Processes attempting to "modify" CSA process

tsteger1 Wed, 02/13/2008 - 12:49

Hello Michael,

Which rule is your rule 700? Is it an Agent Service Control?

Rule 700 is probably different for every CSA install after the first hotfix application (I don't even have a rule 700).

It may be you just need to exclude some application classes from logging in the agent protection rule.

Tom



Hi Tom - Yes, it is an Agent Service Control rule with description of "All applications (except virus scanners and installers), modify agent configuration".

I realize I could go ahead and exclude these apps from the rule, but am also trying to figure out why Virtual PC and Cisco's own VPN client would try to access/modify CSA processes.

Thanks.

tsteger1 Wed, 02/13/2008 - 16:27

Hi Michael,

I see several applications that try to read all files, hit the files in the CSA folder and trigger the rules.

Adobe Updater (acroaum.exe), cleanmgr.exe and findfast.exe (yes, findfast) are a few that come to mind.

I can't tell you why most of them do it.

Tom

milee1420 Thu, 02/14/2008 - 07:38

Thanks Tom. Did you have to create any exceptions for these for the apps to work properly? We're still in test mode so trying to see what impact each of the events will have.

tsteger1 Thu, 02/14/2008 - 10:26

I either allowed it, had them uninstall it if it was unnecessary software (like findfast) or created an event suppression filter.

I didn't see any impact on apps if they didn't have access.

Try protect mode on a few hosts and see what happens.

Tom
