
strange Scan exception in SEP

Created: 12 Nov 2013 | 10 comments
Elements_Media:

Hi all,

On a customer's terminal server we found a suspicious Endpoint Protection scan exception. We can't delete the exception, and it is not defined in the global scan exceptions on the SEPM server. Where does the exception come from, and could it be a leftover from an active attack?

[attachment: scan_excp.jpg]

Thanks for any idea.


Regards,


Mithun Sanghavi:

Hello,

This is a User-defined Exception created by the user on the SEP client.

Symantec Endpoint Protection would scan the file when an Administrator scan (from SEPM) is run on the machine.

Any exception that you as an Administrator create takes precedence over any exception that a user might define. On client computers, users cannot view the exceptions that you create on SEPM. A user can view only the exceptions that the user creates under User-defined Exception.

See Managing exceptions for Symantec Endpoint Protection

See Creating exceptions from log events in Symantec Endpoint Protection Manager

Reference: http://www.symantec.com/docs/HOWTO55204

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Rafeeq:

It's a user-defined exception (see the popup), meaning someone on the server opened the SEP interface, clicked on Exceptions and added this path...

.Brian:

Someone added it locally (a user).

You can stop users from adding exceptions; see here:

http://www.symantec.com/docs/TECH104432

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Elements_Media:

It WAS not defined by a user.

First: why would one of the users do this?

Second: they don't have the know-how for that.

Third: they don't have the rights to do this.

...Could this be a security incident?

.Brian:

It says "user-defined exception".

It's HIGHLY unlikely some piece of malware has the technical know-how on the inner workings of SEP to do this.

Either way, if you go to that machine and open the SEP GUI and go to Change Settings >> Exceptions >> Configure Settings and click Add, is the ability to add exceptions there (not greyed out)?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Rafeeq:

It's clearly saying that it's a user-defined exception. If your clients are in mixed mode, they can add exceptions of their own. You have enabled that option, hence this option is enabled; otherwise it would be grayed out.

GeoGeo:

It may have been put in before the policy was enforced within the SEPM. If the locked-down policy advised in Brian's link was not enforced, then it could have been applied by any user, even a non-admin user.

It wouldn't take much IT knowledge for someone to go into the SEP client, have a look around and add the exception if SEP advised that it was blocking something the user was trying to access.

I'd make sure Brian's link was followed; this is only a security risk in the current possible policy setup, or prior to the new SEP client checking into the SEPM to get this secure policy.

Please review ideas and vote there could be something useful :)

https://www-secure.symantec.com/connect/security/ideas

Elements_Media:

Everything is grayed out from the beginning on, and I can't even delete the exception. The "Delete" button is grayed out too.

GeoGeo:

Because it will have been put in before the SEPM policy locked it down.

If you put the machine into a separate group within your SEPM and allow manual editing of these exceptions in the group this machine is in, then you will be able to remove this exception.

Please review ideas and vote there could be something useful :)

https://www-secure.symantec.com/connect/security/ideas

John Q.:

What is the version of the SEP client on this machine?

Exclusions are stored in the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions), so anyone (user/script) with Write permissions over the registry may potentially be able to create such an exclusion, depending on your SEP version/settings (see below).

REMARK - As other people already said, this can also be done via the client's GUI (unless it has been disabled by policy, which is apparently the case for you because you said everything is greyed out).

With SEP 11.0, Tamper Protection doesn't protect SEP registry keys (you may however use the Application/Device Control module to do so).

Tamper Protection coming with SEP 12.1 does protect registry values, and its default action is set to Block, so it wouldn't be possible for someone, well- or badly-intentioned, to create such an exclusion, unless this user had at some point had his client's policy configured to allow him to create user-defined exceptions.

Finally, it could be a legacy entry created a while ago, when the SEP client wasn't configured in a proper way.

If you have admin rights, you can browse the registry and delete this exclusion manually (back up the registry, go to the path mentioned above, search for the "download[1].exe" keyword, and delete the key where it is found). If the client version is SEP 12.1, you would need to temporarily disable Tamper Protection first.

NOTE - "first: why should someone of the user do this" => never underestimate what users are capable of :)

 

Please remember to mark the proper comment as SOLUTION:
 - to identify threads that do not require further assistance
 - to let other visitors know how to fix such issue
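The registry location John Q. quotes above is what makes an audit of this practical. The following PowerShell script is an added example, not code from the thread or from Symantec: it walks the exclusion key, dumps every value under each subkey (the value names vary by SEP version, so none are assumed), and flags entries matching a constructed list of patterns a defender would want to review, such as the browser-cache naming in the screenshot (download[1].exe). It only reads the registry; deleting an entry stays a manual step, with the Tamper Protection caveat from the post above. The pattern list and the CSV output path are assumptions to tune for your environment.

```powershell
# Added example (not from the thread): audit SEP AV exclusions stored in the registry.
# Assumption: the key path quoted by John Q.; value names under each subkey differ
# between SEP versions, so every value is listed rather than specific names.

$ExclusionRoot = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions'

# Constructed review list: patterns that rarely belong in a sanctioned exclusion.
$SuspiciousPatterns = @(
    '\[\d+\]\.exe',              # browser cache naming, e.g. download[1].exe
    'Temporary Internet Files',
    '\\AppData\\Local\\Temp\\',
    '\\Users\\Public\\',
    '^\\\\'                      # exclusion pointing at a UNC path
)

function Get-SepExclusion {
    param([string]$Root = $ExclusionRoot)

    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "Exclusion key not found: $Root (different SEP version, or SEP not installed?)"
        return
    }

    # Each leaf subkey describes one exclusion; -LiteralPath keeps brackets literal.
    Get-ChildItem -LiteralPath $Root -Recurse | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -LiteralPath $key.PSPath

        # Drop the provider metadata (PSPath, PSParentPath, ...) and keep real values.
        $values = $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }

        if ($values) {
            $joined  = $values -join '; '
            $flagged = $false
            foreach ($pattern in $SuspiciousPatterns) {
                if ($joined -match $pattern) { $flagged = $true; break }
            }
            [pscustomobject]@{
                KeyPath = $key.Name
                Values  = $joined
                Flagged = $flagged
            }
        }
    }
}

# Usage: run from an elevated prompt, review the Flagged rows against the SEPM
# exceptions policy, and keep the CSV as a record before anything is removed.
$report = Get-SepExclusion
$report | Sort-Object Flagged -Descending | Format-Table -AutoSize -Wrap
$report | Export-Csv -Path "$env:TEMP\sep-exclusions-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Comparing the CSV against the exceptions defined in SEPM gives the answer the thread is circling around: anything present locally but absent from the policy is either a user-defined entry, a leftover from before the policy locked the client down, or something that was written directly to the registry, which is the case worth investigating further.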