02-10-2005 11:43 AM - edited 03-10-2019 01:16 AM
Good day to all!
I get quite a few Alerts on our VMS for CSAs that show the ...\system32\services.exe attempting to Open and Read/Write the ACL information on CSA application files - i.e., csacenter_2k.sys, agentinfo.exe, csafilter.dll, etc.
I believe it is caused by the GPO being pushed and file ACLs being set when a machine/user logs onto the machine, but I haven't validated that thought process as yet. I see it happening primarily with the services.exe application as the NT AUTHORITY\SYSTEM user. Is there a way to "filter" this activity without essentially telling CSA that SERVICES.EXE can do what it pleases? I know I could create a CSA_FILESET that describes which files belong to the CSA - but as it is - where would I find a reference document that lists those files?
My real concern here, of course, is ensuring that I don't end up filtering out real events.
Any comments? Thanks all.
02-10-2005 01:48 PM
I am having the same problem with Winlogon. So I have the following question about both Services.exe and Winlogon: what is the purpose of winlogon and services, and what would happen if it was not allowed?
TESTMODE: The process 'C:\WINNT\system32\winlogon.exe' (as user NT AUTHORITY\SYSTEM) tried to rename to the file 'C:\WINNT\system32\dllcache\psapi.dll'. This would have caused the user to be prompted as to the action to take.
02-10-2005 01:59 PM
Actually, I have the same problem with winlogon.exe too -- just figured to chase one ghost at a time.
hps
02-18-2005 09:40 AM
I recommend the latest build, 736, which finally corrects the Winlogon false positives.