Data Center Security

  • 1.  SDCS 6.5 with sym_win_protection_core and SEP 12.1.6MP1

    Posted Aug 18, 2015 05:49 AM

    Hi, 

    I'm having trouble getting SEP 12.1.6 working properly with SDCS 6.5 and the protection core policy.

    It seems that there is a script that is being blocked, and I'm unable to create a working exception for it.

    Details are:

    DETAILS

    Description                     Process Assignment for CSCRIPT.EXE to svc_nopriv_ps
    Policy Name                     sym_win_protection_core_sbp_TMSPRDT
    Rule Name                       Programs that services should not execute
    Process                         C:\WINDOWS\SYSTEM32\CSCRIPT.EXE
    Parent Process                  C:\WINDOWS\SYSTEM32\WINLOGON.EXE
    Module Path                     \WINDOWS\SYSTEM32\WLNOTIFY.DLL
    Sandbox                         svc_nopriv_ps
    Operation                       create
    Process ID                      13328
    Thread ID                       14048
    Parent PID                      4272
    Arguments                       C:\WINDOWS\system32\cscript.exe  //E:JScript //Job:AgentHIScript "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6306.6100.105\Bin\AVScript16.js" "48640" "Helper.exe" "Symantec.SSHelper" "C:" "22" "C:\WINDOWS\TEMP\" "0"
    Process Signature               Microsoft Signed  (00039417)
    Parent Process Signature        Microsoft OS Component (00039437)

    cscript.exe is blocked: Programs that services should not execute

    When I create an exception for this, I'm struggling with the arguments: they are not fixed, so I'm trying to wildcard them, but it is still being blocked.

    //E:JScript //Job:AgentHIScript "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6306.6100.105\Bin\AVScript??.js" "?????" "Helper.exe" "Symantec.SSHelper" "C:" "??" "C:\WINDOWS\TEMP\" "0"

    When I work with the above question marks it doesn't seem to work. Any ideas, anyone?

    Thanks a lot!



  • 2.  RE: SDCS 6.5 with sym_win_protection_core and SEP 12.1.6MP1

    Posted Aug 18, 2015 05:55 AM

    Have you tried creating exceptions or exclusions for Tamper Protection?

    How to Create Exceptions or Exclusions for Tamper Protection Alerts that have already been logged

    https://support.symantec.com/en_US/article.TECH92553.html



  • 3.  RE: SDCS 6.5 with sym_win_protection_core and SEP 12.1.6MP1

    Posted Aug 18, 2015 06:13 AM

    Hey James007, thanks for your reply. The main issue is that the SEP client isn't blocking anything through Tamper Protection; it is the Data Center Security agent that blocks SEP from performing the host integrity check:

    Fail to execute Host Integrity check.

    Error Type: 0x00200001, Error Code: 0x00000080

    That's because cscript is blocked from running through a service.



  • 4.  RE: SDCS 6.5 with sym_win_protection_core and SEP 12.1.6MP1

    Posted Aug 18, 2015 08:17 AM

    Also tried the cmdmatchv2.exe tool:

    Enter a pattern: &ci; C:\WINDOWS\system32\cscript.exe  //E:JScript //Job:AgentHIScript "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6306.6100.105\Bin\AVScript??.js" * Helper.exe Symantec.SSHelper C: * C:\WINDOWS\TEMP\ 0

    Enter a commandline: C:\WINDOWS\system32\cscript.exe  //E:JScript //Job:AgentHIScript "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6306.6100.105\Bin\AVScript16.js" "48640" "Helper.exe" "Symantec.SSHelper" "C:" "22" "C:\WINDOWS\TEMP\" "0"

    MATCHED

    Still the process gets blocked.



  • 5.  RE: SDCS 6.5 with sym_win_protection_core and SEP 12.1.6MP1

    Posted Aug 18, 2015 08:52 AM

    Solved it myself with the following argument:

    &ci; C:\WINDOWS\system32\cscript.exe  ////E:JScript ////Job:AgentHIScript "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6306.6100.105\Bin\AVScript??.js" *



  • 6.  RE: SDCS 6.5 with sym_win_protection_core and SEP 12.1.6MP1

    Posted Aug 18, 2015 11:30 AM

    A little late, but you can use this in case the OS or SEP gets installed on a drive other than C or you use a different version of SEP:

    &ci; ?:\WINDOWS\system32\cscript.exe * "?:\Program Files\Symantec\Symantec Endpoint Protection\*\Bin\AVScript*" * 

    Get that assigned to the hsecurity_ps (or a custom SEP sandbox) and then if you want, log all file and registry changes made by SEP by wildcarding the "Allow but log modifications" in the correct sections.
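    The two working patterns above (reply 5 with the doubled slashes, reply 6 with the drive and version wildcarded) can be checked against the logged argument string with a small matcher. This is an added example, not SDCS's own engine or the cmdmatchv2 tool: it assumes the grammar the thread suggests (`&ci;` for case-insensitive, `?` for one character, `*` for any run, and `/` as an escape character so that `////` stands for a literal `//`), and the D: drive command line is constructed.

```python
import re
# Wildcard grammar assumed for this example (modelled on the patterns in this
# thread, not taken from SDCS documentation):
#   &ci; prefix -> case-insensitive;  ? -> exactly one character;  * -> any run
#   /x -> literal x, so "////" in a policy stands for "//";  \ is never an escape

def pattern_to_regex(pattern: str) -> tuple[str, int]:
    """Translate an SDCS-style argument pattern into a Python regex and flags."""
    flags = 0
    if pattern.startswith("&ci;"):
        flags, pattern = re.IGNORECASE, pattern[4:]
    pattern = pattern.strip()  # assumption: surrounding whitespace is not significant
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "/" and i + 1 < len(pattern):  # escaped literal
            parts.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        parts.append({"*": ".*", "?": "."}.get(ch, re.escape(ch)))
        i += 1
    return "".join(parts), flags

def matches(pattern: str, cmdline: str) -> bool:
    """True when the whole command line is covered by the pattern."""
    regex, flags = pattern_to_regex(pattern)
    return re.fullmatch(regex, cmdline, flags | re.DOTALL) is not None

# Argument string exactly as logged in the original post.
LOGGED = (r'C:\WINDOWS\system32\cscript.exe  //E:JScript //Job:AgentHIScript '
          r'"C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6306.6100.105\Bin\AVScript16.js" '
          r'"48640" "Helper.exe" "Symantec.SSHelper" "C:" "22" "C:\WINDOWS\TEMP\" "0"')
# Constructed: the same check on a D: install of a different (made-up) SEP build.
OTHER_HOST = (r'd:\windows\system32\cscript.exe  //E:JScript //Job:AgentHIScript '
              r'"D:\Program Files\Symantec\Symantec Endpoint Protection\14.0.0.0\Bin\AVScript32.js" '
              r'"4864" "Helper.exe" "Symantec.SSHelper" "D:" "7" "D:\WINDOWS\TEMP\" "0"')
# Reply 5's pattern, reply 6's portable pattern, and the single-slash form reply 4 reports as still blocked.
POST5 = r'&ci; C:\WINDOWS\system32\cscript.exe  ////E:JScript ////Job:AgentHIScript "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6306.6100.105\Bin\AVScript??.js" *'
POST6 = r'&ci; ?:\WINDOWS\system32\cscript.exe * "?:\Program Files\Symantec\Symantec Endpoint Protection\*\Bin\AVScript*" *'
SINGLE_SLASH = r'&ci; C:\WINDOWS\system32\cscript.exe  //E:JScript //Job:AgentHIScript *'

def evaluate() -> dict[str, bool]:
    return {
        "post5_logged": matches(POST5, LOGGED),                # True
        "post5_other_host": matches(POST5, OTHER_HOST),        # False: drive and build are literal
        "post6_logged": matches(POST6, LOGGED),                # True
        "post6_other_host": matches(POST6, OTHER_HOST),        # True: drive, build and script wildcarded
        "single_slash_logged": matches(SINGLE_SLASH, LOGGED),  # False: "//" reads as one escaped "/"
    }
```

    Under this model the single-slash pattern from reply 4 fails for the same reason the doubled slashes in reply 5 succeed, and reply 6's pattern is the only one that still covers a different drive or SEP build.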



  • 7.  RE: SDCS 6.5 with sym_win_protection_core and SEP 12.1.6MP1

    Posted Aug 18, 2015 02:03 PM

    Thanks Chuck, it's never too late to learn.

    I have tried adding the argument to the hsecurity_ps sandbox but I must be doing something wrong.

    Should I add it to the Host security programs installed basic option?



  • 8.  RE: SDCS 6.5 with sym_win_protection_core and SEP 12.1.6MP1

    Posted Aug 20, 2015 07:51 PM

    Yes, that will put it in the hsecurity_ps. It could be that the arg is not matching... try wildcarding the arg if it is not getting sent to the right sandbox, as a test.