
SEP 11 & 12: Tamper Protection alerts

Created: 07 May 2013 • Updated: 16 May 2013 | 3 comments
MIXIT

Hello all.  I manage several SEP environments for customers, SEP 11 and 12.1 both.  I often run into those pop-up tamper protection alerts.  Two things about these that bother me: Why do they occur, and are they actually doing anything? 

Ok, it's my basic and semi-educated understanding that Tamper Protection in SEP is meant to prevent SEP itself from being tampered with.  I don't know if this means running processes, or files on disk, or both.  However, almost every time in the past 4 or 5 years I've seen an alert, it is always for files completely unrelated to SEP that I can tell.  Since this is common for me I imagine everyone else must see these as well. 

And what's odd, and to my second point, is that often the "Action Taken" is: Blocked.  So let's say in the example below, I just installed Java 7 Update 21 I think it was.  I got 8 tamper alerts.  I think all were Action: Blocked, and yet, Java installed fine. So my question on that is, does SEP tamper protection actually do anything?  I would think if it blocked 8 separate files, or processes from occurring or what not, the installation of Java would have failed, yet it's running fine. 

Here's a sample from the most recent tamper alert:

SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
Event Info:  Open Process
ActionTaken:  Blocked
Actor Process:  C:\WINDOWS\INSTALLER\MSIE.TMP (PID 5984)
Time:  Tuesday, May 07, 2013  9:08:07 AM

Something appears to be trying to disable or modify your security software.

What are your esteemed opinions good people :)  

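The alert text above has a fixed shape (a header line, five "Field:  value" lines, a footer sentence), so the question of whether a burst of alerts is installer noise or something worth chasing can be answered by parsing them rather than reading pop-ups one by one. The following is an added example, not code from the thread or from Symantec: it parses alerts in the format shown in the post, checks that the target really is under the SEP install directory, and separates the Windows Installer / jqs.exe pattern discussed in this thread from actors that deserve a Process Monitor session. The sample input is constructed (the first alert is the one from the post; the jqs.exe and updater.exe alerts, their paths, PIDs and times are made up for illustration), and the "installer noise" rule is this example's own heuristic, not SEP's logic.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: alert 1 is the one quoted in the post; alerts 2 and 3
# are made up in the same format (paths, PIDs and times are not real data).
SAMPLE_ALERTS = r"""
SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
Event Info:  Open Process
ActionTaken:  Blocked
Actor Process:  C:\WINDOWS\INSTALLER\MSIE.TMP (PID 5984)
Time:  Tuesday, May 07, 2013  9:08:07 AM

Something appears to be trying to disable or modify your security software.

SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
Event Info:  Open Process
ActionTaken:  Blocked
Actor Process:  C:\Program Files\Java\jre7\bin\jqs.exe (PID 1120)
Time:  Tuesday, May 07, 2013  9:10:41 AM

Something appears to be trying to disable or modify your security software.

SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
Event Info:  Open Process
ActionTaken:  Blocked
Actor Process:  C:\Users\Public\updater.exe (PID 4420)
Time:  Tuesday, May 07, 2013  9:12:03 AM

Something appears to be trying to disable or modify your security software.
"""

HEADER_RE = re.compile(r"^SYMANTEC TAMPER PROTECTION ALERT\s*$", re.M)
FIELD_RE = re.compile(r"^(Target|Event Info|ActionTaken|Actor Process|Time):\s*(.*)$", re.M)
ACTOR_RE = re.compile(r"^(?P<path>.*?)\s*\(PID\s+(?P<pid>\d+)\)\s*$")

# Assumed default install root; adjust for non-default installs.
SEP_DIR = PureWindowsPath(r"C:\Program Files\Symantec\Symantec Endpoint Protection")
INSTALLER_TMP_DIR = PureWindowsPath(r"C:\WINDOWS\Installer")


def parse_alerts(text):
    """Split a text dump of alerts into dicts, one per alert block."""
    alerts = []
    for block in HEADER_RE.split(text)[1:]:
        fields = {name: value.strip() for name, value in FIELD_RE.findall(block)}
        actor_field = fields.get("Actor Process", "")
        m = ACTOR_RE.match(actor_field)
        alerts.append({
            "target": fields.get("Target", ""),
            "event": fields.get("Event Info", ""),
            "action": fields.get("ActionTaken", ""),
            "actor": m.group("path") if m else actor_field,
            "pid": int(m.group("pid")) if m else None,
            "time": fields.get("Time", ""),
        })
    return alerts


def targets_sep(alert):
    """True when the target lives under the SEP install directory.
    PureWindowsPath compares case-insensitively, matching Windows semantics."""
    return SEP_DIR in PureWindowsPath(alert["target"]).parents


def is_installer_noise(alert):
    """Heuristic of this example (an assumption, not SEP's own logic): a blocked
    'Open Process' from a Windows Installer temp executable or from the Java
    Quick Starter service (jqs.exe) is the benign pattern the thread describes."""
    actor = PureWindowsPath(alert["actor"])
    installer_tmp = (actor.suffix.lower() == ".tmp"
                     and INSTALLER_TMP_DIR in actor.parents)
    jqs = actor.name.lower() == "jqs.exe"
    return alert["event"] == "Open Process" and (installer_tmp or jqs)


def needs_attention(alerts):
    """Alerts against SEP binaries that the noise heuristic does not explain."""
    return [a for a in alerts if targets_sep(a) and not is_installer_noise(a)]


def summarize(alerts):
    """Count blocked events per (actor executable name, event type)."""
    return Counter((PureWindowsPath(a["actor"]).name.lower(), a["event"])
                   for a in alerts if a["action"] == "Blocked")


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for key, n in summarize(parsed).most_common():
        print(f"{n:3d}  {key[0]:<12} {key[1]}")
    for a in needs_attention(parsed):
        print("investigate:", a["actor"], "PID", a["pid"], "at", a["time"])
```

Run as-is it prints one line per actor/event pair and flags only the constructed `updater.exe` alert; feed it a pasted batch of real alerts and the `needs_attention` list is the short list to take to Process Monitor. The point of `targets_sep` is the caveat in the original question: an alert whose target is not under the SEP directory is not Tamper Protection doing its job on SEP and deserves a separate look.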


.Brian

I see Java trying to "tamper" with SEP quite a bit. It depends on who you talk to but to get to the point, this is more a problem in regards to Java and why it is trying to tamper with SEP.

So basically they occur because some outside process is trying to tamper (shutdown, open/close, modify, delete, etc) with a SEP process. Tamper Protection is doing its job by blocking this attempt.

In my testing, I have found that there is nothing noticeable by keeping tamper protection on and blocking these processes. These other processes, such as Java, continue to run as expected but for whatever reason they occasionally try to stop a SEP service. I've even disabled tamper protection to see what would happen and SEP still functioned as I would expect.

You can run a utility such as Process Monitor to see the tampering going on but ultimately it will be up to the folks at Java to look into and fix their code.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SOLUTION
Mithun Sanghavi

Hello,

You may like to check these Articles:

Tamper alerts regarding a Java (jqs.exe) process on clients since upgrade to 12.1

http://www.symantec.com/docs/TECH165939

About Tamper Protection

http://www.symantec.com/docs/HOWTO55267

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

MIXIT

I'm not a programmer but I get some concepts.  And to me, just using Java, for any purpose, is synonymous with poor security.  Since Java itself is a joke from a security standpoint, any platform that depends on it is subject to vulnerabilities being exploited.  Since SEPM uses a Java-based console, thus implying from an architecture standpoint that it explicitly trusts Java, probably I can write code to exploit known issues with Java and through that, gain a backdoor (programmatically that is) access to SEPM data - perhaps the password hash or even temporarily swap my own password into the database, gain access, do whatever, then swap the old one back.  Or maybe add a database table column or field value to create my own account - but have it not display in a list of accounts under Administrators in the GUI.  I don't know, anyway, point being on this - perhaps tamper protection will block access to SEP from the front door, but Java exploits will probably let a virus or human get in the back door to modify the database if it were written for that purpose.  Or so I imagine.  I read a lot so maybe this is just my imagination running amok. 

Thanks to both of you.  Mithun I will now read those articles, thanks again.