Hi Brian
I've bent over backwards for the last 2 years setting up scan exclusions, firewall exceptions, and scanned network traffic to see if their app uses unreported (by them) ports.
I've done this with 3 different products (Sym, Trend and McAfee) and provided the details to the software vendor.
Even though I have been able to show the customer and the software vendor the app works when the security suite is enabled, the software vendor continues to disable it.
They aren't the brightest; some of their more notable moments:
- Will stop the database engine service on the server while staff are logged in to the application.
- Reboot the server while everyone is still working and not notify anyone.
- Have deleted data that wasn't successfully uploaded by the app into the database, when no other copy of the data exists yet (e.g. a legal doc is created in Word, but won't upload, vendor comes along and deletes the Word doc without even asking.)
- By default the app runs without the need for a login, and when the app is run by a user without a credential in the app, they get full access within the app. When I pointed this out to the vendor they answered "you need to have an account to prevent unauthorised access." Glad they don't look after my bank's IT system.
Hopefully you are getting a picture of the type of vendor I am dealing with here. Sadly the customer signed a 4 yr contract and can't change product until the contract is due for renewal.