I’ve been looking for a quick, easy, and reversible way to circumvent or temporarily disable Cisco Security Agent 5.2.x running on our Windows 2000 workstations for some time. At our firm, the agent UI is either hidden or there is no agent UI on the workstations (so no direct user interaction is even possible), and therefore the ability to turn off agent security is not available to our users. In addition to CSA, as we call it, we run a corporate anti-virus application and our user accounts are members of the Administrators group, but some functionality is limited by group policy.
The firm’s security policy is enforced by the Cisco Security Agent service running on the workstations. Stopping the service would also stop the protection, but there is an Agent service control rule that prevents this.
Attempting to stop the Cisco Security Agent service from services.msc when an Agent service control rule is set to “attempt to disable agent security” results in the following warning:
Microsoft Management Console
Could not stop the Cisco Security Agent service on Local Computer.
The service did not return an error. This could be an internal Windows error or an internal service error.
If the problem persists, contact your system administrator.
Running the command
net stop csagent
returns “The Cisco Security Agent service could not be stopped.”
Note that both of these attempts to stop the service will be logged as events in the Windows Event Viewer under Application and System, and will also be logged by CSA in the CSALOG.txt and SecurityLog.txt files and may be sent back to the CSA Management Center (MC) server.
I would like to avoid leaving a record of my efforts, so instead of trying to stop the currently running service, I decided to try to prevent the service from starting at the next boot.
Simply opening the service properties and selecting Manual or Disabled from the “Startup type” menu causes a pop-up warning:
Microsoft Management Console
Access is denied.
On one machine, I found that I was able to disable the service from starting automatically in the current hardware profile. To do this, open a run window and enter “services.msc” to open the Services MMC snap-in. Locate the Cisco Security Agent service, right-click it and select Properties, then click the Log On tab. In the Hardware Profile area, you should see a profile (Profile 1, perhaps) and a status (Enabled). Highlight the current profile and click the Disable button. Click Apply and OK to save the changes. (If you don’t get a message from Microsoft Management Console, just reboot and check the service to confirm it is not started.)
If disabling the service in the hardware profile is locked down, you will get the following pop-up warning and a log entry:
Microsoft Management Console
Configuration Manager: A required entry in the registry is missing or an attempt to write to the registry failed.
The next thing to try is to prevent the service from starting by editing the registry. CSAgent blocks and logs attempts to change keys pertaining to it, but on our machines, editing can be done after booting into Safe Mode.
Windows stores information about the services, including the startup type, at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[servicename]
Each service will have a (REG_DWORD) value “Start” that can be one of 5 values: 0 (Boot), 1 (System), 2 (Automatic), 3 (Manual), or 4 (Disabled).
The key we’re interested in is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSAgent
To change the startup type to disabled, open Regedit, change the value “Start” to 4, close Regedit and boot Windows normally.
On our workstations, the Cisco Security Agent service will now be disabled and will not run, and so it will not be able to enforce any security policies on that machine. Instead, the Agent UI application will start (this will be logged in the Application events) and the CSAgent red flag icon will appear in the system tray.
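As an added defender-side example (not from the original post): a small Python audit that parses a `reg export` text dump of the CSAgent service key described above and flags a “Start” value other than Automatic (2), which is exactly the change an administrator would want to notice. The .reg sample is constructed; the key path and the meaning of the Start values are the ones given above.

```python
"""Audit a service's Start value from a `reg export` (.reg) text dump.

Added example, not from the original post: flags when the CSAgent
service's startup type in an exported registry key differs from the
expected Automatic (2). The key path and Start meanings are as stated
in the post; the sample export below is constructed, not a capture.
"""
import re

START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# Constructed sample of what `reg export HKLM\SYSTEM\CurrentControlSet\Services\CSAgent`
# produces (real exports are UTF-16LE text; decode before parsing).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSAgent]
"Start"=dword:00000004
"DisplayName"="Cisco Security Agent"
"""

def parse_reg_export(text):
    """Return {key_path: {value_name: (type, value)}} for a .reg text dump."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:                               # start of a new [key] section
            current = m.group(1)
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(dword:[0-9a-fA-F]{8}|"(?:[^"\\]|\\.)*")$', line)
        if m and current is not None:       # "Name"=dword:... or "Name"="..."
            name, raw = m.group(1), m.group(2)
            if raw.startswith("dword:"):
                keys[current][name] = ("REG_DWORD", int(raw[6:], 16))
            else:
                keys[current][name] = ("REG_SZ", raw[1:-1])
    return keys

def audit_service_start(text, service="CSAgent", expected=2):
    """Report the service's Start value and whether it deviates from `expected`."""
    path = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%s" % service
    values = parse_reg_export(text).get(path)
    if values is None or "Start" not in values:   # missing key is itself suspicious
        return {"service": service, "present": False, "tampered": True}
    start = values["Start"][1]
    return {"service": service, "present": True, "start": start,
            "startup_type": START_TYPES.get(start, "Unknown"),
            "tampered": start != expected}

if __name__ == "__main__":
    print(audit_service_start(SAMPLE_EXPORT))
```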
I should point out that there are probably lots of ways for your system administrators to discover that you’ve been tampering with a security feature. I tried to note a few of the things that will cause your actions to appear in logs, but this isn’t a complete list. By disabling CSA, you’re risking not only the integrity of your workstation and the network, but opening yourself up to reprimands or more serious disciplinary action.
Speaking of logs, the CSALOG.txt and SecurityLog.txt log files exist in the Cisco Systems\CSAgent folder, where they are protected from being copied or edited while the CSAgent service is running. Both files record security alerts, but the SecurityLog.txt file is more detailed. CSALOG.txt is just a text file, but SecurityLog.txt is a CSV and is more easily read in an application that handles CSV. If the CSAgent service is not running, the files can be edited, copied, deleted, etc.
A few Cisco documents that described why I couldn’t see the user agent gui or stop the service, but otherwise helped me very little in my quest: