How to: Disable the SysPlant / SysGuard drivers on SPA clients without manually editing the registry

Article:TECH103259  |  Created: 2007-01-19  |  Updated: 2010-01-01  |  Article URL http://www.symantec.com/docs/TECH103259
Article Type
Technical Solution


Issue



You need to disable the SysPlant and SysGuard kernel drivers in Symantec Protection Agent (SPA) 5.x on a number of machines because of an application conflict, but you do not want to edit the registry manually on each machine.


Solution



In Symantec Enterprise Protection (SEP) 5.1 MR3, the kernel drivers are automatically disabled on the agent if no OS Protection or Buffer Overflow Protection policies are applied to its group.

For versions prior to MR3, you can create a Host Integrity rule that disables the drivers using the following settings:
    • Add a Custom Requirement to your Host Integrity rule.
    • Add a "Registry: Set registry value" rule with the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysGuard", the value name "Start" and the DWORD value "4".
    • Add a "Registry: Set registry value" rule with the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysPlant", the value name "Start" and the DWORD value "4".
    • Apply the new Host Integrity rule to the group containing the clients on which you wish to disable the drivers.
After the next reboot, the OS Protection and Buffer Overflow Protection drivers will not be loaded.




The same method can be used with the Symantec Endpoint Protection 11.x agent for the SysPlant driver if needed.
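
To confirm on a client that the rule took effect, the following read-only PowerShell check reads the "Start" value for both services and reports whether each driver is still loaded pending the reboot. It is an added example, not part of the original Symantec article; it assumes Windows PowerShell 3.0 or later (for Get-CimInstance), and the status strings are illustrative.

```powershell
# Added example: read-only check of the driver state described in this article.
# The service names and the Start value 4 come from the article; the rest is illustrative.
$drivers = 'SysGuard', 'SysPlant'

# Standard meanings of a service's "Start" DWORD.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

$report = foreach ($name in $drivers) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"

    # Configured start type; stays $null if the key or value is absent.
    $configured = $null
    if (Test-Path -Path $key) {
        $configured = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    }

    # Win32_SystemDriver shows whether the kernel driver is loaded right now.
    $loaded = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue

    $status = if ($null -eq $configured) {
        'Service key or Start value not found'
    } elseif ($configured -ne 4) {
        'Not disabled (Start is not 4)'
    } elseif ($loaded -and $loaded.State -eq 'Running') {
        'Disabled, reboot pending (driver still loaded)'
    } else {
        'Disabled and not loaded'
    }

    [pscustomobject]@{
        Driver      = $name
        StartValue  = $configured
        StartType   = if ($null -ne $configured) { $startNames[[int]$configured] } else { $null }
        DriverState = if ($loaded) { $loaded.State } else { 'Not registered' }
        Status      = $status
    }
}

$report | Format-Table -AutoSize
```

On a Symantec Endpoint Protection 11.x client, where only SysPlant applies, the SysGuard row is expected to report that the key was not found.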






Legacy ID



2007267476677998

