Due to limitations of the Windows Server 2003 64-bit platform, the Bit9 agent can be stopped by a local administrator.
Symptom: the Bit9 agent service or kernel driver is stopped or unloaded.
Because of a known limitation of the Windows Server 2003 64-bit platform (specifically Kernel Patch Protection, or PatchGuard), the OS does not allow the kernel hooks that the Bit9 agent normally uses for its tamper-protection capabilities. As a result, a local administrator is able to terminate the Bit9 agent processes.
Many other applications are affected by the same limitation. This OS has reached end-of-life support from Microsoft, so no fix for the OS is available; software vendors can only work around the limitation.
The Windows Server 2003 OS limitations have been known to Bit9 since the release of Bit9 version 6.0.2 and are noted in our "Bit9 Operating Environment Requirement" and "Installing Bit9 Security Platform" documents. They have also been communicated verbally to customers during the pre-sales and implementation period.
We have worked around all known service crashes, blue screens, and broken session-management APIs caused by bugs in the Windows Server 2003 OS. All available fixes for the OS limitations are included in the latest 7.0.x patches; details can be reviewed in the "Release Notes" document. Upgrading the OS is still recommended where possible.
Bit9 is 100% committed to our customers' protection and success. In July 2013 we personally contacted all Windows 2003 64-bit customers to ensure they were aware of the OS limitations and how they affect the Bit9 agent processes.
Short-term mitigations:
- Use a server process monitor to detect when the Bit9 agent process has stopped.
- Create NAC rules that deny network access to machines on which the Bit9 agent process is not running, and that remove such machines from the network if the agent stops.
- Use SIEM tools to monitor the Windows System event log for the Service Control Manager event (event ID 7034) with the following text:
“The Parity Agent service terminated unexpectedly…”
  Note that this event records an abnormal termination (for example, taskkill). A clean stop with net stop or sc stop is recorded instead as event ID 7036 (“The Parity Agent service entered the stopped state”), so alert on both.
- Ban the taskkill process (taskkill.exe). This blocks only one tool: a local administrator can still end the process from Task Manager or with other utilities, so treat it as raising the bar rather than as a fix.
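As an added example (not Bit9's own tooling), the following PowerShell script implements the process-monitor and event-log mitigations above for one host: it checks the agent service state, checks that the agent process exists, and reports Service Control Manager events 7034 and 7036 for the service within a lookback window, returning exit code 2 on any finding so a scheduled task or monitoring tool can act on it. The service display name "Parity Agent" is taken from the event text above; the process image name Parity.exe is an assumption, as is the 24-hour lookback, so adjust both for your deployment. Only cmdlets and parameters available in PowerShell 2.0 are used so the script can run on Windows Server 2003 SP2 hosts as well as from a newer management host with -ComputerName.

```powershell
# Added example, not Bit9 code. Checks one host for (1) the agent service state,
# (2) the agent process, and (3) Service Control Manager events that record the
# service dying (7034) or being stopped (7036). Exit code 2 signals a finding.
#
# Assumptions (adjust for your deployment): the service display name is
# "Parity Agent" (as in the event text above) and the agent runs as Parity.exe.

param(
    [string]$ComputerName       = $env:COMPUTERNAME,
    [int]   $LookbackHours      = 24,                # assumed window
    [string]$ServiceDisplayName = 'Parity Agent',    # from the event text
    [string]$ProcessName        = 'Parity'           # assumed image name, no .exe
)

$findings = @()
$since    = (Get-Date).AddHours(-$LookbackHours)

# 1. Service state as the Service Control Manager sees it.
$svc = Get-Service -ComputerName $ComputerName |
       Where-Object { $_.DisplayName -eq $ServiceDisplayName }
if (-not $svc) {
    $findings += "service '$ServiceDisplayName' is not installed"
} elseif ($svc.Status -ne 'Running') {
    $findings += "service '$ServiceDisplayName' is $($svc.Status)"
}

# 2. The process itself, independent of what the SCM reports.
$proc = Get-Process -Name $ProcessName -ComputerName $ComputerName -ErrorAction SilentlyContinue
if (-not $proc) {
    $findings += "process $ProcessName.exe is not running"
}

# 3. SCM events in the System log within the lookback window:
#    7034  "The <service> service terminated unexpectedly"   (e.g. after taskkill)
#    7036  "The <service> service entered the stopped state" (e.g. after net stop / sc stop)
# EventID is filtered with Where-Object rather than -InstanceId because SCM
# instance IDs carry severity bits and do not equal the displayed event ID.
$events = Get-EventLog -LogName System -ComputerName $ComputerName -After $since |
          Where-Object {
              $_.Source -eq 'Service Control Manager' -and
              $_.Message -like "*$ServiceDisplayName*" -and
              ( $_.EventID -eq 7034 -or
               ($_.EventID -eq 7036 -and $_.Message -like '*stopped state*') )
          }
foreach ($e in $events) {
    $findings += ("event {0} at {1}: {2}" -f $e.EventID, $e.TimeGenerated, $e.Message.Trim())
}

if ($findings.Count -eq 0) {
    Write-Output "$ComputerName : Bit9 agent OK"
    exit 0
}
foreach ($f in $findings) { Write-Output "$ComputerName : $f" }
exit 2
```

Run it from a scheduled task on each Windows 2003 64-bit host, or in a loop over a host list from a management station (for example, `.\Check-Bit9Agent.ps1 -ComputerName SRV01 -LookbackHours 4`). The Where-Object filter in step 3 is the same condition a SIEM rule on the forwarded System log should use; the process check in step 2 is there because the service record can be reported as running for a short time after the process has been killed.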
Longer-term mitigations:
- Upgrade all Windows Server 2003 64-bit machines to Windows Server 2008 or 2012 64-bit.