
  • 1.  Error when try to get user name of process (ccApp.exe, DefWatch.exe, Rtvscan.exe) in Symantec antivirus 10.2.0.276 on Windows Vista Ultimate X86

    Posted Jul 16, 2009 05:03 AM
    When I try to get information about the processes (ccApp.exe, DefWatch.exe, Rtvscan.exe) with the function:
           OpenProcessToken(hProcess, TOKEN_DUPLICATE | TOKEN_QUERY, &htoken)

    It always throws error_code = 5 (Access Denied).
    I can't understand the root cause of this problem.
    I think Symantec 10.2.0.276 and Windows Vista Ultimate X86 are not compatible.

    Does anyone have any ideas or experience with this case? Please help me resolve it.

    Thanks & best regards.
    TrungPQ
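
A diagnostic for the failure described in this post, added here as an example and not taken from the thread: it asks WMI for the owner of each named process and reports the result code per process, so an access-denied result is attributed to a specific process. It assumes PowerShell 3.0 or later (for the CIM cmdlets) and an elevated session; the process names are the ones from the post, and it only reports results without changing any protection setting.

```powershell
# Added diagnostic example (not from the thread). Process names come from the
# original post; PowerShell 3.0+ and an elevated session are assumptions.
$names = 'ccApp.exe', 'DefWatch.exe', 'Rtvscan.exe'

# Return codes documented for the Win32_Process.GetOwner WMI method.
$ownerCodes = @{
    0  = 'Success'
    2  = 'Access denied'
    3  = 'Insufficient privilege'
    8  = 'Unknown failure'
    9  = 'Path not found'
    21 = 'Invalid parameter'
}

# Build a WQL filter that matches only the processes of interest.
$filter = ($names | ForEach-Object { "Name = '$_'" }) -join ' OR '
$procs  = @(Get-CimInstance -ClassName Win32_Process -Filter $filter)

if ($procs.Count -eq 0) {
    Write-Warning 'None of the listed processes are running.'
}

foreach ($p in $procs) {
    $owner = $null
    try {
        # GetOwner returns Domain, User and a numeric ReturnValue.
        $r    = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction Stop
        $code = [int]$r.ReturnValue
        $status = if ($ownerCodes.ContainsKey($code)) { $ownerCodes[$code] } else { "Code $code" }
        if ($code -eq 0) { $owner = '{0}\{1}' -f $r.Domain, $r.User }
    } catch {
        # The query itself failed (for example, WMI refused the call).
        $status = "Query failed: $($_.Exception.Message)"
    }

    # One result row per process: owner if readable, otherwise the reason.
    [pscustomobject]@{
        Name      = $p.Name
        ProcessId = $p.ProcessId
        Owner     = $owner
        Status    = $status
    }
}
```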




  • 2.  RE: Error when try to get user name of process (ccApp.exe, DefWatch.exe, Rtvscan.exe) in Symantec antivirus 10.2.0.276 on Windows Vista Ultimate X86

    Posted Jul 16, 2009 06:45 AM
    This is what I found in the article:
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006103109461248

    which looks to be related.


    The Windows Vista feature User Account Control (UAC) blocks local administrative accounts from remotely accessing remote administrative shares such as C$ and Admin$. To use the ClientRemote Install Tool in this scenario, you should use a Domain Administrative account if the target client computer is part of an Active Directory domain. Alternatively, you can disable the client computer's local account filtering policy by creating the following registry entry on the client computer:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy
    Type: DWORD
    Value: 1



    Thanks :-)



  • 3.  RE: Error when try to get user name of process (ccApp.exe, DefWatch.exe, Rtvscan.exe) in Symantec antivirus 10.2.0.276 on Windows Vista Ultimate X86

    Posted Jul 16, 2009 02:28 PM
    Why are you trying to open Symantec processes? Tamper Protection doesn't allow the Symantec processes to be read.


  • 4.  RE: Error when try to get user name of process (ccApp.exe, DefWatch.exe, Rtvscan.exe) in Symantec antivirus 10.2.0.276 on Windows Vista Ultimate X86

    Posted Jul 16, 2009 11:36 PM
    Thanks, Suren Gundumalla, for everything.

        Now I have solved my problem by disabling the Tamper Protection function.
        It is fine to get the user name of Symantec virus processes.

    Thanks & best regards,
    TrungPQ



  • 5.  RE: Error when try to get user name of process (ccApp.exe, DefWatch.exe, Rtvscan.exe) in Symantec antivirus 10.2.0.276 on Windows Vista Ultimate X86

    Posted Jul 21, 2009 04:25 AM
    Dear Suren Gundumalla,

       Nice to meet you!

    Now I want to read Symantec process information to get the user name of these processes while Tamper Protection is enabled.

    I read about Tamper Protection at the link below:
    http://service1.symantec.com/support/ent-security.nsf/docid/2005033111081548
    (On the Windows API level, Tamper Protection intercepts calls to create, open, or modify these objects, such as CreateEvent, SetEvent, CreateMutex, ReleaseMutex, and so on. It then checks the name of the object against its list of protected names, which is called a manifest. If the names match, it next checks to see if the executable backing the process that made this call has a valid Symantec digital signature. If the process has a valid signature, the request is permitted, otherwise, it is denied with an ERROR_ACCESS_DENIED error code. This protection works on both single user systems and terminal servers.)

    and I know that to access Symantec processes I must have "a valid Symantec digital signature".

    Can you tell me how to read Symantec process information while Tamper Protection is enabled?

    Thanks & best regards,
    TrungPQ