How to disable the File Integrity Monitoring (FIM) driver in Symantec Critical System Protection (SCSP) for Windows & AIX

Article:HOWTO58603  |  Created: 2011-08-01  |  Updated: 2012-04-20  |  Article URL http://www.symantec.com/docs/HOWTO58603
Article Type
How To



Set "Enable Filewatch Filter" parameter value to 0 in localagent.ini file then restart IDS daemon.

This procedure applies only to 5.2.6 (or later) SCSP agents running on Windows systems:

Manual procedure

  • Stop the SCSP IDS Agent

  • Edit the LocalAgent.ini file (default location C:\Program Files\Symantec\Critical System Protection\Agent\IDS\system\LocalAgent.ini), as follows:

    Change "Enable Filewatch Filter=1" (Default), to "Enable Filewatch Filter=0"

Note: This setting is the last entry under the "[File Collector]" section.

LocalAgent.ini: (Default setting)

#Enable Filewatch Filter=1                   #Use the Filewatch filter driver

LocalAgent.ini: (New setting)

Enable Filewatch Filter=0                   #Use the Filewatch filter driver

  • Start the SCSP IDS Agent. After the IDS agent is restarted, the agent skips opening and initializing the real-time SCSP FIM driver and reverts to the legacy behavior of polling the filesystem(s) for changes to the file paths defined in the IDS policies.
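The manual edit above can be checked and applied from a script. The following is an added example written for this article, not a Symantec utility: it reads a constructed fragment of LocalAgent.ini (the surrounding keys are assumed), reports the effective value of "Enable Filewatch Filter" in the [File Collector] section, treating the commented-out line as the default of 1, and rewrites that line with a new value while leaving the rest of the file untouched.

```python
import re

# Constructed sample of LocalAgent.ini (keys other than the one this
# article covers are assumed). The setting is commented out, which the
# article describes as the default (driver enabled, value 1).
SAMPLE_INI = """[Agent]
Agent Name=host01

[File Collector]
Poll Interval=300
#Enable Filewatch Filter=1                   #Use the Filewatch filter driver

[Registry Collector]
Enable=1
"""

SECTION = "File Collector"
KEY = "Enable Filewatch Filter"
DEFAULT = 1  # effective value when the line is left commented out

def _in_section(lines, section):
    """Yield (index, line) for every line inside [section]."""
    inside = False
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            inside = s[1:-1].strip().lower() == section.lower()
            continue
        if inside:
            yield i, line

def filewatch_filter_value(ini_text):
    """Return the effective value (0 or 1) of 'Enable Filewatch Filter'.
    A leading '#' makes the whole line a comment, so the default applies;
    a trailing '#...' inline comment after the value is ignored."""
    pattern = re.compile(r"^\s*" + re.escape(KEY) + r"\s*=\s*([^#\s]+)", re.I)
    for _, line in _in_section(ini_text.splitlines(), SECTION):
        m = pattern.match(line)
        if m:
            return int(m.group(1))
    return DEFAULT

def set_filewatch_filter(ini_text, value):
    """Return ini_text with the key set to value inside [File Collector],
    replacing the commented-out default line if that is what is present."""
    lines = ini_text.splitlines(keepends=True)
    pattern = re.compile(r"^\s*#?\s*" + re.escape(KEY) + r"\s*=", re.I)
    new_line = f"{KEY}={value}                   #Use the Filewatch filter driver\n"
    for i, line in _in_section(lines, SECTION):
        if pattern.match(line):
            lines[i] = new_line
            return "".join(lines)
    raise ValueError(f"no '{KEY}' line found in [{SECTION}]")
```

Run filewatch_filter_value on the agent's real LocalAgent.ini after the change to confirm it reports 0 before restarting the IDS agent.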

Automated procedure:

The Symantec Critical System Protection (SCSP) IDS Agent configuration change can also be made from the SCSP Management Console by using the "CSP_Agent_Diagnostic" policy. This policy uses the csp_agent_mgmt.bat and sisipsconfig.exe utilities to change the various configuration files and can optionally restart the SCSP processes. To use the "CSP_Agent_Diagnostic" policy to disable real-time file monitoring, configure it as follows.

  • Create a new workspace policy from the “CSP_Agent_Diagnostic” for Windows

  • Configure the new workspace policy options 

 Note: Manually enter the value in the edit command section. Do not cut and paste from email! 

Under the “Advanced agent settings” option:

  1. Check the box for “Edit configuration file” option
  2. Check the box for “Restart the IDS service after editing the configuration file” option
  3. Change the “Edit command” value to match the following string exactly:

LocalAgent.ini -section "File Collector" -name "Enable Filewatch Filter" -value 0

  • Push the policy to the SCSP Agent(s) where real-time file monitoring is to be disabled. When the agent receives the new policy it invokes the csp_agent_mgmt.bat file to change the LocalAgent.ini and then restarts the SCSP IDS Agent. An agent status event is forwarded to the console to indicate that the Configtool was successful, followed by another status event indicating that the IDS Agent was restarted.

  • Remove the policy from the SCSP Agent(s)


This procedure applies only to 5.2 RU8 MP1 (or later) agents running on AIX systems:

RT-FIM can be disabled at any time from the command line for an AIX SCSP agent:

su - sisips -c "./sisipsconfig.sh -rtfim off"

After disabling RT-FIM in this manner a reboot is required to fully unload the driver.
