Video Screencast Help

Altiris Client Agent 7.5 Delayed Start

Created: 02 Apr 2014 | 6 comments

Hello All,

We are working on blacklisting several applications in our environment.  We noticed in SMP 7.5 the agent has a delayed start on the client machine.  This allows for programs which are blacklisted to be run or installed until the agent starts.  Is there a way to disable the delayed start at windows start up?

Operating Systems:

Comments 6 CommentsJump to latest comment

Anton_Nejolov's picture

Just change startup type of Symantec Management Agent service from "Automatic (Delayed Start)" to "Automatic" via windows services.

 

sergei Z's picture

But the solution will not be reliable in 100% since depending on your machine configuration the agent service can be started later than your balcklisted applications if user logs on quickly enough. What plugin do you use to do the blacklisting? I guess tt should be working without agent started.

The delayed start was introduced especially to not slow the user login, depending on the machine configuration agent can start a whole lot of actions once it is started and this sometimes blocked or delayed the user login for a few minutes.

sergei zjaikin, senior principal software engineer, symantec

SnappyJY's picture

Thanks for the response.  We are using CMS so whatever the default plug in for blacklisting is that is what we are using.  Does that plug in get started during start up or is it only started with the full agent?  

sergei Z's picture

Blacklisting is the feature of Inventory Solution, it's described here:

https://www-secure.symantec.com/connect/articles/introduction-inventory-solution-windows-notification-server-70-detailed-file-inventory-and-

From the technical point of view neither the agent service nor any plugin cannot disallow an application to start. All the plugins are started by the agent service and they are just DLLs. The blacklisting functionality should live outside of the agent service process, there is just no way to disable a process from being started from the service, you have to have some DLL loaded inside the blacklisted process. So I would think that the agent service should not be needed for blacklisting to work, agent should  serve here purely as a blacklisted processers list delivery mechanism.

If you really need this information I can investigate a bit and confirm or deny my guess.

sergei zjaikin, senior principal software engineer, symantec

SnappyJY's picture

Sergei Z,

we are getting conflicting information.  Any further details you can provide would be greatly appreciated.

sergei Z's picture

Sorry for the confusion! I was wrong - you need to have the agent service running in order for blacklisting to work.

There is a special DLL that is loaded in every process named AMINIT.DLL, but it communicates with the agent service in order to get information if a particular process should be blocked or not. If agent service is not running then AMINIT.DLL will not blacklist the process. 

sergei zjaikin, senior principal software engineer, symantec