Endpoint Protection

  • 1.  Application Control Events questions (Constant emails)

    Posted Aug 23, 2011 10:32 AM

    SEPM 12.1

    client version 12.1.671.4971

     

    Ever since allowing the monitoring and emailing of application control events, it seems like I get multiple a day. On 8/16, I got around 30-50 from the same client. It is an allow alert, but it is constantly sending me an email stating that it is allowed.

     

    Can someone help me determine what is causing the alert on this one machine? Also, how is the event triggered?

     

    From what I can tell, Search Protocol Host is triggering this alert. Please help me decipher it and look for possible resolutions.

     

    Event Time: 08/12/2011 10:32:41
    Event Type: Tamper Protection
    Severity: Major
    Number: 1
    Domain: XXXXX.com
    Server: AV1
    Group: My Company\Computers From AD\Computers
    Computer: CD101231
    IP Address: 10.0.12.12
    Operating System: Windows 7
    Client User Name: SYSTEM
    Rule Name:
    Action: Allow
    Caller process: C:\WINDOWS\SYSTEM32\SEARCHPROTOCOLHOST.EXE
    Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
    Event Description: "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe"

     

     

     

    Thanks

    Ian



  • 2.  RE: Application Control Events questions (Constant emails)

    Posted Aug 23, 2011 11:01 AM

    This is caused by Tamper Protection; it is not from Application and Device Control.

    Create the Tamper Protection exception for this:

    http://www.symantec.com/business/support/index?page=content&id=TECH104326



  • 3.  RE: Application Control Events questions (Constant emails)

    Trusted Advisor
    Posted Aug 23, 2011 11:24 AM

    Hello,

    Here are articles which speak on the same issue.

    Please check these articles.

    Symantec Endpoint Protection 12.1 triggers Tamper Protection on Citrix server

    http://www.symantec.com/docs/TECH163672

    Tamper Protection is triggered on Citrix servers running Symantec Endpoint Protection 12.1

    http://www.symantec.com/docs/TECH162566

     

    Symantec Endpoint Protection 12.1: Tamper Protection causes continuous reboot after cloning or sysprep
     

     

    Hope this may help you!!!



  • 4.  RE: Application Control Events questions (Constant emails)

    Posted Aug 23, 2011 11:33 AM

    I apologize, I knew it was Tamper Protection; I just named it after the warning in the email. It is not a warning, as it is an informative email. I was just curious if this is the only option, to make an exception.

    After doing some digging, I noticed a few others that cause this email.

     

    When one of our developers runs Visual Studio, it throws up this application control event:

     

    Event Time: 08/22/2011 08:49:44
    Event Type: Tamper Protection
    Severity: Major
    Number: 1
    Domain: XXXX.com
    Server: AV1
    Group: My Company\Computers From AD\Computers
    Computer: CD101224
    IP Address: 10.0.10.14
    Operating System: Windows 7
    Client User Name: dbrown
    Rule Name:
    Action: Allow
    Caller process: C:\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7\IDE\DEVENV.EXE
    Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe
    Event Description: "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe"

    Event Time: 08/22/2011 08:49:44
    Event Type: Tamper Protection
    Severity: Major
    Number: 1
    Domain: XXXX.com
    Server: AV1
    Group: My Company\Computers From AD\Computers
    Computer: CD101224
    IP Address: 10.0.10.14
    Operating System: Windows 7
    Client User Name: dbrown
    Rule Name:
    Action: Allow
    Caller process: C:\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7\IDE\DEVENV.EXE
    Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
    Event Description: "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe"

    Event Time: 08/22/2011 08:49:44
    Event Type: Tamper Protection
    Severity: Major
    Number: 1
    Domain: XXXX.com
    Server: AV1
    Group: My Company\Computers From AD\Computers
    Computer: CD101224
    IP Address: 10.0.10.14
    Operating System: Windows 7
    Client User Name: dbrown
    Rule Name:
    Action: Allow
    Caller process: C:\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7\IDE\DEVENV.EXE
    Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
    Event Description: "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe"

     

    And one of our conference machines will throw up an application control event which looks like a reference to IE:

     

    Event Time: 08/23/2011 03:02:33
    Event Type: Tamper Protection
    Severity: Major
    Number: 1
    Domain: XXXX.com
    Server: AV1
    Group: My Company\Computers From AD\Service Computers
    Computer: CD101211
    IP Address: 10.0.12.21
    Operating System: Windows 7
    Client User Name: SYSTEM
    Rule Name:
    Action: Allow
    Caller process: C:\WINDOWS\TEMP\IE984F4.TMP\IE9-SUPPORT\IENRCORE.EXE
    Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe
    Event Description: "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe"

    Event Time: 08/23/2011 03:02:33
    Event Type: Tamper Protection
    Severity: Major
    Number: 1
    Domain: XXXX.com
    Server: AV1
    Group: My Company\Computers From AD\Service Computers
    Computer: CD101211
    IP Address: 10.0.12.21
    Operating System: Windows 7
    Client User Name: SYSTEM
    Rule Name:
    Action: Allow
    Caller process: C:\WINDOWS\TEMP\IE984F4.TMP\IE9-SUPPORT\IENRCORE.EXE
    Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
    Event Description: "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe"

     

     

    Again, I am just trying to understand what is causing this email and whether I can remedy this other than with an exception on the SEP manager.

     

    Thanks for the previous answers, and thanks in advance.
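    The records in this thread all have Action "Allow", so nothing was blocked: each one is Tamper Protection logging that some process opened a handle to a SEP process (ccSvcHst.exe or Smc.exe), and the e-mail rule forwards every one of them. Before deciding per caller whether an exception is appropriate, it helps to collapse the flood into one line per computer/caller/target pair and to see which callers deserve a closer look. The script below is an added example written for this thread, not code from the original posts or from Symantec; the '|'-separated record layout, the field order taken from the e-mail columns, and all sample events (built from the values posted above, with a couple of extra timestamps) are constructed for the example, and SEPM does not export events in this form.

```python
"""Aggregate SEPM Tamper Protection notifications per caller/target pair and
decide which of a burst would have been worth an e-mail.  Added example; the
'|' layout and the sample records are constructed, not a SEPM export."""
from collections import Counter
from datetime import datetime, timedelta
import ntpath

# Column order as it appears in the notification e-mails quoted in the thread.
FIELDS = ["Event Time", "Event Type", "Severity", "Number", "Domain", "Server",
          "Group", "Computer", "IP Address", "Operating System",
          "Client User Name", "Rule Name", "Action", "Caller process",
          "Target", "Event Description"]

SEP_BIN = r"C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin"
AD = r"My Company\Computers From AD"
VS = r"C:\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7\IDE\DEVENV.EXE"
IE = r"C:\WINDOWS\TEMP\IE984F4.TMP\IE9-SUPPORT\IENRCORE.EXE"
SPH = r"C:\WINDOWS\SYSTEM32\SEARCHPROTOCOLHOST.EXE"


def _rec(time, group, computer, ip, user, caller, target):
    """Build one '|'-separated record in FIELDS order (separator chosen here)."""
    tpath = ntpath.join(SEP_BIN, target)
    return "|".join([time, "Tamper Protection", "Major", "1", "XXXX.com", "AV1",
                     group, computer, ip, "Windows 7", user, "", "Allow",
                     caller, tpath, '"%s"' % tpath])


# Constructed sample: the three bursts described in the thread.
SAMPLE = "\n".join([
    _rec("08/12/2011 10:32:41", AD + r"\Computers", "CD101231", "10.0.12.12", "SYSTEM", SPH, "ccSvcHst.exe"),
    _rec("08/12/2011 10:32:45", AD + r"\Computers", "CD101231", "10.0.12.12", "SYSTEM", SPH, "ccSvcHst.exe"),
    _rec("08/12/2011 10:33:10", AD + r"\Computers", "CD101231", "10.0.12.12", "SYSTEM", SPH, "ccSvcHst.exe"),
    _rec("08/22/2011 08:49:44", AD + r"\Computers", "CD101224", "10.0.10.14", "dbrown", VS, "Smc.exe"),
    _rec("08/22/2011 08:49:44", AD + r"\Computers", "CD101224", "10.0.10.14", "dbrown", VS, "ccSvcHst.exe"),
    _rec("08/22/2011 08:49:44", AD + r"\Computers", "CD101224", "10.0.10.14", "dbrown", VS, "ccSvcHst.exe"),
    _rec("08/23/2011 03:02:33", AD + r"\Service Computers", "CD101211", "10.0.12.21", "SYSTEM", IE, "Smc.exe"),
    _rec("08/23/2011 03:02:33", AD + r"\Service Computers", "CD101211", "10.0.12.21", "SYSTEM", IE, "ccSvcHst.exe"),
])


def parse_records(text):
    """Parse '|'-separated records into dicts keyed by FIELDS, with the Event
    Time converted to a datetime so events can be ordered and windowed."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError("expected %d fields, got %d: %r" % (len(FIELDS), len(parts), line))
        ev = dict(zip(FIELDS, parts))
        ev["_time"] = datetime.strptime(ev["Event Time"], "%m/%d/%Y %H:%M:%S")
        events.append(ev)
    return events


def event_key(ev):
    """(computer, caller, target), the triple an exception or a suppression
    rule is really about; paths are reduced to basenames for grouping only."""
    return (ev["Computer"],
            ntpath.basename(ev["Caller process"]).lower(),
            ntpath.basename(ev["Target"]).lower())


def summarize(events):
    """Count events per key: 30-50 identical e-mails become one line."""
    return Counter(event_key(ev) for ev in events)


def throttle(events, window_seconds):
    """Return (events worth mailing, suppressed count): the first event per key
    is sent, then at most one more per window while the pair keeps firing."""
    window = timedelta(seconds=window_seconds)
    last_sent, notify, suppressed = {}, [], 0
    for ev in sorted(events, key=lambda e: e["_time"]):
        k = event_key(ev)
        if k in last_sent and ev["_time"] - last_sent[k] < window:
            suppressed += 1
            continue
        last_sent[k] = ev["_time"]
        notify.append(ev)
    return notify, suppressed


TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def callers_to_review(events):
    """Callers running from a temporary directory: such a path cannot be
    excepted in a stable way, so identify what dropped the binary first."""
    return sorted({ev["Caller process"] for ev in events
                   if any(m in ev["Caller process"].lower() for m in TEMP_MARKERS)})


if __name__ == "__main__":
    evs = parse_records(SAMPLE)
    for key, n in summarize(evs).most_common():
        print("%-10s %-25s -> %-14s %d" % (key + (n,)))
    sent, dropped = throttle(evs, 3600)
    print("would mail %d, suppress %d" % (len(sent), dropped))
    print("review before excepting:", callers_to_review(evs))
```

    With a one-hour window the eight sample events become five e-mails and three suppressions; the only caller flagged for review is the IE9 installer helper running out of C:\WINDOWS\TEMP, which is also the one a path-based exception would not reliably match. The Search Protocol Host and devenv.exe pairs are stable paths and are the candidates for the exception described in TECH104326.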