How to Create Exceptions or Exclusions for Tamper Protection Alerts that have already been logged

Article:TECH92553  |  Created: 2009-01-24  |  Updated: 2010-01-23  |  Article URL http://www.symantec.com/docs/TECH92553
Article Type
Technical Solution

Symptoms
The following are examples of Tamper Protection alerts that may already have been logged.


SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec\LiveUpdate\LUALL.EXE
Event Info: Set Information Process
Action Taken: Blocked
Actor Process: D:\Program Files\Microsoft Virtual Server\vmh.exe (PID 3020)
Time: Wednesday, January 16, 2008 3:48:06 PM

SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
Event Info: Set Information Process
Action Taken: Blocked
Actor Process: D:\Program Files\Microsoft Virtual Server\vmh.exe (PID 3020)
Time: Wednesday, January 16, 2008 3:48:06 PM

SYMANTEC TAMPER PROTECTION ALERT
Target: D:\Program Files\sav\VPTray.exe
Event Info: Set Information Process
Action Taken: Blocked
Actor Process: D:\Program Files\Microsoft Virtual Server\vmh.exe (PID 3020)
Time: Wednesday, January 16, 2008 3:48:06 PM

SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Event Info: Set Information Process
Action Taken: Blocked
Actor Process: D:\Program Files\Microsoft Virtual Server\vmh.exe (PID 3020)
Time: Wednesday, January 16, 2008 3:48:06 PM


Cause



The "SYMANTEC TAMPER PROTECTION ALERT" entries point to CPU utilization management executables as the actor process acting on Symantec processes.

Solution



How to add a Centralized Exceptions Policy if you do not already have one to edit

1. Open the Symantec Endpoint Protection Manager.
2. Click Policies.
3. Click Centralized Exceptions.
4. Click "Add a Centralized Exceptions Policy".
5. Click OK.
6. The Assign Policy dialog box appears.
7. Click Yes to assign the policy to the group or groups of your choice.
8. Check the box next to the group to which you would like to assign the policy.
9. Click Assign.

How to create exclusions and exceptions for Tamper Protection, Application Control Driver, or Application Control Rules

Example: Tamper Protection

The following procedure requires that Tamper Protection alerts have already been logged.

1. Click Monitors.
2. Click the Logs tab.
3. For Log type, choose Application & Device Control.
4. Click Advanced Settings.
5. For Event Type, select Tamper Protection.
6. Click View Logs.
7. Click a tamper protection event that contains the executable to exclude.
8. At the top of the table, in the Action box, choose: Add file to Centralized Exceptions Policy.
9. Click Start.
10. Verify that the Process File to be added is correct. This is the Actor Process, not the Target.
11. Select the Centralized Exceptions policy to which you want to add the new exception.
12. Click OK.
13. Click OK at the Message box.
14. When the client next checks in with the SEPM, it receives the new policy according to its heartbeat interval.

Note: The default Communication Settings mode is Push, which means the server maintains a constant connection to the clients. The SEPM prompts the clients to check in immediately for the updated policy.
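As an added example that is not part of this article, the following Python script parses alerts in the text format shown under Symptoms and groups the blocked events by Actor Process, the value that step 10 tells you to verify before adding an exception. The sample alert text is constructed from the entries above, and the function and constant names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the alert format shown under Symptoms (two of the four alerts).
SAMPLE_ALERTS = r"""
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec\LiveUpdate\LUALL.EXE
Event Info: Set Information Process
Action Taken: Blocked
Actor Process: D:\Program Files\Microsoft Virtual Server\vmh.exe (PID 3020)
Time: Wednesday, January 16, 2008 3:48:06 PM

SYMANTEC TAMPER PROTECTION ALERT
Target: D:\Program Files\sav\VPTray.exe
Event Info: Set Information Process
Action Taken: Blocked
Actor Process: D:\Program Files\Microsoft Virtual Server\vmh.exe (PID 3020)
Time: Wednesday, January 16, 2008 3:48:06 PM
"""

# "Actor Process" carries the executable path followed by an optional " (PID nnnn)" suffix.
ACTOR_RE = re.compile(r"^(?P<path>.+?)(?: \(PID (?P<pid>\d+)\))?$")

def parse_alerts(text):
    """Split the log text into alert blocks and return one dict per Tamper Protection alert."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        if not lines or lines[0].strip() != "SYMANTEC TAMPER PROTECTION ALERT":
            continue  # ignore blocks that are not Tamper Protection alerts
        fields = {}
        for line in lines[1:]:
            key, _, value = line.partition(":")  # first colon only: paths and times contain colons
            fields[key.strip()] = value.strip()
        m = ACTOR_RE.match(fields.get("Actor Process", ""))
        alerts.append({
            "target": fields.get("Target", ""),
            "action": fields.get("Action Taken", ""),
            "actor_path": m.group("path") if m else "",
            "actor_pid": int(m.group("pid")) if m and m.group("pid") else None,
        })
    return alerts

def exclusion_candidates(alerts):
    """Group blocked alerts by actor path: the Actor Process, not the Target, is what step 10 adds."""
    by_actor = defaultdict(set)
    for a in alerts:
        if a["action"] == "Blocked" and a["actor_path"]:
            by_actor[a["actor_path"]].add(a["target"])
    return {actor: sorted(targets) for actor, targets in by_actor.items()}
```

Reviewing each actor together with the Symantec targets it touched shows whether a single legitimate management executable accounts for all the alerts before you exclude it.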

Legacy ID
2009022412404548