Video Screencast Help

logs referencing SEP applications

Created: 07 Nov 2012 • Updated: 09 Nov 2012 | 3 comments
This issue has been solved. See solution.

Can anyone explain exactly what SEP is telling me here? Is the application referenced in the 9th field mucking with the SEP application in some way? These aren't always malicious, but they are often enough to be a pretty good indicator of compromise.

Many thanks in advance!

[system name redacted],Allowed,"C:\Program Files\Symantec AntiVirus\SmcGui.exe",,Begin: 2012-11-07 00:33:54,End: 2012-11-07 00:33:54,Rule: ,3532,C:/Documents and Settings/[redacted]/Application Data/Qbbkba.exe,0,,C:/Program Files/Symantec AntiVirus/SmcGui.exe,User: [redacted],Domain: [redacted]

[system name redacted],Allowed,"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",,Begin: 2012-11-07 06:31:20,End: 2012-11-07 06:31:20,Rule: ,3336,C:/WINDOWS/system32/JavaMachine.exe,0,,C:/Program Files/Common Files/Symantec Shared/ccApp.exe,User: [redacted],Domain: [redacted]

Comments 3 CommentsJump to latest comment

.Brian's picture

What log was this in? tamper protection or firewall?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

emcee's picture

Hmm... I'm not actually sure. We dump all of the logs to syslog and process them there. I can't find these logs in SEPM (though I'm sure they must be in there somewhere). I'll dig around some more and see what I can find.

Rafeeq's picture

its a tamper protection alert, create an exception for the same.

SOLUTION