Configuring Tamper Protection

Article:HOWTO27623  |  Created: 2010-01-09  |  Updated: 2011-06-08  |  Article URL http://www.symantec.com/docs/HOWTO27623
Article Type: How To


You can enable and disable Tamper Protection and configure the action that it takes when it detects a tampering attempt. You can also configure it to notify users when it detects a tampering attempt.

A best practice when you first use Symantec Endpoint Protection is to set the action to "Log the event only" while you monitor the logs once a week. When you are comfortable that you see no false positives, set Tamper Protection to "Block it and log the event".

See About Tamper Protection.

You can configure a message to appear on clients when Symantec Endpoint Protection detects a tamper attempt. By default, notification messages appear when the software detects a tamper attempt.

The message that you create can contain a mix of text and variables. The variables are populated with the values that identify characteristics of the attack. If you use a variable, you must type it exactly as it appears.

Table: Tamper Protection message variables and descriptions describes the variables you can use to configure a message.

Table: Tamper Protection message variables and descriptions

| Field | Description |
|---|---|
| [ActionTaken] | The action that Tamper Protection performed to respond to the attack. |
| [ActorProcessID] | The ID number of the process that attacked a Symantec application. |
| [ActorProcessName] | The name of the process that attacked a Symantec application. |
| [Computer] | The name of the computer that was attacked. |
| [DateFound] | The date on which the attack occurred. |
| [EntityType] | The type of target that the process attacked. |
| [Filename] | The name of the file that attacked the protected processes. |
| [Location] | The area of the computer hardware or software that was protected from tampering. For Tamper Protection messages, this field is Symantec applications. |
| [PathAndFilename] | The complete path and name of the file that attacked protected processes. |
| [SystemEvent] | The type of the tamper attempt that occurred. |
| [TargetPathname] | The location of the target that the process attacked. |
| [TargetProcessID] | The process ID of the target that the process attacked. |
| [TargetTerminalSession ID] | The ID of the terminal session during which the event occurred. |
| [User] | The name of the logged-on user when the attack occurred. |


To enable or disable Tamper Protection

  1. In the console, click Clients.

  2. On the Policies tab, under Settings, click General Settings.

  3. On the Tamper Protection tab, check or uncheck Protect Symantec security software from being tampered with or shut down.

  4. Click the lock icon if you do not want users to be able to change this setting.

  5. Click OK.

To configure basic Tamper Protection settings

  1. In the console, click Clients.

  2. On the Policies tab, under Settings, click General Settings.

  3. On the Tamper Protection tab, in the list box, select one of the following actions:

    • To block and log unauthorized activity, click Block it and log the event.

    • To log unauthorized activity but allow the activity to take place, click Log the event only.

  4. Click the lock icon if you do not want users to be able to change this setting.

  5. Click OK.

To enable and customize Tamper Protection notification messages

  1. In the console, click Clients.

  2. On the Policies tab, under Settings, click General Settings.

  3. On the Tamper Protection tab, click Display a notification message when tampering is detected.

  4. To modify the default message, type additional text or delete text in the text field box.

    If you use a variable, you must type it exactly as it appears.

  5. Click the lock icon if you do not want users to be able to change this setting.

  6. Click OK.
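
A pre-deployment check for the message text, added here as an illustration (it is not Symantec code): it compares every bracketed token in a draft message against the variable names in the table above and flags near-misses before the policy is pushed to clients. It assumes matching is case-sensitive, as "exactly as it appears" implies; the name lint_message and the sample message are constructed for this example.

```python
import difflib
import re

# Variable names copied from the table on this page, without the brackets.
KNOWN_VARIABLES = (
    "ActionTaken", "ActorProcessID", "ActorProcessName", "Computer",
    "DateFound", "EntityType", "Filename", "Location", "PathAndFilename",
    "SystemEvent", "TargetPathname", "TargetProcessID",
    "TargetTerminalSession ID", "User",
)
# Case- and space-insensitive lookup, used only to suggest the intended name.
FOLDED = {v.replace(" ", "").lower(): v for v in KNOWN_VARIABLES}
TOKEN = re.compile(r"\[([^\[\]]*)\]")


def lint_message(template):
    """Return (used, problems): known variables in order of first use, and
    (token, suggestion-or-None) for each token that is not an exact match."""
    used, problems = [], []
    for match in TOKEN.finditer(template):
        name = match.group(1)
        if name in KNOWN_VARIABLES:      # exact, case-sensitive match
            if name not in used:
                used.append(name)
            continue
        key = name.replace(" ", "").lower()
        guess = FOLDED.get(key)          # wrong case or spacing only
        if guess is None:                # otherwise look for a likely typo
            close = difflib.get_close_matches(key, list(FOLDED), n=1, cutoff=0.8)
            guess = FOLDED[close[0]] if close else None
        problems.append((match.group(0), "[%s]" % guess if guess else None))
    # A bracket left over after removing complete tokens is unbalanced.
    leftover = TOKEN.sub("", template)
    if "[" in leftover or "]" in leftover:
        problems.append(("unbalanced bracket", None))
    return used, problems


# Constructed sample message, not the product's default text.
SAMPLE = ("Tamper attempt on [Computer] at [DateFound]: [ActorProcessname] "
          "(PID [ActorProcessId]) hit [TargetPathName]; action: [ActionTaken]. [Usr")

if __name__ == "__main__":
    used, problems = lint_message(SAMPLE)
    print("recognised:", used)
    for token, hint in problems:
        print("check %s -> %s" % (token, hint or "no table entry is close"))
```

A token reported with no suggestion may be intentional literal text in brackets; review it rather than treating it as an error.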


Legacy ID: 350043

