
APM .NET Agent PerfMonCollectorAgent: At least one improperly configured Windows service may have a privilege escalation vulnerability


Article ID: 243282


Updated On:


CA Application Performance Management (APM / Wily / Introscope)


The following vulnerability may be detected in your environment:

Plugin Output: 
Path : e:\caapm\wily\bin\perfmoncollectoragent.exe
Used by services: PerfMonCollectorAgent


At least one improperly configured Windows service may have a privilege escalation vulnerability.

Vulnerability Description:

At least one Windows service executable with insecure permissions was detected on the remote host. Services configured to use an executable with weak permissions are vulnerable to privilege escalation attacks.
An unprivileged user could modify or overwrite the executable with arbitrary code, which would be executed the next time the service is started. Depending on the user that the service runs as, this could result in privilege escalation.


APM 10.7
.Net Agent all versions


In a default .NET agent installation, the performance collector agent service runs under the local system account, and only authorized and system users have write/modify permissions on perfmoncollectoragent.exe.


By default, the local system account has full control of the wily folder in the .NET Agent installation. For the perfmon collector to function properly, the local system account should have at least read, write, modify and execute permissions for the wily folder and the files under it. To allow the .NET agent to run smoothly, check whether your security policy has any restrictions or specific rules against this.
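
One way to check the scanner finding against the actual ACLs, as an added example that is not part of the original article or the product's tooling. It resolves the executable from the service name shown in the plugin output and lists Allow entries with write-capable rights on the executable and its folder; the set of trusted principals (SYSTEM, Administrators, TrustedInstaller) is an assumption to adjust to your own policy.

```powershell
# Added example: list non-trusted principals that can modify a service's executable.
param([string]$ServiceName = 'PerfMonCollectorAgent')   # name from the plugin output

# Assumption: only these SIDs are expected to hold write access.
$TrustedSids = @(
    'S-1-5-18',        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow replacing the file or rewriting its ACL, plus the raw
# GENERIC_WRITE / GENERIC_ALL bits (0x50000000) that inherit-only folder ACEs can carry.
$Rights = [System.Security.AccessControl.FileSystemRights]
$Mask = [int]$Rights'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }

# PathName may be quoted and may carry arguments; keep only the executable path.
if     ($svc.PathName -match '^\s*"([^"]+)"')   { $exe = $Matches[1] }
elseif ($svc.PathName -match '^\s*(.+?\.exe)')  { $exe = $Matches[1] }
else   { throw "Cannot parse executable path from: $($svc.PathName)" }

Write-Output "Service $ServiceName runs as '$($svc.StartName)' from $exe"

# Check the executable and its parent folder: write access to either allows replacement.
$findings = foreach ($path in @($exe, (Split-Path $exe -Parent))) {
    $rules = (Get-Acl -LiteralPath $path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $Mask) -eq 0) { continue }
        $sid = $ace.IdentityReference.Value
        if ($TrustedSids -contains $sid) { continue }
        # Resolve a display name where possible; orphaned SIDs stay as SIDs.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }
        [pscustomobject]@{
            Path = $path; Identity = $name; Sid = $sid
            Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output 'No write-capable entries outside the trusted set.' }
```

An empty result on a default installation is consistent with the statement above that only authorized and system users hold write/modify permissions; any listed entry is a principal to review against your security policy.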

Additional Information

The following KB articles can also be useful when troubleshooting other similar issues in general:

APM - DotNET Agent will not connect to the Introscope Enterprise Manager

APM Introscope .NET Agent - Troubleshooting and Best Practices