Detection rules for Virtual Layer which is Hide From Operating System

Created: 24 Jan 2014 • Updated: 06 Feb 2014 | 3 comments
jlenart's picture
This issue has been solved. See solution.

Hello everyone,

I am searching for the best method to set detection for a virtual app which is Hide From Operating System.

Do you have any ideas?

Thanks

AngelD's picture

I don't think there is a standard way of detecting through a detection rule.

You could create a custom inventory to check each layer for the VisibilityFlags (attribute) bit/flag set to 8 (Hide from OS).

ksreek's picture

You may want to enumerate the layers. Enumerating layers returns several properties of the layers.
E.g., run "svscmd.exe enum -v". It shows an attribute "Layer visibility" with corresponding values:

{NULL} - No visibility parameters set.
1      - Hide from other layers
2      - Hide other layers from this layer
3      - Hide from operating system

You might see one or more combinations in the output depending upon what attributes are set on the layers.

To determine this through a rule you might want to script as below:

Pipe the output of 'svscmd.exe enum -v' to a text file (e.g. svscmd.exe enum -v > c:\output.txt). Your script should search for the attribute and corresponding values to present the appropriate result.

There MIGHT be a direct API call available in our SDK for layer visibility, although I am not aware of it at this time.

Hope this helps!

ksreek

SOLUTION
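
One way to script the search described in the reply above, as an added example that is not part of the original post. The thread does not show real `svscmd.exe enum -v` output, so the `Name:` / `Layer visibility:` line layout, the layer names and the `Get-HiddenLayer` helper are assumptions; the value to look for is a parameter because the two replies name different values (3 and 8).

```powershell
# Added example. Assumed layout: each layer prints a "Name:" line followed later
# by a "Layer visibility:" line. Adjust the two regexes to the real output.
param(
    [string]$Path,                  # file written by: svscmd.exe enum -v > c:\output.txt
    [string]$HideFromOsValue = '3'  # value listed in the reply above; the other reply names flag 8
)

function Get-HiddenLayer {
    param([string[]]$Lines, [string]$Value)
    $layer = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Name\s*:\s*(.+?)\s*$') {
            # Remember which layer the following attributes belong to.
            $layer = $Matches[1]
        }
        elseif ($line -match '^\s*Layer visibility\s*:\s*(.*)$') {
            # Several values may be listed on one line; {NULL} yields no values.
            $values = @($Matches[1] -split '[^0-9]+' | Where-Object { $_ })
            if ($layer -and ($values -contains $Value)) { $layer }
        }
    }
}

# CONSTRUCTED sample input, used only when no -Path is given.
$sample = @'
Name: ExampleApp-A
Layer visibility: {NULL}
Name: ExampleApp-B
Layer visibility: 1, 3
Name: ExampleApp-C
Layer visibility: 2
'@ -split "`r?`n"

$lines  = if ($Path) { Get-Content -LiteralPath $Path } else { $sample }
$hidden = @(Get-HiddenLayer -Lines $lines -Value $HideFromOsValue)

if ($hidden.Count -eq 0) {
    'No layer is hidden from the operating system.'
} else {
    $hidden | ForEach-Object { "Hidden from OS: $_" }
}
```

With the constructed sample and the default value, only `ExampleApp-B` is reported.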
AngelD's picture

Just out of interest, why have a detection rule based on isolation?