Data Center Security

 View Only
  • 1.  With the help of DCS:SA , how can I block unauthorized uninstllation of applications from my server

    Posted Mar 15, 2018 03:13 AM

    Hi All,

    We have a DCS: SA setup for some 100 servers below are the setup information:

    • Majority of the servers are protected with IPS profile.
    • The built-in windows entry point protection policy is being used all windows servers.
    • The pivot-table method is used for application whitelisting.

    Below are the challenges:

    • We have to prevent the uninstallation of whitelisted application.
    • Same time some users need to have the privileges to uninstall.
    • We have run a test uninstallation of a couple of application and monitored what events are triggered like which file, process is executed while uninstallation. This had helped us to create the common rule to stop uninstallation, most of the installation and uninstallation will use MS msiexec.exe in backend process to start a process, however, it won’t be the case with all but most of it. 

    Below steps also we have tried.

    • Create an application rule for C:\Windows\System32\msiexec.exe and route it to Deny sandbox.
    • Create a rule within Global policy options, so that no user or program has access to
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall

    But all those are not a satisfying the exact requirement, Requesting your help to overcome this issue.

     

    Thank & Regards

    Liju Raju



  • 2.  RE: With the help of DCS:SA , how can I block unauthorized uninstllation of applications from my server
    Best Answer

    Posted Mar 27, 2018 10:50 AM

    How about using the "Block all Access to the following processes" option, and fill it out with the below:

    Program path: msiexec

    Arguments: /x <Product_Code_of_your_Whitelisted_Application>

    This should prevent anyone from uninstalling your app, while still allowing access to msiexec for other purposes.



  • 3.  RE: With the help of DCS:SA , how can I block unauthorized uninstllation of applications from my server

    Posted Mar 24, 2020 04:55 PM
    can u give some example for product code


  • 4.  RE: With the help of DCS:SA , how can I block unauthorized uninstllation of applications from my server

    Posted Mar 31, 2020 11:09 AM
    Symantec DCS Agent:

    MsiExec.exe /X{3D24482F-98BD-48DD-AA62-8B24BFDE7329}