Endpoint Protection

  • 1.  Can you script disabling SAV tamper protection before installing SEP?

    Posted Dec 03, 2009 01:57 PM
    Hi, we have some admins at our school who are trying to migrate clients from SAV/SCS to SEP and we're having some trouble with tamper protection. Many of these clients are not managed, and they are running different versions of SAV/SCS, though they are all 10.x or 3.x. They would like to use Active Directory GPOs to install SEP; however, when the policy is applied to a system with SAV and tamper protection enabled, the result is a broken uninstall of SAV that needs to be CleanWiped before SEP can be installed manually. So we don't want to apply this GPO until we're sure all the clients have SAV removed or at least have tamper protection disabled.

    So is there any scriptable way to do this? Even the managed clients are a problem because they report to different servers with different groups and we don't want to disable tamper protection for everyone (though we'll do this if absolutely necessary). But the unmanaged clients are more of a problem, and we would like to create some sort of script that we can push out with GPOs to ensure tamper protection is OFF before the SEP installer runs. Any thoughts or suggestions? Thanks for the help!

    -Allison


  • 2.  RE: Can you script disabling SAV tamper protection before installing SEP?

    Posted Dec 03, 2009 02:06 PM

    The easiest way is to disable it via the registry.
    Navigate to
    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\SymProtect\RealTimeScan
    On the right-hand side you will find a key called Disabled.
    If it's 1, tamper protection is disabled.
    If it's 0, tamper protection is enabled.
    Run this before install; it should take care of the issue. Let me know if you have any other questions / concerns.



  • 3.  RE: Can you script disabling SAV tamper protection before installing SEP?

    Posted Dec 03, 2009 02:08 PM
     sc delete SPBBCDrv

    It will delete the Tamper Protection service and will change its start value to 4 = disabled.


  • 4.  RE: Can you script disabling SAV tamper protection before installing SEP?

    Posted Dec 03, 2009 05:52 PM
    I ran the command and got the status that the service was marked for deletion, but it never actually gets deleted. I believe the tamper protection is preventing the service from being deleted, that's the whole idea right? Is there any way around this short of disabling tamper protection in the GUI individually on all the machines?

    Also, the registry key mentioned doesn't seem to exist in the SAV/SCS install, only in SEP. I'm trying to disable tamper protection in SAV so I can install SEP -- is there a similar registry setting in SAV? And won't tamper protection prevent the changes to the registry?

    Thanks for the help,


  • 5.  RE: Can you script disabling SAV tamper protection before installing SEP?

    Posted Dec 04, 2009 12:05 AM

    Hello Jetjaguar,

    I should have mentioned it before.
    In SAV you will find all the keys under
    Intel\LANDesk.
    Here is the complete path for SAV:

    HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\Storages\SymProtect\RealTimeScan

    You can disable this under the registry.

    Tamper protection won't prevent registry changes.



  • 6.  RE: Can you script disabling SAV tamper protection before installing SEP?

    Posted Dec 04, 2009 04:09 AM
    It sets the service to Marked for Deletion; however, any service gets deleted only after a reboot.
    However, by running the command it sets Tamper Protection to Disabled (i.e. it changes the value of START from 1 to 4).
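
A read-only pre-install check for the state discussed in this thread, added here as an example and not posted by any participant: it reads the `Disabled` value under the SAV and SEP key paths quoted above and the `Start` value of the `SPBBCDrv` service, and exits non-zero if any of them still shows tamper protection enabled. The function names, the exit-code convention and PowerShell 3.0 or later are assumptions of this example.

```powershell
# Read-only check: reports tamper-protection state and changes nothing.
# Key paths, the "Disabled" value and the SPBBCDrv service come from the thread;
# the function names and the exit-code convention are assumptions of this example.
# A 32-bit install on 64-bit Windows may store these keys under
# SOFTWARE\Wow6432Node (not checked here).
$tamperKeys = [ordered]@{
    'SAV/SCS' = 'HKLM:\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\Storages\SymProtect\RealTimeScan'
    'SEP'     = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\SymProtect\RealTimeScan'
}
$driverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SPBBCDrv'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-TamperProtectionState {
    foreach ($product in $tamperKeys.Keys) {
        # Per the thread: Disabled = 1 means tamper protection is off, 0 means on.
        $value = Get-RegValue $tamperKeys[$product] 'Disabled'
        $state = if ($null -eq $value) { 'NotFound' } elseif ($value -eq 1) { 'Disabled' } else { 'Enabled' }
        [pscustomobject]@{ Check = "$product Disabled value"; Raw = $value; State = $state }
    }
    # Per the thread: a service Start value of 4 means disabled.
    $start = Get-RegValue $driverKey 'Start'
    $state = if ($null -eq $start) { 'NotFound' } elseif ($start -eq 4) { 'Disabled' } else { 'Enabled' }
    [pscustomobject]@{ Check = 'SPBBCDrv Start value'; Raw = $start; State = $state }
}

$report = @(Get-TamperProtectionState)
$report | Format-Table -AutoSize | Out-String

# Exit 1 if anything still reports Enabled, so a wrapper can hold back the
# SEP installer on this machine and log it for follow-up.
if ($report.State -contains 'Enabled') { exit 1 }
exit 0
```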