Endpoint Protection

  • 1.  Odd processes attempting to touch SEP processes?

    Posted Mar 07, 2012 01:56 PM

    This is totally NEW since the clients went to SEP 12.1 I never saw such things in SEP 11.xxxx ever. Now I see this all the time, daily, several times a day.  Odd processes - things you'd think are very benign, innocent and trusted, now show up in the logs as attempting to "touch" SEP processes. Check the caller processes............. and the targets.... why?

    Examples include:

    Event time: 03/07/2012 09:36:00
    Severity: Minor
    Begin time: 03/07/2012 09:36:00
    End time: 03/07/2012 09:36:00
    Event type:
    Violation type:
    Action: Block
    Rule ID:
    Rule name:
    File Size:
    Caller process ID: 5988
    Caller process name: C:\PROGRAM FILES\VERIZON WIRELESS\VZACCESS MANAGER\VZACCESS MANAGER.EXE
    Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
    User name: Michelle.XXXXXXX
    Description: "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe"
    Device instance ID:
    Alert: Yes

    So why is the Verizon wireless manager touching a file called ccSvcHst (looks a whole lot like the MS service host!)?

    Another:

    Event time: 03/07/2012 11:16:20
    Severity: Minor
    Begin time: 03/07/2012 11:16:20
    End time: 03/07/2012 11:16:20
    Event type:
    Violation type:
    Action: Block
    Rule ID:
    Rule name:
    File Size:
    Caller process ID: 1512
    Caller process name: C:\PROGRAM FILES (X86)\MICROSOFT VISUAL STUDIO 10.0\COMMON7\IDE\DEVENV.EXE
    Target: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
    User name: jim.XXXXXXXX
    Description: "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe"
    Device instance ID:
    Alert: Yes

    And more:

    Event time: 03/07/2012 09:36:00
    Severity: Minor
    Begin time: 03/07/2012 09:36:00
    End time: 03/07/2012 09:36:00
    Event type:
    Violation type:
    Action: Block
    Rule ID:
    Rule name:
    File Size:
    Caller process ID: 5988
    Caller process name: C:\PROGRAM FILES\VERIZON WIRELESS\VZACCESS MANAGER\VZACCESS MANAGER.EXE
    Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\Smc.exe
    User name: Michelle.XXXXX
    Description: "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\Smc.exe"
    Device instance ID:

    I've got a few more, but maybe someone can see the pattern now............. what's up?
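As an added example (not code from the thread), a small Python script that parses tamper-protection events laid out as in the post and groups them by caller executable and SEP target, so the pattern across many alerts (the same caller hitting ccSvcHst.exe and Smc.exe) is visible at a glance; the sample log is constructed to match the entries above.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample in the same "Key: value" layout as the post's events (one empty field kept).
SAMPLE_LOG = r"""
Event time: 03/07/2012 09:36:00
Event type:
Action: Block
Caller process ID: 5988
Caller process name: C:\PROGRAM FILES\VERIZON WIRELESS\VZACCESS MANAGER\VZACCESS MANAGER.EXE
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe

Event time: 03/07/2012 11:16:20
Action: Block
Caller process ID: 1512
Caller process name: C:\PROGRAM FILES (X86)\MICROSOFT VISUAL STUDIO 10.0\COMMON7\IDE\DEVENV.EXE
Target: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe

Event time: 03/07/2012 09:36:00
Action: Block
Caller process ID: 5988
Caller process name: C:\PROGRAM FILES\VERIZON WIRELESS\VZACCESS MANAGER\VZACCESS MANAGER.EXE
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\Smc.exe
"""

FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.*?)\s*$")   # "Key: value" (value may be empty)

def parse_events(text):
    """Split the log into blank-line-separated events; return one dict per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line.strip())
            if m and m.group(2):           # drop fields the log left empty
                fields[m.group(1)] = m.group(2)
        if fields:
            events.append(fields)
    return events

def summarize(events):
    """Map each caller executable (case-folded) to a Counter of SEP targets it touched."""
    by_caller = defaultdict(Counter)
    for ev in events:
        caller = PureWindowsPath(ev["Caller process name"]).name.lower()
        target = PureWindowsPath(ev["Target"]).name.lower()
        by_caller[caller][target] += 1
    return by_caller
```

Run `summarize(parse_events(text))` over an exported log to get, per caller, how many times it hit each SEP binary; callers outside their expected install path or targets outside the SEP Bin directory are the ones worth a closer look before any exception is created.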

  • 2.  RE: Odd processes attempting to touch SEP processes?

    Posted Mar 07, 2012 10:24 PM

    These seem like legitimate processes trying to access SEP files. Are these showing up in tamper protection? If so, open a case with Symantec with the SST logs.



  • 3.  RE: Odd processes attempting to touch SEP processes?

    Posted Mar 20, 2012 04:15 PM

    I'm having the same issue with VZW access manager. 

    SYMANTEC TAMPER PROTECTION ALERT

    Target:  C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe

    Event Info:  Create Process

    ActionTaken:  Blocked

    Actor Process:  C:\PROGRAM FILES (X86)\VERIZON WIRELESS\VZACCESS MANAGER\VZACCESS MANAGER.EXE (PID 7048)

    Time:  Thursday, March 15, 2012  3:49:17 PM

    I set a tamper protection exception in the exception policy for the executable and it's still giving me an error.



  • 4.  RE: Odd processes attempting to touch SEP processes?

    Posted Mar 21, 2012 07:44 AM

    Check the below docs and confirm that the exclusions were made as suggested.

    What should I do when I get a Tamper Protection Alert?

    http://www.symantec.com/business/support/index?page=content&id=TECH97931


    How to Create Exceptions or Exclusions for Tamper Protection Alerts that have already been logged

    http://www.symantec.com/business/support/index?page=content&id=TECH92553


    Creating Tamper Protection Exception

    http://symantec.com/docs/HOWTO55213



  • 5.  RE: Odd processes attempting to touch SEP processes?

    Posted Mar 21, 2012 10:08 AM

    I have problems with the "solution".

    A. WHY are any of these processes touching SEP?

    B. WHY is this JUST NOW starting since SEP 12.1 - why not SEP 11.xx????

    C. I do not simply go in and make exclusions when something tries to do something to SEP - isn't that sort of risky? Yes, it's a legit process, but what if it's attempting to modify SEP in some way?  I asked because I want a response as to what it could possibly be doing........

    D. It's not just the Verizon app - Dragon Naturally Speaking is doing it too!

    E. What is ccSvcHst.exe anyway, and why am I suddenly seeing it in all sorts of logs when I never saw it before in ANY logs with SEP 11.xxx?

    F. Why is your ccSvcHst (looks almost like Microsoft's service host, doesn't it??) attempting to launch BRIDGE.SYS?  We block any access to bridge.sys as it's a great way to be sure no one can set up any connection between our wired LAN and some rogue wireless AP - it's happened before when a user here decided, "cool, I'll connect to this wireless AP in that building..." and we suddenly saw strange things on our wired net. So, I use SEP to block the launching of BRIDGE.SYS; however, since SEP 12.1 I see SEP attempting to touch it! Why would ccSvcHst be interested in the network bridge driver? Why was it not interested in v11.xx?

    There's a lot in SEP 12.1 that's apparently new and undocumented, and we were not told about - it's taking our existing rules and blocks and wreaking havoc in the logs.



  • 6.  RE: Odd processes attempting to touch SEP processes?

    Posted Mar 21, 2012 11:19 AM

    ccSvcHst.exe is the Symantec service framework used by the SEP GUI and other functionality.

    About your questions on why the process is trying to access/modify SEP, I am afraid I cannot answer that without a very detailed analysis. You can however have a word with the app vendor and create a case with Symantec. Still, Symantec may not be able to give you a clear answer to this question.

    About documentation, you can raise this in IDEA.