Shutting down FCS processes in task manager by local users

  • Question

  • Hi,

    I do have a technical question about the FCS agent.  I did set up the FCS management server with specific GPOs in place, and tested the MOM agent deployment & also definition updates via WSUS & Windows updates.  Everything works with no issues and with excellent results.

    But I did find a critical technical issue with FCS on the workstation.  Any local user (not an administrator at all) can actually end all the FCS processes in the Windows task manager at any time (MOMHost.exe, MOMServices.exe, MsMpEng.exe, MSASCui.exe).  I did lock down the FCS UI via the FCS management console & the FCS services via the GPO management console.  But there are no options at all to lock down the FCS processes from being shut down in the task manager.  Any user can end all the FCS processes at any time if they don't want FCS (including the FCS engine) running on their workstation.

    Is there any improvement planned for this issue in the future?  Just an FYI that most anti-virus products offer a password protection option to lock down their own processes & services from being shut down, uninstalled, or having protection paused.  I would appreciate any suggestions or advice.  Great day.

    Wednesday, May 5, 2010 3:02 PM

Answers

  • Hello there,

    Actually, I personally think that there is a small issue somewhere in your infrastructure.

    Neither MOMService nor MsMpEng.exe can be stopped, as you would need Admin privileges because they are running under the SYSTEM account. MSASCui.exe can be stopped/killed because it is running as the logged-on user.

    To actually do a Tamper Protection take a look at Yaniv's blog here:

    http://blogs.microsoft.co.il/blogs/yanivf/archive/2009/01/09/temper-protection-in-forefront-client-security.aspx

    Regarding the new FCS v2, I don't know if it will come with tamper protection or not, but it will definitely have 100% AD integration and you can play with policies as much as you want.

    Regards,

    Victor

    Please vote me as Helpful if I helped you in any way.
    Thursday, May 6, 2010 1:02 PM
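
To check the answer's point on a given workstation, the following added example (not part of the original thread) reports which account owns each FCS process named above and whether ending it needs administrator rights. The function name and output fields are illustrative assumptions, and `Get-CimInstance` requires PowerShell 3.0 or later.

```powershell
# Added example. Process names are the ones listed in the thread (both spellings
# of the MOM service binary are included); everything else is illustrative.
$FcsProcesses = 'MOMHost.exe', 'MOMService.exe', 'MOMServices.exe',
                'MsMpEng.exe', 'MSASCui.exe'
$LocalSystemSid = 'S-1-5-18'   # well-known SID of the SYSTEM account

function Get-FcsProcessOwner {
    param([string[]]$Name = $FcsProcesses)

    foreach ($n in $Name) {
        $procs = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = '$n'")
        if ($procs.Count -eq 0) {
            [pscustomobject]@{ Name = $n; ProcessId = $null; SessionId = $null
                               Owner = $null; Finding = 'not running' }
            continue
        }
        foreach ($p in $procs) {
            # Both calls can fail for a non-elevated caller; treat that as "unknown".
            $own = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
            $sid = Invoke-CimMethod -InputObject $p -MethodName GetOwnerSid -ErrorAction SilentlyContinue

            if ($sid -and $sid.ReturnValue -eq 0 -and $sid.Sid -eq $LocalSystemSid) {
                $finding = 'SYSTEM: ending it requires administrator rights'
            } elseif ($sid -and $sid.ReturnValue -eq 0) {
                $finding = 'non-SYSTEM account: the owning user can end it'
            } else {
                $finding = 'owner not readable; rerun from an elevated prompt'
            }
            $owner = if ($own -and $own.ReturnValue -eq 0) { "$($own.Domain)\$($own.User)" } else { $null }
            [pscustomobject]@{ Name = $n; ProcessId = $p.ProcessId; SessionId = $p.SessionId
                               Owner = $owner; Finding = $finding }
        }
    }
}

Get-FcsProcessOwner | Format-Table -AutoSize
```

The SID comparison is used instead of the account name so the check also works on non-English Windows installations.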

All replies

  • Thanks... Victor.  I really appreciate your advice.  I made the changes you mentioned here and it all works.  Now I can deploy FCS at my workplace with confidence.  Great day.

    Thursday, May 6, 2010 3:40 PM
  • Hi Victor,

    I did manage to prevent the users from shutting down the MsMpEng.exe but how about the local admins?  Can I specify that even local admins or domain admins can't stop the MsMpEng.exe in task manager?  Thanks in advance.  Great day.

    Friday, May 7, 2010 3:40 PM
  • Hi everyone!

    I have the same problem. I have implemented all of the above security measures to prevent users from stopping the service and uninstalling the program.

    But...

    All of my users are local administrators on their workstations. How do I prevent them from terminating the MsMpEng.exe process and thereby shutting down the FCS client?

    Regards

    Sune Ratgen

    System Administrator

    Thursday, July 29, 2010 1:09 PM
  • Hello everybody,

    Why y'all are using this program and this client on the network is beyond me, as it slows down AutoCAD, Inventor and Altium PCB Designer. I have done my homework and have found way better anti-virus software out there to work with that doesn't eat up processes trying to scan every last freaking byte you use on a daily basis... Personally I think most IT personnel that use this program need to do some homework before they get a mean call from the president of the company asking why are you slowing down my productivity (pink slip time)... !!DO YOUR HOMEWORK PEOPLE!! before you decide to install programs like this on a large production company network. As far as locking this program and keeping people from turning it off when they are trying to do their JOB in a timely manner, one that doesn't take an hour and a half just to get one drawing loaded or a board laid out, that is just wrong and lazy...

    Friday, July 19, 2013 7:08 PM