Why do I see two copies of each virtualized app in my (non-Altiris) inventory report?
Q:
Ray said, "we had some technical questions about Symantec’s Altiris Virtualization functionality. Some of our customers are doing internal inventories of their Adobe software but are finding that some installations may be unnecessarily double-counted. The customers think that their use of Altiris Virtualization may have an effect on this."
A:
Yes, Ray, that's probably because of SVS.
Short answer: Add the inventory agent's main executable to the SVS Ignore Process list, which is a Multi-String Value named "ProgramIgnoreList" located under HKLM\SYSTEM\Altiris\FSL\.
Here is the detailed answer:
This "double hit" problem is most likely because, when using SVS, virtualized files and registry keys are potentially visible in two places: A) their real, non-virtualized locations, inside the SVS redirect areas (e.g., C:\fslrdr\1 and HKLM\Software\fslrdr\1) and B) their virtual locations, which is where they are seen by the end user and executed from by the system (e.g., C:\Program Files\Adobe\
By default, the redirect areas are only hidden using the standard Windows "Hidden" attribute, which means any admin or system process (including an inventory agent) can see them. Recommended best practice, however, is to obfuscate the redirect areas completely so that only the SVS filter driver can see them. This is done with an agent setting that can be pushed at install time, or changed later either with a reg setting or in the SVS Control Panel applet (the "Hide Software Virtualization files and registry keys" option).
FYI, this default setting is largely "political" in that it was driven by the controversy around Sony and Symantec back in 2005, with their supposed "root kits" that hid things from the end user w/o their knowledge. So we chose to make the SVS redirect areas visible by default and to let the customers explicitly configure "redirect area obfuscation" (term borrowed from Fox Mulder).
However, there are two limitations when using redirect area obfuscation. First, you limit the options available to support techs who might be troubleshooting a problem with a virtualized app. Manually viewing and editing the redirect areas can be essential for tech staff (especially to change permissions, since we don't currently provide a permissions editor GUI for virtualized apps). Disabling the obfuscation requires local admin rights and a reboot. Second, it only works for the default redirect areas, and increasingly we have customers putting the physical files for their virtualized apps in different locations, not just all in C:\fslrdr.
So... The better solution is to put the inventory agent (and any other management agent that needs a real, neutral, non-virtualized view of the system, like anti-virus and security audit) on the SVS Ignore Process list. Executables in this list do not see the virtual locations of anything -- they only see the one, real copy in the redirect area. So, for example, what would normally be seen as C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe is seen by the management agent as something like C:\fslrdr\5\[_B_]PROGRAMFILES[_E_]\Adobe\Acrobat 7.0\Reader\AcroRd32.exe. This ensures two things: a) the inventory agent (or whatever the process is) only sees one copy of the application, and b) the application is seen whether or not it is active in SVS (if an app is de-activated in SVS, it will not be visible under C:\Program Files).
You can (and actually probably should, in most cases) combine redirect area obfuscation with a complete and proper Ignore Process list.
Editor's note: This applies to 3rd party inventory tools. The Altiris Inventory Solution agent is smart enough to handle this correctly w/o any config changes to SVS.
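To check an existing third-party inventory export for the "double hit" described above, the following added example (not part of the original post or of SVS) maps redirect-area paths back to their virtual locations and reports files counted from both views on the same host. It assumes the default C:\fslrdr redirect root and that the [_B_]PROGRAMFILES[_E_] token stands for C:\Program Files; the function names and sample rows are constructed for illustration.

```python
import re

# Assumed token-to-folder mapping; only the PROGRAMFILES token appears in the article.
TOKENS = {"PROGRAMFILES": r"C:\Program Files"}
# Default redirect root from the article: C:\fslrdr\<layer number>\[_B_]TOKEN[_E_]\...
REDIRECT = re.compile(r"^C:\\fslrdr\\(\d+)\\\[_B_\](\w+)\[_E_\]\\(.+)$", re.IGNORECASE)


def virtual_path(path):
    """Return (layer, virtual path) for a redirect-area path, else (None, path)."""
    m = REDIRECT.match(path)
    if not m:
        return None, path
    layer, token, rest = m.groups()
    base = TOKENS.get(token.upper())
    if base is None:  # unknown token: leave the row untouched rather than guess
        return None, path
    return int(layer), base + "\\" + rest


def find_double_counts(rows):
    """Report files that one host lists in both the virtual and the redirect view."""
    seen = {}
    for host, path in rows:
        layer, vpath = virtual_path(path)
        # Windows paths are case-insensitive, so group on a lowercased key.
        entry = seen.setdefault((host, vpath.lower()),
                                {"path": vpath, "virtual": False, "layers": set()})
        if layer is None:
            entry["virtual"] = True
        else:
            entry["layers"].add(layer)
    return [(host, e["path"], sorted(e["layers"]))
            for (host, _), e in seen.items() if e["virtual"] and e["layers"]]


# Constructed sample inventory rows (host, file path), not real report data.
SAMPLE = [
    ("PC-01", r"C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe"),
    ("PC-01", r"C:\fslrdr\5\[_B_]PROGRAMFILES[_E_]\Adobe\Acrobat 7.0\Reader\AcroRd32.exe"),
    ("PC-02", r"C:\fslrdr\5\[_B_]PROGRAMFILES[_E_]\Adobe\Acrobat 7.0\Reader\AcroRd32.exe"),
    ("PC-03", r"C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe"),
]

if __name__ == "__main__":
    for host, vpath, layers in find_double_counts(SAMPLE):
        print(f"{host}: {vpath} also counted from redirect layer(s) {layers}")
```

In the sample, only PC-01 is flagged: PC-02 shows the single redirect-area copy an agent on the Ignore Process list would report, and PC-03 shows only the virtual location.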
Comments
Altiris Inventory Solution smart enough ..
Inventory Solution is not smart enough to not record virtualised .exe file twice if layer is active.
It is buggy enough that it only inventories .exe once if .exe exists on multiple directories. Old known issue with Inventory solution :)
----
Masi