
logs referencing SEP applications

Created: 07 Nov 2012 • Updated: 09 Nov 2012 | 3 comments
This issue has been solved. See solution.

Can anyone explain exactly what SEP is telling me here? Is the application referenced in the 9th field mucking with the SEP application in some way? These aren't always malicious, but they are often enough to be a pretty good indicator of compromise.

Many thanks in advance!

[system name redacted],Allowed,"C:\Program Files\Symantec AntiVirus\SmcGui.exe",,Begin: 2012-11-07 00:33:54,End: 2012-11-07 00:33:54,Rule: ,3532,C:/Documents and Settings/[redacted]/Application Data/Qbbkba.exe,0,,C:/Program Files/Symantec AntiVirus/SmcGui.exe,User: [redacted],Domain: [redacted]

[system name redacted],Allowed,"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",,Begin: 2012-11-07 06:31:20,End: 2012-11-07 06:31:20,Rule: ,3336,C:/WINDOWS/system32/JavaMachine.exe,0,,C:/Program Files/Common Files/Symantec Shared/ccApp.exe,User: [redacted],Domain: [redacted]


Brɨan

What log was this in? Tamper protection or firewall?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

emcee

Hmm... I'm not actually sure. We dump all of the logs to syslog and process them there. I can't find these logs in SEPM (though I'm sure they must be in there somewhere). I'll dig around some more and see what I can find.

Rafeeq

It's a tamper protection alert; create an exception for the same.

SOLUTION
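
Before an exception is created for one of these alerts, it helps to see which process the exception would cover. The following is an added example (not code from the thread or from Symantec) that parses the 14-field lines quoted in the question and sorts them by the actor in the 9th field. Reading the 8th field as the actor's PID, the reviewed-actor list and the path markers are assumptions, and the sample lines are constructed from the two in the question.

```python
import csv
import ntpath

# Constructed sample lines in the 14-field layout quoted in the question
# (host, user and domain values are placeholders; the third line is invented).
SAMPLE = [
    r'HOST1,Allowed,"C:\Program Files\Symantec AntiVirus\SmcGui.exe",,Begin: 2012-11-07 00:33:54,End: 2012-11-07 00:33:54,Rule: ,3532,C:/Documents and Settings/user1/Application Data/Qbbkba.exe,0,,C:/Program Files/Symantec AntiVirus/SmcGui.exe,User: user1,Domain: EXAMPLE',
    r'HOST2,Allowed,"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",,Begin: 2012-11-07 06:31:20,End: 2012-11-07 06:31:20,Rule: ,3336,C:/WINDOWS/system32/JavaMachine.exe,0,,C:/Program Files/Common Files/Symantec Shared/ccApp.exe,User: user2,Domain: EXAMPLE',
    r'HOST3,Allowed,"C:\Program Files\Symantec AntiVirus\SmcGui.exe",,Begin: 2012-11-07 07:00:00,End: 2012-11-07 07:00:00,Rule: ,412,C:/Program Files/ExampleBackup/agent.exe,0,,C:/Program Files/Symantec AntiVirus/SmcGui.exe,User: user3,Domain: EXAMPLE',
]

# Hypothetical list of actors already reviewed and approved for an exception.
REVIEWED_ACTORS = {r"c:\program files\examplebackup\agent.exe"}
# Profile and temp locations that an unprivileged user can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\")

def norm(path):
    """Lower-case and use backslashes so both path styles in the log compare equal."""
    return ntpath.normcase(ntpath.normpath(path))

def unlabel(value):
    """Drop a 'Begin: ' / 'User: ' style prefix."""
    return value.partition(":")[2].strip()

def parse_line(line):
    f = next(csv.reader([line]))  # csv handles the quoted 3rd field
    if len(f) != 14:
        raise ValueError(f"expected 14 fields, got {len(f)}")
    return {
        "host": f[0], "action": f[1], "target": norm(f[2]),
        "begin": unlabel(f[4]), "end": unlabel(f[5]),
        "actor_pid": int(f[7]),   # 8th field, assumed to be the actor's PID
        "actor": norm(f[8]),      # 9th field, the application asked about
        "user": unlabel(f[12]), "domain": unlabel(f[13]),
    }

def triage(event):
    """Return 'reviewed', 'review-first' (actor in a user-writable path) or 'review'."""
    if event["actor"] in REVIEWED_ACTORS:
        return "reviewed"
    if any(marker in event["actor"] for marker in USER_WRITABLE):
        return "review-first"
    return "review"

if __name__ == "__main__":
    for line in SAMPLE:
        e = parse_line(line)
        print(e["begin"], e["host"], triage(e), e["actor"], "->", e["target"])
```

A path-based rule cannot clear an actor under `system32`, which is why the second sample stays at "review" rather than being treated as trusted.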