
SEP - Tamper Protection blocking centralized exceptions

Updated: 21 May 2010 | 4 comments
Kbalz | 0 Votes
This issue has been solved. See solution.

In SEP Manager (11.0.4202.75), I set a Centralized Exception in the policy for the group I am a part of. Imagine the Exception Item name is PROGRAM.EXE. So in the policy, it says:

Exception Item - PROGRAM.EXE
Exception Type - TruScan Proactive Threat Scan Process
Action - Log Only

From my client, I've updated my policy, and waited 2 hours. From the client, I can see under the Proactive Threat Logs that it obeyed this exception, and logged some action that this EXE has taken.

However, every so often, I get the SEP Notification that PROGRAM.EXE has been blocked!

SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Common Files\Symantec Shared\COH\COH32.exe
Event Info:  Allocation Memory
ActionTaken:  Blocked
Actor Process:  C:\WINDOWS\System32\PROGRAM.exe (PID 3152)
Time:  Thursday, September 03, 2009  1:31:19 PM

I need to allow this program to do anything and never be blocked, and I don't want to add it manually on every client.

What am I missing?

Comments

David-Z | 03 Sep 2009 | 0 Votes

Sounds like all you need to do is set up a Tamper Protection exclusion for the program now. The second half of this document will show you how to accomplish this:

Title: 'How to configure Tamper Protection in Symantec Endpoint Protection 11.0'
Document ID: 2007092616550248
Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007092616550248?Open&seg=ent

Hope that helps!

kavin | 03 Sep 2009 | 1 Vote (+1)

Try this

Creating an Exception:

1. Log into the Symantec Endpoint Protection Manager and click Policies.
2. Under View Policies click Centralized Exceptions.
3. If you have a Centralized Exceptions policy, edit the policy. Otherwise, follow step 4 to create it.
4. Under Tasks click Add a Centralized Exception policy... This will create and open a new Centralized Exceptions Policy.
5. In the left pane, click Centralized Exceptions.
6. Click the Add button to open a drop-down menu. Move the cursor over Tamper Protection Exception and select it.
7. Enter the file name: PROGRAM.exe, in the File field. If you enter the Prefix variable you will need to also enter the full path to the file in the File field.
8. Save the policy by clicking OK and make sure it is assigned to the appropriate client groups.

Sherri Nichols | 03 Sep 2009 | 1 Vote (+1)

There are actually three different types of scan exceptions you can define through Centralized Exceptions:  Security Risks (AV scans and auto-protect), Proactive Threat Protection exceptions, and Tamper Protection exceptions.  The exceptions are defined in a central place (this policy), but they only affect the specified component of the SEP client.

In your case you'll need to add a Tamper Protection exception.  There is a Knowledge Base article that describes how to do this fairly easily, since you have already logged the item:

service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/a24099cfdffa67bd88257567007197cf

Hope this helps!
:-)

ShadowsPapa | 03 Sep 2009 | 1 Vote (-1)

Yeah, in the logs screen, click add file to centralized exceptions policy.........
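
The alert layout quoted in the question can be parsed to list which actor processes Tamper Protection blocked, and from which paths, before a Tamper Protection exception is added for them. This is an added example, not code from the thread or from Symantec; the second and third sample alerts and all function names are constructed for illustration.

```python
import ntpath
import re
from collections import defaultdict

HEADER = "SYMANTEC TAMPER PROTECTION ALERT"
FIELD = re.compile(r"^([A-Za-z ]+?):\s+(.*\S)\s*$")      # "Name:  value"
ACTOR = re.compile(r"^(?P<path>.+?)\s+\(PID (?P<pid>\d+)\)$")

# Alert layout as quoted in the question; actor, PID and time are filled in below.
TEMPLATE = r"""SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Common Files\Symantec Shared\COH\COH32.exe
Event Info:  Allocation Memory
ActionTaken:  Blocked
Actor Process:  {actor} (PID {pid})
Time:  Thursday, September 03, 2009  {time}
"""
# Constructed sample: first alert is the one from the question, the other two are made up.
SAMPLE = "\n".join(TEMPLATE.format(actor=a, pid=p, time=t) for a, p, t in [
    (r"C:\WINDOWS\System32\PROGRAM.exe", 3152, "1:31:19 PM"),
    (r"C:\WINDOWS\system32\program.exe", 412, "2:05:44 PM"),
    (r"C:\Temp\PROGRAM.exe", 5120, "2:40:02 PM"),
])

def parse_alerts(text):
    """Return one dict of fields per alert, plus actor_path and pid."""
    alerts = []
    for chunk in text.split(HEADER)[1:]:
        fields = dict(m.groups() for m in map(FIELD.match, chunk.splitlines()) if m)
        actor = ACTOR.match(fields.get("Actor Process", ""))
        if actor:  # skip alerts whose actor line is missing or malformed
            fields["actor_path"], fields["pid"] = actor["path"], int(actor["pid"])
            alerts.append(fields)
    return alerts

def blocked_actors(alerts):
    """Map actor file name (lower-cased) to the distinct full paths that were blocked."""
    seen = defaultdict(set)
    for a in alerts:
        if a.get("ActionTaken") == "Blocked":
            path = ntpath.normcase(a["actor_path"])  # Windows paths are case-insensitive
            seen[ntpath.basename(path)].add(path)
    return dict(seen)

def names_to_review(seen):
    """Names reported from more than one directory: confirm each path before excepting."""
    return sorted(name for name, paths in seen.items() if len(paths) > 1)
```

In the constructed sample, program.exe is reported from both System32 and C:\Temp, so `names_to_review(blocked_actors(parse_alerts(SAMPLE)))` returns it for a closer look before the file name goes into the policy.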