
How to simulate a Tamper Protection event?

Created: 08 Feb 2013 | 6 comments

I'd like to simulate an event that looks like a Tamper Protection event - just to test that my alert is working.  What is a simple, safe thing that I can do to trigger such an alert?

Many thanks,
Mark


.Brian

Try to kill a SEP process

ccSvcHst.exe

Smc.exe

Make sure you have logging turned on and check your Tamper Protection log after you do it.

As long as you have tamper protection turned on, you will simply get an error message along the lines of "Access Denied".

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SebastianZ

Other test - you can try enabling sylink logging - it is done through the registry:

http://www.symantec.com/business/support/index?pag...

- with tamper protection enabled you won't be able to change the registry keys.

Mick2009

Here are a couple articles that may help explain Tamper Protection and how to test it:

HOW TO change the LiveUpdate source of an unmanaged Windows Symantec Endpoint Protection 12.1 Client
http://www.symantec.com/docs/TECH166129 
 

About Tamper Protection
http://www.symantec.com/docs/HOWTO55267 

With thanks and best regards,

Mick

Mithun Sanghavi

Hello,

Another test you could perform is to change the sylink.xml in SEP 12.1. Without stopping Tamper Protection, try changing the sylink.xml file.

Check this Article:

How to change the sylink.xml file in Symantec Endpoint Protection (SEP) 12.1

http://www.symantec.com/docs/TECH157585

It is possible to manually replace the sylink.xml file, however in order to do so Tamper Protection must first be disabled. 

This can be done on the client by going to Change Settings > Click Configure Settings under Client Management > Tamper Protection (Tab) > Then uncheck the box that says "Protect Symantec security software from being tampered with or shut down".

Once tamper protection is disabled:

  1. Stop the SMC service by going to Start > Run > type in > smc -stop.
  2. Once the service is stopped copy the sylink.xml file from the new SEPM and on the client side put that sylink.xml file under

      "\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<current_install_build_number>\Data\Config"

For Windows 7/2008/Vista:

C:\Users\All Users\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Config

  3. Replace the existing file and restart the SMC service with Start > Run > smc -start

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Rafeeq

Simple step

open cmd prompt

taskkill /f /im ccSvcHst.exe
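
The kill test suggested in this thread, wrapped as a repeatable check (an added example, not part of any post above): it runs the same taskkill command against the two process names mentioned, confirms that the original PIDs survived, and records the time window to match against the Tamper Protection log. It assumes an elevated PowerShell 3.0 or later session on a test client with Tamper Protection and its logging enabled; the variable names are illustrative.

```powershell
# Added example: repeatable Tamper Protection self-test for a test client.
# Assumes an elevated session with Tamper Protection and its logging enabled.
$targets = 'ccSvcHst', 'Smc'      # process names from the thread, without .exe
$started = Get-Date

$results = foreach ($name in $targets) {
    $before = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
    if ($before.Count -eq 0) {
        [pscustomobject]@{ Process = $name; Time = $null; ExitCode = $null
                           Outcome = 'not running, skipped'; Message = '' }
        continue
    }

    $time = Get-Date
    # Same command as in the thread; keep its message and exit code.
    $message = (& taskkill.exe /f /im "$name.exe" 2>&1 |
                ForEach-Object { "$_" }) -join ' '
    $exitCode = $LASTEXITCODE
    Start-Sleep -Seconds 2

    # The attempt counts as blocked only if every original PID is still alive.
    $aliveIds = @(Get-Process -Name $name -ErrorAction SilentlyContinue |
                  ForEach-Object { $_.Id })
    $lost = @($before | Where-Object { $aliveIds -notcontains $_.Id })

    $outcome = if ($lost.Count -eq 0 -and $exitCode -ne 0) {
        'blocked, process survived'
    } elseif ($lost.Count -eq 0) {
        'survived, but taskkill reported success: investigate'
    } else {
        'TERMINATED: Tamper Protection did not block the attempt'
    }
    [pscustomobject]@{ Process = $name; Time = $time; ExitCode = $exitCode
                       Outcome = $outcome; Message = $message }
}

$results | Format-List
# Time window to search for in the Tamper Protection log and in the alert.
'Check the Tamper Protection log between {0:s} and {1:s} (local time)' -f $started, (Get-Date)
```

An outcome of "blocked" together with a matching log entry and a fired alert in that time window means the whole chain works; a blocked attempt with no log entry points at the logging or notification settings rather than at Tamper Protection itself.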

saturnnights

Thanks everyone for your input!  I really appreciate it  :-)

Mark