Endpoint Protection

Hi,

Do you have any ideas on how to prevent managed users from initiating the smc.exe -stop command from windows run command?
Can we do a policy on the SEP which will block users from initiating the smc.exe -stop command?

thanks,
jun

 Why not disable run option for users? Control Admin access for users. Not sure if we can do it from SEP policy

Hi Jhun,

Pls enable tamper protection from SEPM and deploy accross all the machines in your netwrok.

Select the option Block & Log.

User will be able ot run the smc.exe -stop command but the SMC service always run in kernel mode. It will show the user as stop, but it is still running in the background.

Also You can put password protection in SEPM to stop the SMC services.

Rgrds,
SAM

go to clients -> policies -> general settings for a group amd in security settings set a password to stop sep this way smc -stop won't work (you will have to use smc -p password -stop)

The best thing is to set a password so user cannot stop the service of smc.

Tamper protection works - we don't have a password, but I still can't stop the services..........

Set a password  for  this in  group settings  so that it will ask for password if some one tries the command

You can add a password to make it tough for them but to be clear, You can never prevent an administrator from getting across whatever security you put. The simplest is to disable the service and reboot the computer, Use Drwatson to debug and kill the process...... 

You can do it by Dissabling the Dissable Symantec Endpoint Protection from the users machine

Enabling password to stop the service would be the most effective and easiet way to achieve this.

 Enabling passwords does not stop it. As Sandeep put it rightly, admin accounts are kings. You have to do passoerds plus remove admin access for users...Its a two pronged approach. Hope this answers your question