Protecting the ACS service with SEP

ACS information for protection by SEP

The following information is from a Windows 7 32-bit installation.

Files:

  • File locations may change with other operating systems and versions (for example x64), but the file names, extensions, and the first one or two directory names up the chain from the files stay the same
    • Win XP (instead of ProgramData it will be under \Documents and Settings\All Users)
    • \ProgramData\Symantec\AltirisAgent\ [Filehashcache.db and processcache.db]
    • \ProgramData\Symantec\AltirisAgent\Clientitems*_CIC.db
    • \Program Files\Altiris\Altiris Agent\Agents\ApplicationControl\ [all files in this directory]

Registry:

  • There are many, many registry locations created when ACS installs, mainly due to class registration.  The class registrations are not listed here because of their number.  They are required (the product will likely break if any of those keys or values are deleted or changed) but are probably too numerous to list for protection.  If required they can be listed, but that will take additional work.
  • Also, a path below may point to a key or to a value.  If it points to a key, all values under that key should be protected.
    • HKLM\Software\Altiris\Altiris Agent\Plugin Objects\Agents\ [all of the following: Altiris ACAgent, File Inventory Agent, File inventory Task Agent, File Scan Task Agent, MSI Inventory Task Agent, Resource Discovery Agent, Resource Discovery Task Agent]
    • HKLM\Software\Classes\ [56+ classes; probably too many to worry about, as mentioned above]
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{AAABB...} [Arellia*]
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\EnableShellExecuteHooks
    • HKLM\System\CurrentControlSet\Services\ [ArelliaACDrv and ArelliaACSvc]

ACS Service:

  • The ACS service depends on the following services:
    • RPCSS
    • CryptSvc
    • Symantec Management Agent
      • For receiving new or updated policies
      • Sending feedback to the server
      • For task execution
      • Logging
      • User Notification Message(s)
  • However, rules that have already been received and are currently applicable (they are stored locally in the Client Item cache) are applied by the ACS service regardless of the state of the Symantec Management Agent.
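As an added example (not from the original page and not Symantec's or Arellia's own tooling), the PowerShell script below audits the files, registry locations and services listed in the three sections above on a client, so the SEP protection rules can be checked against what is actually present on the machine before and after they are applied. Names are taken literally from the page (Windows 7 32-bit); the WOW6432Node and Program Files (x86) lookups are assumptions for a 32-bit agent on x64, and the Symantec Management Agent is looked up by display name because the page gives no service name for it.

```powershell
# Added example (not from the original page): audit script that checks whether the
# ACS files, registry locations and services listed above are present and healthy.
# Assumptions: names exactly as the page lists them for Windows 7 32-bit; on x64 the
# 32-bit locations (Program Files (x86), WOW6432Node) are tried as well.
# Requires Windows PowerShell 3 or later; run elevated.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Category, [string]$Item, [string]$Status) {
    $findings.Add([pscustomobject]@{ Category = $Category; Item = $Item; Status = $Status })
}

# --- Files: page-listed locations, resolved from environment variables ---
$dataDir = Join-Path $env:ProgramData 'Symantec\AltirisAgent'
$fileChecks = @(
    (Join-Path $dataDir 'Filehashcache.db'),
    (Join-Path $dataDir 'processcache.db'),
    (Join-Path $dataDir 'Clientitems*_CIC.db')          # wildcard: one file per client item
)
foreach ($pf in @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }) {
    $fileChecks += Join-Path $pf 'Altiris\Altiris Agent\Agents\ApplicationControl\*'
}
foreach ($p in $fileChecks) {
    Add-Finding 'File' $p $(if (Test-Path -Path $p) { 'present' } else { 'MISSING' })
}

# --- Registry: plug-in agent entries, the Explorer hook and the hook policy ---
$pluginAgents = @('Altiris ACAgent', 'File Inventory Agent', 'File inventory Task Agent',
                  'File Scan Task Agent', 'MSI Inventory Task Agent',
                  'Resource Discovery Agent', 'Resource Discovery Task Agent')
foreach ($root in @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')) {
    $agentsKey = Join-Path $root 'Altiris\Altiris Agent\Plugin Objects\Agents'
    if (Test-Path $agentsKey) {
        $valueNames = (Get-ItemProperty -Path $agentsKey).PSObject.Properties.Name
        foreach ($agent in $pluginAgents) {
            # the page notes an entry may be a subkey or a value; accept either form
            $found = (Test-Path (Join-Path $agentsKey $agent)) -or ($valueNames -contains $agent)
            Add-Finding 'Registry' "$agentsKey\$agent" $(if ($found) { 'present' } else { 'MISSING' })
        }
    }
    $hooksKey = Join-Path $root 'Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    if (Test-Path $hooksKey) {
        # the page gives the hook only as {AAABB...} [Arellia*], so match on the value data
        $hooks = (Get-ItemProperty -Path $hooksKey).PSObject.Properties |
                 Where-Object { $_.Name -like '{*}' -and "$($_.Value)" -like 'Arellia*' }
        Add-Finding 'Registry' "$hooksKey (Arellia hook)" $(if ($hooks) { 'present' } else { 'MISSING' })
    }
}
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policy = Get-ItemProperty -Path $policyKey -Name EnableShellExecuteHooks -ErrorAction SilentlyContinue
Add-Finding 'Registry' "$policyKey\EnableShellExecuteHooks" `
    $(if ($policy) { "value=$($policy.EnableShellExecuteHooks)" } else { 'not set' })

# --- Services: ACS service and driver, plus the dependencies the page lists ---
foreach ($name in @('ArelliaACSvc', 'ArelliaACDrv')) {
    # Win32_BaseService covers both Win32 services and kernel drivers
    $svc = Get-CimInstance -ClassName Win32_BaseService -Filter "Name='$name'"
    Add-Finding 'Service' $name $(if ($svc) { "$($svc.State) (start: $($svc.StartMode))" } else { 'MISSING' })
}
foreach ($dep in @('RpcSs', 'CryptSvc')) {
    $svc = Get-CimInstance -ClassName Win32_BaseService -Filter "Name='$dep'"
    Add-Finding 'Dependency' $dep $(if ($svc) { $svc.State } else { 'MISSING' })
}
# the page names the management agent by display name only, so look it up that way;
# cached rules still apply when it is down, but policy updates, feedback, tasks and logging do not
$sma = Get-Service -DisplayName 'Symantec Management Agent' -ErrorAction SilentlyContinue
Add-Finding 'Dependency' 'Symantec Management Agent' $(if ($sma) { "$($sma.Status)" } else { 'MISSING' })
# what the service itself declares it depends on, for comparison with the list above
$declared = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\ArelliaACSvc' `
             -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
if ($declared) { Add-Finding 'Dependency' 'ArelliaACSvc DependOnService' ($declared -join ', ') }

$findings | Format-Table -AutoSize
if ($findings | Where-Object { $_.Status -eq 'MISSING' }) { exit 1 }
```

Running the script once before the SEP application-control and tamper-protection rules are deployed and again afterwards gives a quick way to confirm that the rules cover every listed artifact without having blocked the product's own files, keys or services; the non-zero exit code lets it be scheduled as a compliance task.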

Communication:

  • ACS depends on the same communication ports as the Symantec Management Agent uses (typically 80 [HTTP]).

Policy application by AD Security Group:

  • Depends on the Arellia Directory Services Solution being able to sync with AD.
  • Depends on the client machine being able to contact AD to look up memberships the first time (they are then cached for offline operation) and to check for any subsequent updates.