
What is the function of mgssecsvc

Good day

I have a customer that is asking what is the functionality of the mgssecsvc component and are there any security concerns around it. They say that the component has the potential to run whatever code that gets downloaded to it and if so it could be exploited.

Please advise.

regards

Manish

(7) Replies
mfranz (Level 17 Champion)

Hi Manish,

The documentation (GatheringFlexNetInventory) has some details:

"Another service that runs exclusively on Microsoft Windows is mgssecsvc (there is no equivalent on UNIX-like platforms). Like ndinit, it is automatically initialized as a service on machine reboot. It exists solely as a wrapper for its child processes (which are implemented as DLLs on Windows, and so are running whenever the service is running)."

"mgssecsvc.exe (and its plug-ins mgsusageag and vdiendpoint)"

and

"The component that monitors application usage (when you have usage tracking configured) is mgsusageag, which is a library exercised by mgssecsvc on Windows. On UNIX-like platforms, mgsusageag is a service in its own right. Because of the ephemeral nature of usage data, mgsusageag invokes the uploader any time it has usage data (an .mmi file) to upload. This means that application usage data is uploaded asynchronously with relation to the upload schedule saved on the local device."

That and the "Agent Architecture" diagram should explain what it is usually doing.

Can you share any more specific concerns regarding "run whatever code"?

Best regards,

Markward

Hi @iammanzi,

The primary use of mgssecsvc is to run the application usage agent, but it also does the VDI endpoint agent. It is the executable behind the security agent service, and without this you won't be able to collect usage with the agent.

Do you know the specific security concerns? I can't see any open issues around this, but if there are major issues we can investigate these further.

Matt


(Anything expressed here is my own view and not necessarily that of my employer, Flexera)
If the solution provided has helped, please mark it as such as this helps everyone to know what works.

If you would be so kind to entertain some more questions on this subject.

  • If the service exists solely as a wrapper, why is it called 'Flexera Inventory Manager security service' and what is meant by the term 'security agent'?
  • What measures have been taken to ensure a rogue plugin will not be loaded by the service? Is there a penetration test report available for this service?
  • Can you please provide a listing of the types of operations that can be expected and to what effect have they been included?

Regards,
Pushkar

This service was named something like 13-16 years ago, when it did (or there was a vision for it to do) more than it does today. For example, my recollection is that at the time it gathered details of various security-related events such as logon and logoff events. The name has stuck since and not been changed.

Penetration tests for the agent are available under NDA with Flexera. Please reach out to your Flexera contact to request this.

In terms of the types of operations performed by this service, I don't have much more to add beyond the earlier comments from @mfranz and @mrichardson which cover it pretty well.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)
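
A local check related to the rogue plug-in question above, added here as an example; it is not part of the thread and not Flexera code. It lists every DLL currently loaded by mgssecsvc with its Authenticode status, and assumes (not confirmed on this page) that the plug-in file names begin with `mgsusageag` and `vdiendpoint`.

```powershell
# Added example; not Flexera code. Run from an elevated prompt on the device.
# Assumption: the plug-in DLL file names begin with the names quoted in the
# thread (mgsusageag, vdiendpoint).
$pluginPattern = '^(mgsusageag|vdiendpoint)'

$procs = Get-Process -Name 'mgssecsvc' -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Warning 'mgssecsvc is not running on this device.'
    return
}

$report = foreach ($p in $procs) {
    $modules = $null
    try { $modules = $p.Modules } catch { }
    if (-not $modules) {
        # Typical when the prompt is not elevated: the module list is unreadable.
        Write-Warning "Cannot read the module list of PID $($p.Id)."
        continue
    }
    foreach ($m in $modules) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        [pscustomobject]@{
            Module   = $m.ModuleName
            IsPlugin = $m.ModuleName -match $pluginPattern
            Status   = $sig.Status
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Path     = $m.FileName
        }
    }
}

# Plug-ins first, then everything else the service has mapped.
$report |
    Sort-Object -Property @{ Expression = 'IsPlugin'; Descending = $true }, Module |
    Format-Table -AutoSize

# Anything whose signature did not validate deserves a closer look.
$report | Where-Object { $_.Status -ne 'Valid' } | Format-List
```

If the service turns out to be a 32-bit process, run this from a 32-bit PowerShell session, since a 64-bit session may list only part of its modules.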

We have an issue that the mgssecsvc.exe is preventing an Eng. application process from closing and as a result an application process is getting suspended by the OS.

Are there any solutions to reduce this?

The 2 main reasons I can think of that might cause this are:

  1. You have security software which is blocking the usage agent from working successfully on that application, hence it is holding the process in memory while it tries to complete (McAfee is a well-known culprit for this)
  2. The application was attempting to close while the usage agent was tracking it and it's holding the process for some reason

Of the 2 I would say that 1 is most likely as the intention of the usage agent is to track when an application is open and closed so it would be unusual for it to keep hold of a process.

If it is security software, one option which usually works is to put the agent directory in as an exclusion to the active scanning engine of the security software so that it's only included in scheduled scans.

Can you check if this is a possibility?


@carmen_harvey Were you able to resolve this? I'm sitting with a similar issue.


Regards,

Pardon