What should I do when I get a Tamper Protection Alert?

Article:TECH97931  |  Created: 2009-01-07  |  Updated: 2009-01-09  |  Article URL http://www.symantec.com/docs/TECH97931
Article Type
Technical Solution


Issue

Symptoms

On your machine you receive a pop-up alert from Symantec AntiVirus or Symantec Endpoint Protection regarding a Tamper Protection alert.


Solution

1. In the alert, first identify the Target, the Actor Process and the Action Taken.
    The Target is the process which is being attacked.
    The Actor Process is the process that is doing the attacking.
    The Action Taken is the action that Tamper Protection performed in response to the attack.

2. Next, consider whether the Actor Process is a valid process or whether it could be suspicious.

3. If the Actor Process is a legitimate process:

If you are using Symantec Endpoint Protection (SEP), you might want to consider adding a Tamper Protection exclusion. For more information, please read:

Title: How to Create Exceptions or Exclusions for Tamper Protection Alerts that have already been logged.
Doc ID: 2009022412404548
URL: http://service1.symantec.com/support/ent-security.nsf/docid/2009022412404548

If you are using Symantec AntiVirus (SAV) 10.x or Symantec Client Security (SCS) 3.x, unfortunately there is no facility to add Tamper Protection exclusions. Tamper Protection was introduced to Symantec AntiVirus 10.x and Symantec Client Security 3.x as an additional security feature. You can disable this feature, but you should consider this very carefully, as you are reducing the level of security on your machine(s). For more information on configuring Tamper Protection, please read:

Title: Using Tamper Protection in Symantec AntiVirus 10.x and Symantec Client Security 3.x
Doc ID: 2005033111081548
URL: http://service1.symantec.com/ent-security.nsf/docid/2005033111081548

4. If you suspect the Actor Process could be a potential threat to your environment, you should submit the suspicious process to Symantec Security Response for analysis so that we can verify whether the process is malicious.

For information on how to submit a file to Security Response, please read:

Title: How to Use the Web Submission Process
Doc ID: 2007090711312848
URL: http://service1.symantec.com/support/ent-security.nsf/docid/2007090711312848

Title: The Symantec Security Response sample submission process
Doc ID: 199822105339
URL: http://service1.symantec.com/support/ent-security.nsf/docid/199822105339

You should also run a Full System Scan with the latest definitions and check whether any Risks are being detected by your AntiVirus product in the Risk History/Log.

5. Alternatively, you can also change the action taken on the event. In SEP you can set the action to 'Block it and log the event' or 'Log the event only'; in SAV/SCS you can set the value to 'Block' or 'Log Only'.
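The five steps above amount to a small triage procedure: pull the Target, Actor Process and Action Taken out of the alert, decide whether the actor is known-legitimate, and route the alert to either an exclusion review or a Security Response submission. The script below is an added example (it is not Symantec code and is not from this article). The alert text it parses is a constructed layout that simply uses the three field labels the article names; real product alerts may word or order the fields differently, so FIELD_RE is an assumption to adapt. The allowlist of vetted actor paths and the action values 'Blocked' / 'Logged' are likewise hypothetical.

```python
"""Triage helper for Tamper Protection alerts (added example, not Symantec code)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample alerts. Only the field labels (Target, Actor Process,
# Action Taken) are taken from the article; the layout is an assumption.
SAMPLE_ALERTS = [
    "Tamper Protection Alert. "
    "Target: C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Rtvscan.exe "
    "Actor Process: C:\\Program Files\\BackupTool\\backup.exe (PID 4120) "
    "Action Taken: Blocked",
    "Tamper Protection Alert. "
    "Target: C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe "
    "Actor Process: C:\\Users\\Public\\svchost.exe (PID 3388) "
    "Action Taken: Logged",
]

LABELS = ("Target", "Actor Process", "Action Taken")

# Each field runs from its label up to the next label or the end of the text,
# so the fields may appear in any order.
FIELD_RE = re.compile(
    r"(Target|Actor Process|Action Taken):\s*(.*?)"
    r"(?=\s+(?:Target|Actor Process|Action Taken):|$)",
    re.DOTALL,
)
# Optional "(PID n)" suffix on the actor path (assumed layout).
PID_RE = re.compile(r"\s*\(PID\s+\d+\)\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class TamperAlert:
    target: str   # process being attacked
    actor: str    # process doing the attacking, PID suffix removed
    action: str   # what Tamper Protection did


def parse_alert(text: str) -> TamperAlert:
    """Step 1: identify Target, Actor Process and Action Taken."""
    fields = {label: value.strip() for label, value in FIELD_RE.findall(text)}
    missing = [label for label in LABELS if label not in fields]
    if missing:
        raise ValueError(f"alert is missing fields: {missing}")
    return TamperAlert(
        target=fields["Target"],
        actor=PID_RE.sub("", fields["Actor Process"]),
        action=fields["Action Taken"],
    )


def normalize_path(path: str) -> str:
    """Windows paths are case-insensitive; compare them in one canonical form."""
    return path.strip().strip('"').lower()


# Hypothetical allowlist: actor paths an administrator has already vetted.
KNOWN_LEGITIMATE_ACTORS = frozenset(
    normalize_path(p) for p in [r"C:\Program Files\BackupTool\backup.exe"]
)


def triage(alert: TamperAlert, allowlist=KNOWN_LEGITIMATE_ACTORS) -> str:
    """Steps 2-5: classify the actor and flag attempts that were not blocked."""
    if normalize_path(alert.actor) in allowlist:
        return "legitimate"
    # Unknown actor: treat as a potential threat (step 4). If the action was
    # only logged, the tampering attempt may have succeeded, so rank it higher.
    if alert.action.lower().startswith("block"):
        return "suspicious"
    return "suspicious-unblocked"


def recommendation(verdict: str) -> str:
    """Map a verdict onto the article's guidance."""
    return {
        "legitimate": "Consider a Tamper Protection exclusion (SEP) or review the "
                      "Tamper Protection settings (SAV 10.x / SCS 3.x).",
        "suspicious": "Submit the Actor Process to Security Response and run a "
                      "Full System Scan with the latest definitions.",
        "suspicious-unblocked": "As for 'suspicious', and also review the Tamper "
                                "Protection action setting: this attempt was logged "
                                "but not blocked.",
    }[verdict]


def triage_alerts(alerts: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (actor path, verdict) for each alert text."""
    results = []
    for text in alerts:
        alert = parse_alert(text)
        results.append((alert.actor, triage(alert)))
    return results


if __name__ == "__main__":
    for actor, verdict in triage_alerts(SAMPLE_ALERTS):
        print(f"{actor}: {verdict} -> {recommendation(verdict)}")
```

The allowlist is the part to maintain carefully: an entry means "we have verified this process and accept that it touches the AntiVirus processes", which is exactly the judgement step 2 asks for, so it should only grow after that review has been done.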



References

For more information on configuring Tamper Protection features, please refer to your product manual, either from the Documentation folder on your CD/download or via the ftp links:
Legacy ID

2009120709215048