -actn setowner -ownr "n:Administrators"
setacl -on "HKLM\Software\Websense\Agent" -ot reg -actn ace -ace "n:Administrators;p:full"

3) Finally, we can replace the value of InstallStartMenu.

reg add "hklm\Software\Websense\Agent" /f /v InstallStartMenu /t REG_SZ /d 1

4) The last part brings everything back online.

"C:\Program Files\Websense\Websense Endpoint\wdeutil" -start all

The Endpoint icon should now appear in the tray.

In addition, setacl has 32-bit and 64-bit versions; you have to choose the proper one and put it in the same folder as troubleshoot.cmd.
Sorry, I wasn't using the subinacl utility; I had issues where the permissions basically were not changing. To revert everything, you need to replace 1 with 0 in the 3rd step.
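
Reverting step 3 restores the value, but the owner and permissions set in step 2 stay as changed. The PowerShell script below records the key's value, owner and security descriptor before the procedure and compares them afterwards. It is an added example, not part of the original post or of Websense tooling; the script parameters and the snapshot file name are assumptions, and it has to be run from an elevated prompt.

```powershell
# Added example: snapshot / compare the state of the Websense Agent registry key.
# Key path and value name come from the post; everything else is an assumption.
param(
    [ValidateSet('Save', 'Compare')]
    [string]$Mode = 'Save',
    [string]$SnapshotPath = '.\websense-agent-key.json'   # hypothetical file name
)

$KeyPath = 'HKLM:\Software\Websense\Agent'

function Get-AgentKeyState {
    # Read the mode value plus the key's owner and security descriptor (SDDL).
    # -ErrorAction Stop: an "Access denied" here is itself a finding worth seeing.
    $acl   = Get-Acl -Path $KeyPath -ErrorAction Stop
    $value = Get-ItemProperty -Path $KeyPath -Name InstallStartMenu -ErrorAction Stop
    [pscustomobject]@{
        InstallStartMenu = [string]$value.InstallStartMenu
        Owner            = $acl.Owner
        Sddl             = $acl.Sddl
    }
}

$current = Get-AgentKeyState

if ($Mode -eq 'Save') {
    # Run this before step 1 so the original owner and ACL are on record.
    $current | ConvertTo-Json | Set-Content -Path $SnapshotPath -Encoding UTF8
    "Saved: InstallStartMenu=$($current.InstallStartMenu), owner=$($current.Owner)"
}
else {
    # Run this after step 4, or after reverting the value, to see what still differs.
    $saved = Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json
    foreach ($name in 'InstallStartMenu', 'Owner', 'Sddl') {
        if ("$($saved.$name)" -ne "$($current.$name)") {
            "CHANGED  $name"
            "  before: $($saved.$name)"
            "  after:  $($current.$name)"
        }
        else {
            "same     $name"
        }
    }
}
```

The saved SDDL string is also the reference to use if the original owner and permissions need to be put back on the key.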

Regards,
Aleh Vaitsiuk
