Endpoint Protection

  • 1.  SEP - Tamper Protection blocking centralized exceptions

    Posted Sep 03, 2009 01:43 PM
    In SEP Manager (11.0.4202.75), I set a Centralized Exception in the policy for the group I am a part of. Imagine the Exception Item name is PROGRAM.EXE. So in the policy, it says:

    Exception Item - PROGRAM.EXE
    Exception Type - TruScan Proactive Threat Scan Process
    Action - Log Only

    From my client, I've updated my policy and waited 2 hours. From the client, I can see under the Proactive Threat Logs that it obeyed this exception and logged some action that this EXE has taken.

    However, every so often I get the SEP Notification that PROGRAM.EXE has been blocked!



    SYMANTEC TAMPER PROTECTION ALERT

    Target:  C:\Program Files\Common Files\Symantec Shared\COH\COH32.exe
    Event Info:  Allocation Memory
    ActionTaken:  Blocked
    Actor Process:  C:\WINDOWS\System32\PROGRAM.exe (PID 3152)
    Time:  Thursday, September 03, 2009  1:31:19 PM

    I need to allow this program to do anything and never be blocked, and I don't want to add it manually on every client.

    What am I missing?


  • 2.  RE: SEP - Tamper Protection blocking centralized exceptions
    Best Answer

    Broadcom Employee
    Posted Sep 03, 2009 01:54 PM
    Sounds like all you need to do is set up a Tamper Protection exclusion for the program now. The second half of this document will show you how to accomplish this:

    Title: 'How to configure Tamper Protection in Symantec Endpoint Protection 11.0'
    Document ID: 2007092616550248
    Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007092616550248?Open&seg=ent

    Hope that helps!


  • 3.  RE: SEP - Tamper Protection blocking centralized exceptions

    Posted Sep 03, 2009 01:55 PM
    Try this

    Creating an Exception:

    1. Log into the Symantec Endpoint Protection Manager and click Policies.

    2. Under View Policies click Centralized Exceptions.

    3. If you have a Centralized Exceptions policy, edit the policy. Otherwise, follow step 4 to create it.

    4. Under Tasks click Add a Centralized Exception policy... This will create and open a new Centralized Exceptions Policy.

    5. In the left pane, click Centralized Exceptions.

    6. Click the Add button to open a drop-down menu. Move the cursor over Tamper Protection Exception and select it.

    7. Enter the file name: PROGRAM.exe, in the File field. If you enter the Prefix variable you will need to also enter the full path to the file in the File field.

    8. Save the policy by clicking OK and make sure it is assigned to the appropriate client groups.



  • 4.  RE: SEP - Tamper Protection blocking centralized exceptions

    Posted Sep 03, 2009 02:19 PM
    There are actually three different types of scan exceptions you can define through Centralized Exceptions:  Security Risks (AV scans and auto-protect), Proactive Threat Protection exceptions, and Tamper Protection exceptions.  The exceptions are defined in a central place (this policy), but they only affect the specified component of the SEP client.

    In your case you'll need to add a Tamper Protection exception.  There is a Knowledge Base article that describes how to do this fairly easily, since you have already logged the item:

    service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/a24099cfdffa67bd88257567007197cf

    Hope this helps!
    :-)
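Added example, not part of any post in this thread and not Symantec code: a small triage script that parses a Tamper Protection alert in the layout quoted in the first post and checks the actor process against a per-component exception list, showing why a TruScan exception alone leaves the block in place. The `POLICY` structure and the function names are assumptions made for illustration; SEP does not expose its policy in this form.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Constructed model of a Centralized Exceptions policy: one set of file
# names per client component (layout is an assumption, not SEP's format).
POLICY = {
    "Security Risk": set(),
    "TruScan Proactive Threat Scan": {"program.exe"},
    "Tamper Protection": set(),
}

# Alert text copied from the first post in the thread.
SAMPLE_ALERT = """\
SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\\Program Files\\Common Files\\Symantec Shared\\COH\\COH32.exe
Event Info:  Allocation Memory
ActionTaken:  Blocked
Actor Process:  C:\\WINDOWS\\System32\\PROGRAM.exe (PID 3152)
Time:  Thursday, September 03, 2009  1:31:19 PM
"""

FIELD = re.compile(
    r"^\s*(Target|Event Info|ActionTaken|Actor Process|Time):\s*(.*?)\s*$", re.M)
PID = re.compile(r"\s*\(PID (\d+)\)$")

def parse_alert(text):
    """Return the alert fields as a dict, splitting the PID off the actor path."""
    fields = dict(FIELD.findall(text))
    actor = fields.get("Actor Process", "")
    m = PID.search(actor)
    fields["PID"] = int(m.group(1)) if m else None
    fields["Actor Process"] = PID.sub("", actor)
    return fields

def triage(text, policy):
    """Say which components already except the actor and whether Tamper Protection does."""
    alert = parse_alert(text)
    name = basename(alert["Actor Process"]).lower()  # Windows names: case-insensitive
    covered = sorted(c for c, names in policy.items() if name in names)
    return {
        "actor": name,
        "blocked": alert.get("ActionTaken") == "Blocked",
        "covered_by": covered,
        "needs_tamper_exception": "Tamper Protection" not in covered,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_ALERT, POLICY))
```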


  • 5.  RE: SEP - Tamper Protection blocking centralized exceptions

    Posted Sep 03, 2009 02:21 PM
    Yeah, in the logs screen, click add file to centralized exceptions policy.........