Endpoint Protection

  • 1.  Add this to Centralized exceptions policy?

    Posted Feb 21, 2011 05:47 PM

    I keep getting alerts about the Altiris agent, but only on one machine (which happens to be our SEP server).

     

    Event Time: 02/21/2011 15:16:02
    Event Type: Tamper Protection
    Severity: Minor
    Number: 1
    Domain: Default
    Server: SRV-xx1
    Group: My Company\Internal Servers
    Computer: SRV-xx1
    IP Address:
    Operating System: Windows Server 2008
    Client User Name: xxxxx
    Rule Name:
    Action: Block
    Caller process: C:/Windows/system32/taskmgr.exe
    Target: D:/Program Files/Altiris Agent/AeXAgentUIHost.exe
    Event Description: "D:\Program Files\Altiris Agent\AeXAgentUIHost.exe"

    When I use the logs to add an exception (Monitor > Logs then using the Add file to Centralized Exceptions Policy) it's adding taskmgr.exe. I guess I'm confused about how to read the log above, but I would assume I would want to add AeXAgentUIHost.exe as the exception, not Task Manager. Or is it that SEP thinks the Task Manager is trying to attack AeXAgentUIHost?

    Could someone clarify this for me?

     

    Thanks,

    Dan



  • 2.  RE: Add this to Centralized exceptions policy?

    Posted Feb 21, 2011 05:50 PM

     

    Caller process: C:/Windows/system32/taskmgr.exe
    Target: D:/Program Files/Altiris Agent/AeXAgentUIHost.exe
    Event Description: "D:\Program Files\Altiris Agent\AeXAgentUIHost.exe"

     Oops, couldn't see the last two columns after I posted...



  • 3.  RE: Add this to Centralized exceptions policy?
    Best Answer

    Posted Feb 21, 2011 06:07 PM

    This is a Tamper Protection alert, not a security risk event, so add a Tamper Protection Exclusion for this file.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/c291bf8d5d97b5f68025736200576f9d?OpenDocument



  • 4.  RE: Add this to Centralized exceptions policy?

    Posted Feb 22, 2011 06:19 AM

    Did you try to terminate the AeXAgentUIHost.exe process with Task Manager? In this case Tamper Protection intervenes and protects the process from being terminated. (Or the operation is logged.) Yes, the Task Manager can be the "attacker".



  • 5.  RE: Add this to Centralized exceptions policy?

    Posted Feb 22, 2011 03:04 PM

    Greg, no, it was on startup. After some reading, I believe the taskmgr was trying to kill the process because it was a duplicate. I added this exception to the policy; I'll watch to see if it causes issues with our Altiris agents.

    Thank you for your help guys. 



  • 6.  RE: Add this to Centralized exceptions policy?

    Posted Feb 22, 2011 03:09 PM

    Hope you made a Tamper Protection exception.