What security restrictions do anti-malware place on Windows processes?
Hi, I have an odd scenario where behavior is different on a computer with tighter security (e.g., endpoint protection services). I have a .NET 4.5 app that uses Concurrent Dictionaries to track Windows Service Status via Service Status Notification Callbacks (interop with Win32). The logs show the callbacks are working and correct, and no errors or issues occur when the callback handler updates the ConcurrentDictionary. Overall logs (Win Application Log, Win System Log) show no runtime errors, and the endpoint monitoring system has not flagged the app in its logs.
The problem is that downstream (thread pool) tasks don't seem to have the correct service status. Currently, this problem is isolated to a single machine; other machines don't have this issue. I assume this is a defect in my logic, but I don't understand how it could work in other operating contexts, except for one machine. The app is running under the SYSTEM account as a Windows Service. Code that updates the dictionary is included.
I have no idea what to look for from a security point of view. I am examining the process token privileges - what else could be different?
2 Replies
I believe I've had a similar problem years ago. I can't remember the solution, but I believe I gave up on finding one and rather used ProcMon to see exactly wtf is happening. Unless you've already tried that, then sorry :/
Hi - thank you for your response. I did trace it to a defect in my code; I struggle to understand why it was observed on one machine and not the other. I have little experience with configuring (modern) malware, and understanding what they check for regarding 'endpoints' is of interest (e.g., endpoint being a program or other active entity (I assume)).