
CSCRIPT.EXE in tamper protection events

Created: 12 Nov 2013 • Updated: 13 Nov 2013 | 5 comments

Dear all,

I'm using SEP 12.1 RU2 in my environment. Recently I have observed that I'm getting entries of cscript.exe tampering with snac.exe.

Does anyone have any clue about it?


James007


You can Create Tamper Protection Exceptions

What should I do when I get a Tamper Protection Alert?

How to Create Exceptions or Exclusions for Tamper Protection Alerts that have already been logged

Creating Tamper Protection Exception

Darshan G. Parab

Hi James,

Thanks for the reply. But my concern is not about creating a tamper protection exception. I'm interested in knowing if this behaviour is normal and what the cause behind it is.

ᗺrian

For some reason it is trying to touch a process related to SEP. In order to find out what it's doing, you need to use Process Monitor or another similar tool to look at file/registry events.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

John Q.

cscript.exe is not specific to an application/script, and can therefore be used for many purposes.

Did you identify any activity (e.g. scheduled task, maintenance script, 3rd party tool, update, user activity through command-line) running at the time when the Tamper alert is triggered?

Tamper event details are also important here:

 - Which SNAC element is actually reported in the event (e.g. EXE, file, registry value)?

 - What does cscript try to do against it (e.g. Open Process/Terminate in the case of SNAC.EXE, Modify in the case of registry value)?

Please remember to mark the proper comment as SOLUTION:
 - to identify threads that do not require further assistance
 - to let other visitors know how to fix such issue
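
One way to answer the "what was running at that time" question above, as an added example that is not from any poster in this thread: list cscript.exe process-creation events (Security log, Event ID 4688) around the time of the Tamper Protection entry, with the script command line and launching process. It assumes "Audit Process Creation" is enabled and, for the CommandLine field, that command-line logging is turned on; `$AlertTime` is a constructed placeholder.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Assumption: process-creation auditing (Event ID 4688) is enabled on this client.
$AlertTime = Get-Date '2013-11-12 10:15:00'   # constructed placeholder: time of the tamper log entry
$Window    = New-TimeSpan -Minutes 5          # look 5 minutes either side of the alert

$filter = @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $AlertTime - $Window
    EndTime   = $AlertTime + $Window
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['NewProcessName'] -like '*\cscript.exe') {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                User          = $data['SubjectUserName']
                Process       = $data['NewProcessName']
                # Empty unless command-line logging is enabled
                CommandLine   = $data['CommandLine']
                # Only populated on newer Windows versions; otherwise use CreatorPid
                ParentProcess = $data['ParentProcessName']
                # "ProcessId" in a 4688 event is the creator (parent) PID, stored as hex
                CreatorPid    = [Convert]::ToInt32($data['ProcessId'], 16)
            }
        }
    } |
    Sort-Object Time |
    Format-List
```

The CommandLine value shows which script cscript.exe was running, and the parent process or creator PID shows what launched it (for example a scheduled task host or the SEP/SNAC client itself).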

Beppe


In environments with SNAC in use, cscript.exe is used in some HI rules, for example those in the templates about password complexity, age, etc.

I've been told by Symantec engineering that, due to some required internal checks on the status of SEP processes while running scripts, those tamper protection alerts are triggered. This is expected, i.e. "by design"; the only solution is to add a tamper protection exception (or not log those events).