SEP 11 & 12: Tamper Protection alerts
Hello all. I manage several SEP environments for customers, SEP 11 and 12.1 both. I often run into those pop-up tamper protection alerts. Two things about these that bother me: Why do they occur, and are they actually doing anything?
Ok, it's my basic and semi-educated understanding that Tamper Protection in SEP is meant to prevent SEP itself from being tampered with. I don't know if this means running processes, or files on disk, or both. However, almost every time in the past 4 or 5 years I've seen an alert, it is always for files completely unrelated to SEP that I can tell. Since this is common for me I imagine everyone else must see these as well.
And what's odd, and to my second point, is that often the "Action Taken" is: Blocked. So let's say in the example below, I just installed Java 7 Update 21 I think it was. I got 8 tamper alerts. I think all were Action: Blocked, and yet, Java installed fine. So my question on that is, does SEP tamper protection actually do anything? I would think if it blocked 8 separate files, or processes from occurring or what not, the installation of Java would have failed, yet it's running fine.
Here's a sample from the most recent tamper alert:
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
Event Info: Open Process
Actor Process: C:\WINDOWS\INSTALLER\MSIE.TMP (PID 5984)
Time: Tuesday, May 07, 2013 9:08:07 AM
Something appears to be trying to disable or modify your security software.
What are your esteemed opinions good people :)
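For anyone wanting to triage these pop-ups in bulk rather than one at a time, here is an added example (my own code, not Symantec's and not from the post above) that parses the alert text in the format shown in the post and tags each alert with a severity. The field names (Target, Event Info, Actor Process, Time) are taken from the sample alert; the second alert in the sample input is constructed for contrast, and the triage rules (Windows Installer .TMP actor = low, executable in a Temp directory = high) are assumptions for illustration, not Symantec's classification. The alert lists the specific access that was denied (here an Open Process on ccSvcHst.exe), which is why grouping by actor and event is more informative than counting blocks.

```python
"""Parse SEP Tamper Protection alert text and produce a triage summary.

Added example, not from the original post. Field names follow the alert
shown in the post; the severity rules below are illustrative assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# First alert copied from the post; second alert is constructed for contrast.
SAMPLE_ALERTS = r"""SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
Event Info: Open Process
Actor Process: C:\WINDOWS\INSTALLER\MSIE.TMP (PID 5984)
Time: Tuesday, May 07, 2013 9:08:07 AM
Something appears to be trying to disable or modify your security software.

SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
Event Info: Open Process
Actor Process: C:\Users\user\AppData\Local\Temp\updater.exe (PID 7712)
Time: Tuesday, May 07, 2013 9:12:44 AM
Something appears to be trying to disable or modify your security software.
"""

HEADER = "SYMANTEC TAMPER PROTECTION ALERT"
_FIELD = re.compile(r"^(Target|Event Info|Actor Process|Time):\s*(.*)$")
_ACTOR = re.compile(r"^(.*?)\s+\(PID\s+(\d+)\)$")
# Assumed heuristic: Windows Installer drops transient .TMP engines here.
INSTALLER_DIR = "c:\\windows\\installer\\"


@dataclass
class TamperAlert:
    target: str
    event: str
    actor_path: str
    actor_pid: int
    time: str


def _finish(fields: Dict[str, str], out: List[TamperAlert]) -> None:
    """Turn a collected field dict into a TamperAlert if it is complete."""
    if not all(k in fields for k in ("Target", "Event Info", "Actor Process", "Time")):
        return
    m = _ACTOR.match(fields["Actor Process"])
    path, pid = (m.group(1), int(m.group(2))) if m else (fields["Actor Process"], -1)
    out.append(TamperAlert(fields["Target"], fields["Event Info"], path, pid, fields["Time"]))


def parse_alerts(text: str) -> List[TamperAlert]:
    """Split concatenated alert text on the header line and parse each block."""
    alerts: List[TamperAlert] = []
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == HEADER:
            _finish(fields, alerts)
            fields = {}
            continue
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    _finish(fields, alerts)
    return alerts


def triage(alert: TamperAlert) -> Tuple[str, str]:
    """Assumed severity rules; adjust to your own environment's baseline."""
    actor = alert.actor_path.lower()
    if actor.startswith(INSTALLER_DIR) and actor.endswith(".tmp"):
        return ("low", "Windows Installer transient file; correlate with an install at this time")
    if "\\temp\\" in actor:
        return ("high", "executable in a Temp directory touched a SEP process; investigate")
    return ("medium", "unrecognised actor; review")


def summarize(alerts: List[TamperAlert]) -> Dict[Tuple[str, str], int]:
    """Count alerts per (actor path, event) so repeated noise collapses to one row."""
    counts: Dict[Tuple[str, str], int] = {}
    for a in alerts:
        key = (a.actor_path, a.event)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        sev, why = triage(a)
        print(f"[{sev}] {a.actor_path} (PID {a.actor_pid}) -> {a.event} on {a.target}: {why}")
    for (actor, event), n in summarize(parsed).items():
        print(f"{n}x {event} from {actor}")
```

Paste the text of several pop-ups (or an export from the SEPM log) into `SAMPLE_ALERTS` and the grouped summary shows which actor generated the eight alerts and what access was denied each time.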