Endpoint Protection

  • 1.  User or Privileged?

    Posted Dec 20, 2009 11:30 AM
    On an MS Server running SAV 10.x or SEP 11.x, do the Symantec services run in User or Privileged mode?


  • 2.  RE: User or Privileged?

    Broadcom Employee
    Posted Dec 20, 2009 04:01 PM
    Hi MFishman,

    I'm not a security specialist but I am sure I can (at least partially) answer this question. And as stated above it depends, on which part of the product you are looking at!

    I take it that by privileged mode you mean kernel mode (ring 0 in i386 and other processors) in opposition to user mode (ring 3), which are the only modes used in *nix and Windows implementations (more details here).

    So back to the answer, LiveUpdate and any desktop facing programs are running in user mode, no two ways about it. They have advanced privileges but not at the processor level i.e. they most likely inherit system privileges by running under the local nt authority account.

    Now for kernel or privileged programs I'm not 100% sure but if you consider the network filtering and other pro-active threat management, process monitoring and the like then the answer must be yes, yes and yes!

    Let's confront this with reality (Google search for "symantec endpoint protection kernel drivers") and we have the following coming 3rd:

    Here's one proof that we have some drivers or other programs running under ring: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007267476677998.

    So I've corrected myself on the subject line above, as this is a plain yes answer.


  • 3.  RE: User or Privileged?

    Posted Dec 31, 2009 03:38 AM
    I agree with Ludovic. These programs do run with the User Mode privileges. That's the reason we need to check permissions and group membership while installing the SEP product on a machine.

    Aniket


  • 4.  RE: User or Privileged?

    Broadcom Employee
    Posted Dec 31, 2009 12:12 PM
    User mode and group permission do not exactly relate here.

    Privileges are enforced at an operating system level, whilst the user / kernel mode switches are implemented at the processor level.

    You need to have privileged access to the operating system because the SEP installation makes system changes (such as installing drivers) that standard users can't do.
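    A way to see the distinction drawn in replies 2 and 4 on an actual server is to list the product's user-mode services (which run under an account such as LocalSystem, an OS-level privilege) separately from its kernel drivers (which run in ring 0 and have no account at all). This is an added example, not code from the thread or from Symantec; it assumes an elevated PowerShell session and uses the vendor string "Symantec" only as a display-name/path filter.

```powershell
# Added example: tell user-mode services apart from kernel-mode drivers.
# Assumption: run elevated on the server being examined; 'Symantec' is just
# a filter on display names and binary paths and may need adjusting.
$vendor = 'Symantec'

# Win32_Service = user-mode (ring 3) processes managed by the SCM.
# StartName is the account the service runs as (e.g. LocalSystem); that is
# an operating-system privilege, not a processor mode.
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -match $vendor -or $_.PathName -match $vendor } |
    Select-Object @{ n = 'Kind';      e = { 'User-mode service' } },
                  Name,
                  @{ n = 'RunsAs';    e = { $_.StartName } },
                  State,
                  PathName

# Win32_SystemDriver = kernel-mode (ring 0) drivers loaded by the kernel.
# There is no account here: once loaded, the code executes inside the kernel.
$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.DisplayName -match $vendor -or $_.PathName -match $vendor } |
    Select-Object @{ n = 'Kind';      e = { 'Kernel driver' } },
                  Name,
                  @{ n = 'RunsAs';    e = { '(kernel)' } },
                  State,
                  PathName

# @() guards against a single object or $null on either side of the '+'.
@($services) + @($drivers) | Sort-Object Kind, Name | Format-Table -AutoSize
```

Anything listed as a kernel driver is what reply 2 calls "privileged" in the processor sense, whereas a service showing RunsAs = LocalSystem is still ring 3 code that merely holds broad OS privileges.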