What is the function of mgssecsvc

Good day

 

I have a customer that is asking what is the functionality of the mgssecsvc component and are there any security concerns around it. They say that the component has the potential to run whatever code that gets downloaded to it and if so it could be exploited.

Please advise.

 

regards

Manish


  • Hi Manish,

    The documentation (GatheringFlexNetInventory) has some details:

    "Another service that runs exclusively on Microsoft Windows is mgssecsvc (there is no equivalent on UNIX-like platforms). Like ndinit, it is automatically initialized as a service on machine reboot. It exists solely as a wrapper for its child processes (which are implemented as DLLs on Windows, and so are running whenever the service is running)."

    "mgssecsvc.exe (and its plug-ins mgsusageag and vdiendpoint)"

    and

    "The component that monitors application usage (when you have usage tracking configured) is mgsusageag, which is a library exercised by mgssecsvc on Windows. On UNIX-like platforms, mgsusageag is a service in its own right. Because of the ephemeral nature of usage data, mgsusageag invokes the uploader any time it has usage data (an .mmi file) to upload. This means that application usage data is uploaded asynchronously with relation to the upload schedule saved on the local device."

    That and the "Agent Architecture" diagram should explain what it is usually doing.

    Can you share any more specific concerns regarding "run whatever code"?

    Best regards,

    Markward

  • 0_MattR (Flexera Software)

    Hi @iammanzi ,

     

    The primary use of mgssecsvc is to run the application usage agent, but it also does the VDI endpoint agent. It is the executable behind the security agent service and without this you won't be able to collect usage with the agent.

     

    Do you know the specific security concerns? I can't see any open issues around this but if there are major issues we can investigate these further.

     

    Matt

     

      

    • If you would be so kind to entertain some more questions on this subject.

      • If the service exists solely as a wrapper, why is it called 'Flexera Inventory Manager security service' and what is meant by the term 'security agent'?
      • What measures have been taken to ensure a rogue plugin will not be loaded by the service? Is there a penetration test report available for this service?
      • Can you please provide a listing of the types of operations that can be expected and to what effect have they been included?

      Regards,

       

      Pushkar
      • ChrisG (Flexera Software)

        This service was named something like 13-16 years ago when it did (or there was a vision for it to do) more than it does today. For example, my recollection is at the time it gathered details of various security-related events such as logon and logoff events. The name has stuck since and not been changed.

        Penetration tests for the agent are available under NDA with Flexera. Please reach out to your Flexera contact to request this.

        In terms of the types of operations performed by this service, I don't have much more to add beyond the earlier comments from @mfranz and @mrichardson which cover it pretty well.

    • We have an issue that the mgssecsvc.exe is preventing an Eng. application process from closing and as a result an application process is getting suspended by the OS.

      Are there any solutions to reduce this?

      • 0_MattR (Flexera Software)

        The 2 main reasons I can think of that might cause this are:

        1. You have security software which is blocking the usage agent from working successfully on that application, hence it is holding the process in memory while it tries to complete (McAfee is a well-known culprit for this).
        2. The application was attempting to close while the usage agent was tracking it and it's holding the process for some reason.

        Of the 2 I would say that 1 is most likely as the intention of the usage agent is to track when an application is open and closed so it would be unusual for it to keep hold of a process.

        If it is security software, one option which usually works is to put the agent directory in as an exclusion to the active scanning engine of the security software so that it's only included in scheduled scans.

        Can you check if this is a possibility?
