Tamper Protection alerts are triggered on Citrix servers running Symantec Endpoint Protection 12.1.

Article:TECH162566  |  Created: 2011-06-16  |  Updated: 2012-01-07  |  Article URL http://www.symantec.com/docs/TECH162566
Article Type
Technical Solution


If Symantec Endpoint Protection (SEP) is configured to notify the user of Tamper Protection violations, you will see an alert dialog box for an Actor Process related to Citrix memory optimization.


Tamper Protection is triggering due to Citrix Virtual Memory Optimization.


  1. Log on to the Symantec Endpoint Protection Manager Console with an administrator account.
  2. If you already have an Exceptions policy, proceed to step 3. Otherwise:
    1. Click Policies, then Exceptions.
    2. Click Add an Exceptions policy.
    3. Give the policy a suitable name, then click OK.
    4. Click Yes at the Assign Policy prompt.
    5. Place a checkmark next to the group(s) with your Citrix server(s).
    6. Click Assign to finish assigning the policy.
  3. Click Monitors, then click the Logs tab.
  4. In Log Type, select Application and Device Control.
  5. In Log Content, select Application Control.
  6. Click Advanced Settings >>.
  7. In Event Type, select Tamper Protection.
  8. If necessary, change the Time range to a range that includes the last Tamper Protection event.
  9. Click View Log. A list of Tamper Protection violations is displayed.
  10. Select an appropriate violation and, at the top of the window, choose Add Process to Exception Policy, then click Start.
  11. Confirm the file to be excluded is correct.
  12. Click Policies, then Exceptions.
  13. Select all the Exceptions policies you wish to add the exception to.
  14. Click OK to complete the process.
  15. If you receive a message from your browser about closing the window, click Yes.
  16. Click Policies, then Centralized Exceptions.
  17. Double-click the Centralized Exception policy you added the new exception to. The policy will open.
  18. On the left-hand side, click Centralized Exceptions and confirm the file is listed and has an Action of Ignore.

 Note: A reboot is required after applying Tamper Protection exception changes.
