Symantec Endpoint eats Cisco security agent leventmgr.exe

Rene Rolsted · ‎01-16-2012

This is only for info.

I was pretty sure that the CSA even protected themselves.

I assumed that the CSA did not give Symantec access to put the files that belong to the CSA in quarantine

We have run CSA and Symantec AV for almost 6 years.

On all our workstations / laptops

running with CSA as behavioral protection and Symantec for AV protection.

Now symantec started in their version 12.1 begun SONAR little as Cisco Sensor Base.

But now, Symantec don't trust CSA see my CSA log from CSA MC

The 'Symantec AntiVirus' service logged event code 51 into the application event log:

Security Risk Found!SONAR.ProcHijack!gen1 in File: c:\program files\cisco\csagent\bin\leventmgr.exe by: SONAR scan. Action: Reboot Required. Action Description: The file was quarantined successfully.

At 5 workstations I've got this event and the problem with this
is that CSA is not very active, however it has its system state but there is no log in the local log and there will not be sent logs to CSA MC and CSA MC sees these PCs as inactive in the CSA MC

I've now got the antivirus people believe, to trust CSA leventmgr.exe in symantec

rhermes · ‎01-16-2012

I believe Cisco has abdononed CSA. It is no longer in CSM 4.x

I usualy had to turn it off to get any work om my CSM server done. Sorry to hear you still have to fight these battles.

I'm glad it's gone.

- Bob

Rene Rolsted · ‎02-01-2012

I do not think that we've had major challenges with CSA.

It is complex and can be many things in the CSA.

I would still argue that no other endpoint protection is on par with Cisco security agent, but I am not happy that Symantec can put a CSA file as leventmgr.exe quarantined.