
NT Kernel changed and tamper alert messages question

Created: 11 Feb 2013 | 5 comments

I received the following messages and wonder if my computer is infected or if there is something I should do.

The first message when the computer was booted up was that the NT Kernel had changed since the last time I used it. The message noted this file:

c:\windows\system32\ntoskrnl.exe

I looked on the forum and decided I should allow it.

Then I received the following message:

SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
Event Info:  Send Terminate Message Process
Action Taken:  Logged
Actor Process:  C:\WINDOWS\EXPLORER.EXE (PID 3428)
Time:  Monday, February 11, 2013  7:58:00 PM

Should I do anything about these messages?

Comments (5)

Ashish-Sharma:

Hi,

This is a known issue.

Please migrate the SEP client to the latest version of SEP 12.1, RU2.

Check this thread

https://www-secure.symantec.com/connect/forums/symantec-warning-about-xampp

Thanks in advance

Ashish Sharma

SebastianZ:

Any chance you can upgrade to RU2? There have been already similar threads:

https://www-secure.symantec.com/connect/forums/tam...

https://www-secure.symantec.com/connect/forums/end...

...you can create a Tamper Protection exception as a workaround:

How to Create Exceptions or Exclusions for Tamper Protection Alerts that have already been logged
http://www.symantec.com/business/support/index?page=content&id=TECH92553

Creating Tamper Protection Exception
http://symantec.com/docs/HOWTO55213

...one more note: you may want to check with Symantec Security Response and submit C:\WINDOWS\EXPLORER.EXE for analysis, as it should not normally require direct access to the ccSvcHst.exe process.
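Before submitting the file or adding an exception, it is worth confirming what the two alerts actually point at. The script below is an added example, not part of this thread or of Symantec's documentation. It takes the two paths and the actor PID from the original post as defaults and assumes an elevated PowerShell 4.0 or later session (Get-FileHash) on the affected machine. For the "kernel changed" alert it checks that ntoskrnl.exe carries a valid Microsoft signature and lists the most recently installed hotfixes, so a change can be matched to a patch. For the Tamper Protection alert it checks the signature of explorer.exe and, if the actor PID from the alert is still running, lists any unsigned modules loaded into that process, since a shell extension or injected DLL would act under explorer.exe's name and PID.

```powershell
# Added example (not from the thread): triage the two files named in the alerts.
# Assumptions: elevated PowerShell 4.0+ on the affected machine; default paths
# are the ones quoted in the post; the actor PID (3428) is only meaningful
# while that explorer.exe instance is still running.
param(
    [string]$KernelPath = "$env:SystemRoot\system32\ntoskrnl.exe",
    [string]$ActorPath  = "$env:SystemRoot\explorer.exe",
    [int]   $ActorPid   = 3428
)

function Get-FileTriage {
    param([string]$Path)
    $item = Get-Item -Path $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path        = $Path
        Signature   = $sig.Status                       # expect 'Valid'
        Signer      = $sig.SignerCertificate.Subject    # expect a Microsoft subject
        FileVersion = $item.VersionInfo.FileVersion
        LastWrite   = $item.LastWriteTime
        SHA256      = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash  # value to quote when submitting a sample
    }
}

# 1. The "NT kernel changed" alert: a legitimate change is a signed Microsoft
#    binary whose LastWriteTime lines up with a recently installed hotfix.
Get-FileTriage -Path $KernelPath | Format-List
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn

# 2. The Tamper Protection alert: confirm the actor is the signed Windows
#    shell and look for unsigned code loaded into it.
Get-FileTriage -Path $ActorPath | Format-List
$proc = Get-Process -Id $ActorPid -ErrorAction SilentlyContinue
if ($null -eq $proc) {
    Write-Warning "PID $ActorPid is not running; the PID in the alert is only valid for that boot session."
} else {
    if ($proc.Path -ne $ActorPath) {
        Write-Warning "PID $ActorPid is $($proc.Path), not $ActorPath"
    }
    # Any module that is not validly signed is the first thing to look at.
    $proc.Modules |
        Where-Object { (Get-AuthenticodeSignature -FilePath $_.FileName).Status -ne 'Valid' } |
        Select-Object ModuleName, FileName
}
```

If both files report a valid Microsoft signature and the kernel's timestamp matches an installed update, the alerts are consistent with the known issue described in this thread; an unsigned module inside explorer.exe, or an explorer.exe that is not the one in the Windows directory, is the case where submitting the sample to Security Response matters.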

Mithun Sanghavi:

Hello,

I agree with Sebastian's suggestion.

Please either create a Tamper Protection Exception by following the steps below:

How to Create Exceptions or Exclusions for Tamper Protection Alerts that have already been logged

http://www.symantec.com/business/support/index?page=content&id=TECH92553

Creating Tamper Protection Exception

http://symantec.com/docs/HOWTO55213

OR / AND

Migrate the SEPM / SEP clients to the Latest version of SEP 12.1 RU2

Best practices for upgrading to Symantec Endpoint Protection 12.1.2

http://www.symantec.com/docs/TECH163700

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Chetan Savade:

Hi,

The following are two fixes in the SEP 12.1 RU1 MP1 release.

Tamper Protection exceptions are not honored
Fix ID: 2580578
Symptom: Tamper Protection exceptions are not honored. An excluded process will trigger tamper protection.
Solution: The SEP client was sending a delta of the exclusion list to the BASH component. The client was modified to send the complete list to resolve this issue.
 
Folder/file exclusions in SEPM will not accept the ampersand (&) character
Fix ID: 2564781
Symptom: The ampersand (&) character is a valid file/folder-name character on both Windows and Macintosh. Folder/file exclusions in SEPM do not accept the ampersand (&) character.
Solution: SEPM was modified to allow the ampersand (&) character in file/folder exclusions.
 
Reference: http://www.symantec.com/business/support/index?page=content&id=TECH187656
 
Looking at the above two fix IDs, I would also suggest upgrading to the latest SEP version, i.e. SEP 12.1 RU2 (12.1.2015.2015).

 

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.