Endpoint Protection

  • 1.  NT Kernel changed and tamper alert messages question

    Posted Feb 12, 2013 12:08 AM

    I received the following messages and wonder if my computer is infected or if there is something I should do.

    The first message when the computer was booted up was that the NT Kernel had changed since the last time I used it. The message noted this file:

    c:\windows\system32\ntoskrnl.exe

    I looked on the forum and decided I should allow it.

    Then I received the following message:

    SYMANTEC TAMPER PROTECTION ALERT

    Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
    Event Info:  Send Terminate Message Process
    Action Taken:  Logged
    Actor Process:  C:\WINDOWS\EXPLORER.EXE (PID 3428)
    Time:  Monday, February 11, 2013  7:58:00 PM

    Should I do anything about these messages?



  • 2.  RE: NT Kernel changed and tamper alert messages question

    Posted Feb 12, 2013 12:21 AM

    Hi,

    This is a known issue.

    Please migrate the SEP client to the latest version of SEP 12.1 RU2.

    Check this thread

    https://www-secure.symantec.com/connect/forums/symantec-warning-about-xampp

     



  • 3.  RE: NT Kernel changed and tamper alert messages question

    Posted Feb 12, 2013 01:01 AM

    Run a full system scan. 



  • 4.  RE: NT Kernel changed and tamper alert messages question

    Posted Feb 12, 2013 02:11 AM

    Any chance you can upgrade to RU2? There have been already similar threads:

    https://www-secure.symantec.com/connect/forums/tamper-protection-alerts-are-getting-out-hand

    https://www-secure.symantec.com/connect/forums/endpoint-protection-12-tamper-protection-alert-explorerexe

    ...you can create a tamper protection exception as a workaround:

    How to Create Exceptions or Exclusions for Tamper Protection Alerts that have already been logged
    http://www.symantec.com/business/support/index?page=content&id=TECH92553

    Creating Tamper Protection Exception
    http://symantec.com/docs/HOWTO55213

    ...one note to that: you may want to check with Symantec Security Response and submit the C:\WINDOWS\EXPLORER.EXE for analysis, as it should not normally require direct access to the ccSvcHst.exe process.
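An added example, not from this thread or from Symantec, that parses the alert text quoted in the first post and applies the heuristic from this reply: the actor path and PID are pulled out of the "Actor Process" field, and an actor outside the SEP install tree is flagged for review (hash check, submission) instead of being silently excepted. The SEP_DIR constant and the triage rule itself are assumptions for illustration.

```python
import re
from typing import Dict

# Constructed sample: the alert text quoted in the first post, as the SEP client shows it.
SAMPLE_ALERT = r"""SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
Event Info:  Send Terminate Message Process
Action Taken:  Logged
Actor Process:  C:\WINDOWS\EXPLORER.EXE (PID 3428)
Time:  Monday, February 11, 2013  7:58:00 PM
"""

# Assumed SEP install directory (matches the Target path above); adjust for your deployment.
SEP_DIR = r"C:\Program Files\Symantec\Symantec Endpoint Protection"

FIELD_RE = re.compile(r"^(Target|Event Info|Action Taken|Actor Process|Time):\s+(.*)$")
ACTOR_RE = re.compile(r"^(?P<path>.+?)\s+\(PID\s+(?P<pid>\d+)\)$")


def parse_alert(text: str) -> Dict[str, object]:
    """Split a tamper-protection alert into its labelled fields; also splits
    'Actor Process' into actor_path and actor_pid."""
    fields: Dict[str, object] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    actor = ACTOR_RE.match(str(fields.get("Actor Process", "")))
    if actor:
        fields["actor_path"] = actor.group("path")
        fields["actor_pid"] = int(actor.group("pid"))
    return fields


def triage(fields: Dict[str, object], sep_dir: str = SEP_DIR) -> Dict[str, str]:
    """Hypothetical rule: SEP's own binaries may legitimately signal each other;
    any other process acting on ccSvcHst.exe is queued for review."""
    actor = str(fields.get("actor_path", "")).lower()
    if not actor:
        return {"verdict": "review", "reason": "actor process could not be parsed"}
    if actor.startswith(sep_dir.lower().rstrip("\\") + "\\"):
        return {"verdict": "expected", "reason": "actor is a SEP component"}
    return {"verdict": "review",
            "reason": f"{fields['actor_path']} is outside the SEP install tree "
                      f"and the action was only '{fields.get('Action Taken')}'"}
```

Calling `triage(parse_alert(SAMPLE_ALERT))` on the alert from the first post yields a "review" verdict for EXPLORER.EXE, which is the outcome this reply argues for.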



  • 5.  RE: NT Kernel changed and tamper alert messages question

    Trusted Advisor
    Posted Feb 12, 2013 06:57 AM

    Hello,

    I agree with Sebastian's suggestion.

    Please either create a Tamper Protection Exception by following the steps below:

    How to Create Exceptions or Exclusions for Tamper Protection Alerts that have already been logged

    http://www.symantec.com/business/support/index?page=content&id=TECH92553

    Creating Tamper Protection Exception

    http://symantec.com/docs/HOWTO55213

    OR / AND

    Migrate the SEPM / SEP clients to the latest version of SEP 12.1 RU2

    Best practices for upgrading to Symantec Endpoint Protection 12.1.2

    http://www.symantec.com/docs/TECH163700

    Hope that helps!!



  • 6.  RE: NT Kernel changed and tamper alert messages question

    Broadcom Employee
    Posted Feb 12, 2013 07:12 AM

    Hi,

    The following are two fixes in the SEP 12.1 RU1 MP1 version.

    Tamper Protection exceptions are not honored
    Fix ID: 2580578
    Symptom: Tamper Protection exceptions are not honored. An excluded process will trigger tamper protection.
    Solution: The SEP client was sending a delta of the exclusion list to the BASH component. The client was modified to send the complete list to resolve this issue.
     
    Folder/file exclusions in SEPM will not accept the ampersand (&) character
    Fix ID: 2564781
    Symptom: The ampersand (&) character is a valid file/folder-name character on both Windows and Macintosh. Folder/file exclusions in SEPM do not accept the ampersand (&) character.
    Solution: SEPM was modified to allow the ampersand (&) character in file/folder exclusions.
     
     
    Looking at the above two fix IDs, I would also suggest upgrading to the latest SEP version, i.e. SEP 12.1 RU2 (12.1.2015.2015).