Another interesting day in the Agentless Business
One of the interesting aspects of using agentless discovery is that there is always a chance of an interaction with Intrusion Detection Systems of one sort or another.
We try very hard to keep those interactions to a minimum by using well-established third-party tools such as the PsTools collection, originally from SysInternals (now part of the Microsoft organisation). During the development of our 7.2 release we found that changes in behaviour restricted our ability to derive information from modern Windows 2008 and Vista machines using PsTools.
As such, from 7.2 onwards we are also using an Open Source tool, RemCom, that allows us to do what we cannot with current versions of PsTools.
Internally we have our own systems continually monitored by both the current release of Foundation and the latest stable cut of our development code. Both have been running the 7.2 core since early January without issue. However, this week we noticed something interesting that we thought worthwhile bringing to your attention.
This week our IT department rolled out an upgrade to Sophos Anti-Virus 7.6, and we are currently using the default profile while it gets tuned to our environment.
A number of our Windows hosts have since reported RemCom interacting with them as part of the “Sophos Behavioural Genotype technology”. I’ve attached a screengrab of the alert to this post.

We’ve never had an issue with the PsTools collection triggering our IDS systems like this, though judging from the quote from Mark Russinovich on the PsTools page it appears it has happened elsewhere. We’ve raised this with the maintainer of RemCom and reported it as a false positive to Sophos.
While we progress this with Sophos, if you use both Foundation 7.2 and Sophos Anti-Virus 7.6 in your environment you might wish to consider adding remcomsvc.exe to the authorised file list in Sophos.