Endpoint Protection

  • 1.  How to simulate a Tamper Protection event?

    Posted Feb 08, 2013 02:42 PM

    I'd like to simulate an event that looks like a Tamper Protection event - just to test that my alert is working.  What is a simple, safe thing that I can do to trigger such an alert?


    Many thanks,
    Mark



  • 2.  RE: How to simulate a Tamper Protection event?

    Posted Feb 08, 2013 02:49 PM

    Try to kill a SEP process

    ccSvcHst.exe

    Smc.exe

    Make sure you have logging turned on and check your Tamper Protection log after you do it.

    As long as you have Tamper Protection turned on, you will simply get an error message along the lines of "Access Denied".



  • 3.  RE: How to simulate a Tamper Protection event?

    Posted Feb 08, 2013 02:58 PM

    Another test: you can try enabling sylink logging, which is done through the registry:

    http://www.symantec.com/business/support/index?page=content&id=TECH104758

    With Tamper Protection enabled you won't be able to change the registry keys.



  • 4.  RE: How to simulate a Tamper Protection event?

    Posted Feb 11, 2013 05:17 AM

    Here are a couple of articles that may help explain Tamper Protection and how to test it:

    HOW TO change the LiveUpdate source of an unmanaged Windows Symantec Endpoint Protection 12.1 Client
    http://www.symantec.com/docs/TECH166129

    About Tamper Protection
    http://www.symantec.com/docs/HOWTO55267



  • 5.  RE: How to simulate a Tamper Protection event?

    Trusted Advisor
    Posted Feb 12, 2013 01:40 AM

    Hello,

    Another test you could perform is to change the sylink.xml in SEP 12.1. Without stopping Tamper Protection, try changing the sylink.xml file.

    Check this article:

    How to change the sylink.xml file in Symantec Endpoint Protection (SEP) 12.1

    http://www.symantec.com/docs/TECH157585

    It is possible to manually replace the sylink.xml file; however, in order to do so Tamper Protection must first be disabled.

    This can be done on the client by going to Change Settings > Click Configure Settings under Client Management > Tamper Protection (Tab) > Then uncheck the box that says "Protect Symantec security software from being tampered with or shut down".

    Once Tamper Protection is disabled:

    1. Stop the SMC service by going to Start > Run > type in smc -stop.
    2. Once the service is stopped, copy the sylink.xml file from the new SEPM and on the client side put that sylink.xml file under

          "\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<current_install_build_number>\Data\Config"

    For Windows 7/2008/Vista:

    C:\Users\All Users\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Config

    3. Replace the existing file and restart the SMC service with Start > Run > smc -start


  • 6.  RE: How to simulate a Tamper Protection event?

    Posted Feb 12, 2013 01:51 AM

    Simple step:

    Open a cmd prompt and run:

    taskkill /f /im ccSvcHst.exe

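    As an added example that is not part of this thread, the following PowerShell script runs the process-kill test from replies 2 and 6 against both processes named there and records whether each attempt was denied, so the result can be compared against the alert that arrives in the console. It assumes an elevated prompt on a test client with Tamper Protection enabled; the process names come from the replies above, everything else is the script's own.

```powershell
# Added example (not from the thread): exercise Tamper Protection by trying to
# terminate the SEP processes named in replies 2 and 6, then report the outcome.
# Assumes: run as Administrator on a TEST client with Tamper Protection enabled.
$protectedProcesses = @('ccSvcHst', 'Smc')   # names taken from the thread
$results = @()

foreach ($name in $protectedProcesses) {
    $before = Get-Process -Name $name -ErrorAction SilentlyContinue
    if (-not $before) {
        # Nothing to test against; report it rather than treating it as a pass
        $results += [pscustomobject]@{ Process = $name; Outcome = 'not running'; Blocked = $null }
        continue
    }
    try {
        # Same action as "taskkill /f /im ccSvcHst.exe" from reply 6
        Stop-Process -Name $name -Force -ErrorAction Stop
        $outcome = 'kill succeeded'
        $blocked = $false
    } catch {
        # With Tamper Protection on, the expected result is an access-denied error
        $outcome = "blocked: $($_.Exception.Message)"
        $blocked = $true
    }
    Start-Sleep -Seconds 2
    $stillRunning = [bool](Get-Process -Name $name -ErrorAction SilentlyContinue)
    $results += [pscustomobject]@{
        Process      = $name
        Outcome      = $outcome
        Blocked      = $blocked
        StillRunning = $stillRunning
    }
}

$results | Format-Table -AutoSize

# Non-zero exit if any protected process could actually be terminated, so this
# can run as a scheduled check that Tamper Protection is still being enforced.
# After a run with exit code 0, confirm the Tamper Protection alert was raised.
if ($results | Where-Object { $_.Blocked -eq $false }) { exit 1 } else { exit 0 }
```

    The exit code only tells you the client blocked the action; the alert itself still has to be checked in the Tamper Protection log, as reply 2 says.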


  • 7.  RE: How to simulate a Tamper Protection event?

    Posted Feb 12, 2013 08:24 AM

    Thanks, everyone, for your input! I really appreciate it :-)

    Mark