CSA Poison Pill

Unanswered Question
Jun 2nd, 2008

I have to create a Poison Pill where CSA can essentially disable a system to the point that it is unusable and not recoverable.

I know there are several rules that can possibly do this by themselves, but I was wondering what would be the most effective where the system would have to be re-imaged in order to make it usable again.

I am running V5.0.0.229 agent on XP images.

I was thinking of not allowing services.exe to run anything.

What would you recommend?

Thank you,

tsteger1 Tue, 06/03/2008 - 09:57

There may be a way to do this with less drastic measures but first, a couple of questions:

How would CSA enforce security if CSA was unable to run?

Do you prevent booting into safe mode?


dkthomas Wed, 06/04/2008 - 15:03

Well... that is a good question...

I was about to try that on a laptop just to see what happens... But as you pointed out, if the service can't start CSA... then CSA couldn't apply the rules...

But then again... would the system start CSA but stop everything else from starting after CSA started once the rules are applied?

Anyway, the answer to your second question: Booting into safe mode has not been disabled.

Which brings me back to my question: What would be the most effective method to disable a system?

Or does booting into SafeMode allow bypassing all of the CSA rules?

tsteger1 Thu, 06/05/2008 - 10:25

I guess you should determine why you are doing this before you choose a what and how.

If you simply want to disable a system to protect other systems, the network quarantine feature should work.

If you want to make it so a system that triggers certain rules should be disabled so that no changes can be made to it, there are ways to do that too.

You would still be able to return the system to a functioning state from the MC without reimaging it.

CSA needs the system functioning in order to be effective at enforcing rules.

Booting into safe mode will bypass CSA but there are ways to disable that as well.


TradeSecrets Thu, 06/26/2008 - 11:51

Hi Dk,

Create a group that doesn't allow any communication. CSA has a firewall built in.

Have the group priority deny any connection. Also play with the priority terminate.

What is the reason for this group?

