Endpoint Protection


strange Scan exception in SEP

  • 1.  strange Scan exception in SEP

    Posted Nov 12, 2013 07:23 AM

    Hi all,

    On a customer's terminal server we found a suspicious Endpoint Protection scan exception. We can't delete the exception, and it is not defined in the global scan exceptions on the SEPM server. Where does the exception come from, and could it be a leftover from an active attack?


    scan_excp.jpg

    Thanks for any idea.

    Regards,



  • 2.  RE: strange Scan exception in SEP

    Trusted Advisor
    Posted Nov 12, 2013 07:29 AM

    Hello,

    This is a User-defined Exception created by the user on the SEP client.

    Symantec Endpoint Protection would scan the file when an Administrator scan (from SEPM) is run on the machine.

    Any exception that you as an Administrator create takes precedence over any exception that a user might define. On client computers, users cannot view the exceptions that you create on SEPM. A user can view only the exceptions that the user creates under User-defined Exception.

    See Managing exceptions for Symantec Endpoint Protection

    See Creating exceptions from log events in Symantec Endpoint Protection Manager

    Reference: http://www.symantec.com/docs/HOWTO55204

    Hope that helps!!



  • 3.  RE: strange Scan exception in SEP

    Posted Nov 12, 2013 07:30 AM

    It's a user-defined exception (see the popup), meaning someone on the server opened the SEP interface, clicked on Exceptions and added this path...




  • 4.  RE: strange Scan exception in SEP

    Posted Nov 12, 2013 07:31 AM

    Someone added it locally (user)

    You can stop users from adding exceptions; see here:

    http://www.symantec.com/docs/TECH104432



  • 5.  RE: strange Scan exception in SEP

    Posted Nov 12, 2013 07:44 AM

    It was NOT defined by a user.

    First: why would one of the users do this?

    Second: they don't have the know-how for that.

    Third: they don't have the rights to do this.

    ...Could this be a security incident?



  • 6.  RE: strange Scan exception in SEP

    Posted Nov 12, 2013 07:53 AM

    It's clearly saying that it's a user-defined exception. If your clients are in mixed mode, they can add exceptions of their own. You have enabled that option, hence this option is enabled; otherwise it will be grayed out.




  • 7.  RE: strange Scan exception in SEP

    Trusted Advisor
    Posted Nov 12, 2013 07:56 AM

    It may have been put in before the policy was enforced within the SEPM. If the locked-down policy advised in Brian's link was not enforced, then it could have been applied by any user, even a non-admin user.

    It wouldn't take someone with much IT knowledge to go into the SEP client, have a look around and add the exception if SEP advised that it was blocking something the user was trying to access.

    I'd make sure Brian's link was followed; this is only a security risk in the current possible policy setup, or prior to the new SEP client checking into the SEPM to get this secure policy.



  • 8.  RE: strange Scan exception in SEP

    Posted Nov 12, 2013 08:36 AM

    It says "user-defined exception"

    It's HIGHLY unlikely some piece of malware has the technical know-how on the inner workings of SEP to do this.

    Either way, if you go to that machine and open the SEP GUI and go to Change Settings >> Exceptions >> Configure Settings and click Add, is the ability to add exceptions there (not greyed out)?



  • 9.  RE: strange Scan exception in SEP

    Posted Nov 13, 2013 03:26 AM

    Everything has been grayed out from the beginning, and I can't even delete the exception. The "Delete" button is grayed out too.



  • 10.  RE: strange Scan exception in SEP

    Trusted Advisor
    Posted Nov 13, 2013 04:03 AM

    Because it will have been put in before the SEPM policy locked it down.

    If you put the machine into a separate group within your SEPM and allow manual editing of these exceptions in the group this machine is in, then you will be able to remove this exception.



  • 11.  RE: strange Scan exception in SEP

    Posted Nov 13, 2013 11:50 AM

    What is the version of the SEP client on this machine?

    Exclusions are stored in the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions), so anyone (user/script) with write permissions over the registry may potentially be able to create such an exclusion, depending on your SEP version/settings (see below).

    REMARK - As other people already said, this can also be done via the client's GUI (unless it has been disabled by policy, which is apparently the case for you because you said everything is greyed out).

    With SEP 11.0, Tamper Protection doesn't protect SEP registry keys (you may, however, use the Application/Device Control module to do so).

    Tamper Protection coming with SEP 12.1 does protect registry values, and its default action is set to Block, so it wouldn't be possible for someone well- or badly-intentioned to create such an exclusion, unless this user once had his client's policy configured to allow him to create user-defined exceptions.

    Finally, it can be a legacy entry created a while ago, when the SEP client wasn't configured properly.

    If you have admin rights, you can browse the registry and delete this exclusion manually (back up the registry, go to the path mentioned above, then search for the "download[1].exe" keyword, and delete the key where it is found). If the client version is SEP 12.1, you would need to temporarily disable Tamper Protection first.

    NOTE - "first: why should someone of the user do this" => never underestimate what users are capable of  :)
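An added read-only audit script (not from the thread or from Symantec) that walks the registry path named in the post above, flags any exclusion entry whose data contains a keyword, and lists which principals hold write rights on that key, so an administrator can judge whether a non-admin user or a script could have created the entry. The value names under that path are not assumed; the script matches on value contents. The keyword `download[1].exe` is the one from the post.

```powershell
# Added example: read-only audit of SEP AV exclusions kept in the registry.
# The registry path is the one given in the thread; value names vary by SEP
# version, so every value under every subkey is inspected by content.
param(
    [string]$Keyword = 'download[1].exe',   # keyword taken from the thread
    [string]$Root = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions'
)

$WriteRights = 'SetValue|CreateSubKey|WriteKey|FullControl'

function Get-RegistryWriters {
    # Returns the principals whose ACEs allow modifying the registry key.
    param([string]$PSPath)
    (Get-Acl -LiteralPath $PSPath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       "$($_.RegistryRights)" -match $WriteRights } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

function Find-SepExclusion {
    param([string]$Root, [string]$Keyword)
    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "Not found: $Root (layout differs between SEP versions)"
        return
    }
    $keys = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            # Plain substring test: -like would treat the '[1]' in the
            # keyword as a wildcard character class and miss the entry.
            if ($data.IndexOf($Keyword, [StringComparison]::OrdinalIgnoreCase) -lt 0) {
                continue
            }
            [pscustomobject]@{
                Key       = $key.Name
                ValueName = $name
                Data      = $data
                # Anyone listed here besides SYSTEM/Administrators could
                # have written the entry without touching the SEP GUI.
                Writers   = (Get-RegistryWriters $key.PSPath) -join ', '
            }
        }
    }
}

Find-SepExclusion -Root $Root -Keyword $Keyword | Format-List
```

Run it from an elevated PowerShell prompt; it only reads, so the backup and Tamper Protection steps from the post still apply if you decide to remove the entry afterwards.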