1. Symantec/
  2. Security Response/
  3. Security Updates Detail

Security Advisories Relating to Symantec Products - Symantec ITMS Inventory Solution Application Denial Functionality Bypass


April 7, 2016





Severity (CVSS version 2 and CVSS Version 3)



Base Score

CVSS2 Vector

Symantec IT Management Suite Inventory Solution Applications Denial Bypass - Low





Base Score

CVSS3 Vector

Symantec IT Management Suite Inventory Solution Applications Denial Bypass - Low





The Inventory Solution component of Symantec’s IT Management Agent, the client portion of Symantec IT Management Suite (ITMS) powered by Altiris,  can be configured to deny one or more applications from running on a windows managed client as part of IT management functions.  A determined user can force an unauthorized application to load and potentially run despite the application being blacklisted in policy settings.  This could potentially result in an authorized user running an unauthorized application on a managed client in the network environment.  


Affected Products






Symantec ITMS

7.6 HF7 and prior


Update to ITMS 7.6 HF7 Point Fix, see Update Section below, or upgrade to ITMS 8.x


Products Not Affected





Symantec ITMS





Symantec is aware of the capability to bypass the application denial functionality.  This functionality is only available in managed windows clients and is established and configured as a component of the ITMS Inventory Solution.  The application denial functionality, a part of the applications metering feature in the Inventory Solution, is not intended to be, nor promoted as, a security feature.  The application denial functionality is a management tool intended to enable IT administrators to deny the running of specified applications, such as peer-to-peer file sharing applications.  However application denial does provide a level of restrictive protection against unauthorized applications running on a managed client. 


An authorized but determined user can run an application that is not allowed on the corporate network by established IT policies.  By creating and running a script that continuously executes the unauthorized application, the user could potentially overload and bypass the established denial policies.  This would enable their unauthorized application to run on their managed windows client which could potentially compromise IT network policies.  Successful applications denial policy bypass depends very heavily on the capabilities of the managed system which could actually result in limited capabilities of the unauthorized application or even a self-denial of service by overloading the managed client’s CPU.


Depending on how IT has configured Inventory Solutions an alert can be e-mailed to an IT administrator when an attempt is made to run such an un-authorized application on a managed windows system.  In addition, end users can be informed that the application they are trying to run has been blocked by the IT administrator.


Symantec Response
While the application denial functionality was not intended as a security feature, Symantec product engineers have already addressed the managed windows agent bypass potential in ITMS 8.0 and have created a point fix for ITMS 7.6 HF7 for those customers who are concerned about any potential exposure to unauthorized applications running on their windows managed clients.    Symantec is not aware of adverse customer impact from this issue.


Update Information

Customers may acquire the point fix for ITMS 7.6 HF7 though technical support channels, see Knowledge Bulletin TECH234599 for details.



Symantec would like to thank Matthew Postinger, www.Postinger.com, for submitting his concerns regarding this issue in versions prior to ITMS 8.0 and working with Symantec as it was addressed. 





CVE: This issue for inclusion in the CVE list (http://cve.mitre.org/cve), which standardizes identifiers for security problems. 


BID: Symantec SecurityFocus, http://www.securityfocus.com, has assigned Bugtraq IDs (BIDs) to these issues for inclusion in the Security Focus vulnerability database.







BID 85778

Symantec IT Management Suite Inventory Solution Applications Denial Bypass




Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows responsible disclosure guidelines.
Symantec has developed a Software Security Vulnerability Management Process document outlining the process we follow in addressing suspected vulnerabilities in our products.
Symantec Corporation firmly believes in a proactive approach to secure software development and implements security review into various stages of the software development process. Additionally, Symantec is committed to the security of its products and services as well as to its customers’ data. Symantec is committed to continually improving its software security process.
This document provides an overview of the current Secure Development Lifecycle (SDLC) practice applicable to Symantec’s product and service teams as well as other software security related activities and policies used by such teams. This document is intended as a summary and does not represent a comprehensive list of security testing and practices conducted by Symantec in the software development process.
Please contact secure@symantec.com if you believe you have discovered a security issue in a Symantec product. A member of the Symantec Software Security team will contact you regarding your submission to coordinate any required response. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com.
The Symantec Software Security PGP key can be found at the following location:
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Software Security. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.
Last modified on: April 7, 2016
Security Response Blog
The State of Spam