How to disable the File Integrity Monitoring (FIM) driver in Symantec Critical System Protection (SCSP) for Windows & AIX

Article:HOWTO58603  |  Created: 2011-08-01  |  Updated: 2015-02-11  |  Article URL http://www.symantec.com/docs/HOWTO58603
Article Type: How To



Set the "Enable Filewatch Filter" parameter to 0 in the LocalAgent.ini file, then restart the IDS daemon.

This procedure applies only to 5.2.6 (or later) SCSP agents running on Windows systems:

Manual procedure:

  • Stop the SCSP IDS Agent

  • Edit the LocalAgent.ini file (default location C:\Program Files\Symantec\Critical System Protection\Agent\IDS\system\LocalAgent.ini), as follows:

    Change "Enable Filewatch Filter=1" (the default) to "Enable Filewatch Filter=0"

Note: This setting is the last entry under the "[File Collector]" section.

LocalAgent.ini: (Default setting)

#Enable Filewatch Filter=1                   #Use the Filewatch filter driver

LocalAgent.ini: (New setting)

Enable Filewatch Filter=0                   #Use the Filewatch filter driver

  • Start the SCSP IDS Agent. After the IDS agent is restarted, it skips opening and initializing the real-time SCSP FIM driver and reverts to the legacy behavior of polling the filesystem(s) for changes to the file paths defined in the IDS policies.
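As an added example (not part of the article or of the SCSP product), a small Python helper that performs the manual edit above on LocalAgent.ini text and reads back the value the agent will use, handling the default case where the key line is commented out with a leading "#" and carries a trailing comment. The INI content is a constructed sample, and the key and section names are the ones given in the article.

```python
import re

# Constructed sample of the relevant part of LocalAgent.ini (not a dump of a real agent file).
SAMPLE_INI = """[Agent]
Name=host1

[File Collector]
Poll Interval=300
#Enable Filewatch Filter=1                   #Use the Filewatch filter driver
"""

SECTION = "[File Collector]"
KEY = "Enable Filewatch Filter"
# Matches the key line whether or not it is commented out; group 2 keeps any trailing comment.
_KEY_RE = re.compile(r"^\s*#?\s*Enable Filewatch Filter\s*=\s*(\d+)\s*(#.*)?$")


def _section_bounds(lines):
    """Return the (start, end) indexes of the lines inside the [File Collector] section."""
    start = next((i + 1 for i, l in enumerate(lines) if l.strip() == SECTION), None)
    if start is None:
        raise ValueError(f"{SECTION} section not found")
    end = start
    while end < len(lines) and not lines[end].lstrip().startswith("["):
        end += 1
    return start, end


def effective_filewatch_filter(text):
    """Value the agent will use: an active key line wins; a commented or missing line means the default, 1."""
    lines = text.splitlines()
    start, end = _section_bounds(lines)
    for line in lines[start:end]:
        m = _KEY_RE.match(line)
        if m and not line.lstrip().startswith("#"):
            return int(m.group(1))
    return 1


def set_filewatch_filter(text, enabled):
    """Return the INI text with the key written as an active line (0 disables the RT-FIM driver)."""
    lines = text.splitlines()
    start, end = _section_bounds(lines)
    new_line = f"{KEY}={1 if enabled else 0}"
    for i in range(start, end):
        m = _KEY_RE.match(lines[i])
        if m:  # replace the existing (possibly commented-out) line, keeping its trailing comment
            lines[i] = new_line + (f"                   {m.group(2)}" if m.group(2) else "")
            return "\n".join(lines) + "\n"
    lines.insert(end, new_line)  # key absent: add it at the end of the section
    return "\n".join(lines) + "\n"
```

Running effective_filewatch_filter over the agent's file before and after the change is a quick audit of whether real-time FIM is still enabled on a host, independent of the driver state reported by the service control manager.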

Automated procedure:

The Symantec Critical System Protection (SCSP) IDS Agent configuration change can also be made from the SCSP Management Console by using the "CSP_Agent_Diagnostic" policy. This policy uses the csp_agent_mgmt.bat script and the sisipsconfig.exe utility to change the various configuration files and can optionally restart the SCSP processes. To disable real-time file monitoring with the “CSP_Agent_Diagnostic” policy, configure it as follows.

  • Create a new workspace policy from the “CSP_Agent_Diagnostic” for Windows

  • Configure the new workspace policy options

Note: Manually enter the value in the edit command section. Do not cut and paste from email!

Under the “Advanced agent settings” option:

  1. Check the box for “Edit configuration file” option
  2. Check the box for “Restart the IDS service after editing the configuration file” option
  3. Change the “Edit command” value to match the following string exactly:

LocalAgent.ini -section "File Collector" -name "Enable Filewatch Filter" -value 0

  • Push the policy to the SCSP Agent(s) where real-time file monitoring is to be disabled. When the agent receives the new policy it invokes the csp_agent_mgmt.bat file to change the LocalAgent.ini and then restarts the SCSP IDS Agent. An agent status event is forwarded to the console to indicate that the Configtool was successful, followed by another status event indicating that the IDS Agent was restarted.

  • Remove the policy from the SCSP Agent(s)

    To check the status of the driver, run "sc query SISIPSFilefilter". If the driver is stopped, RT-FIM is disabled on the agent.

This procedure applies only to 5.2 RU8 MP1 (or later) agents running on AIX systems:

RT-FIM can be disabled at any time from the command line for an AIX SCSP agent:

 su - sisips -c "./sisipsconfig.sh -rtfim off"

 

After disabling RT-FIM in this manner a reboot is required to fully unload the driver.

 

 

To disable Real-Time File Integrity Monitoring (RT-FIM) in Windows when using Symantec Data Center Security Server / Advanced 6.0+, follow the steps shown here:

 

1.  Log in to the Symantec Data Center Security Server Management Console

2.  Select "Configs"

3.  Select "Detection"

4.  Select the "Default Detection Parameters" configuration and click "Copy"

5.  Select the "Copy of Default Detection Parameters" configuration and click "Edit"

6.  Change the configuration name via the "General" tab if required

7.  Select the "Parameters" tab

8.  Un-check the following check box:

    - Enable Realtime File Monitoring


9.  Select "OK"

10.  Right-click on the new configuration and select "Apply"

11.  Select the Asset(s) you want to apply the configuration to and click "Apply"


For the above actions to take effect, the IDS service should be restarted on the target Asset(s). To do so, execute the steps outlined below.


12.  Select the “Assets” tab on the Symantec Data Center Security Server Management Console

13.  Select “Detection”

14.  Select the Asset(s) in question and select “Apply Policy”

15.  Select the “SDCSS_Agent_Diagnostics” policy and click “Next”

16.  Select “Edit Policy”

17.  Select “Diagnostic functions”

18.  Enable the “Select a function to run on the agent” option and then click “Edit [+]”

19.  Change the “Value” to “Restart the IPS Service” and click “OK”

20.  Select “Finish” to apply the policy
