Endpoint Protection

  • 1.  Symantec antivirus; tamper protection blocking ERSvc (error reporting service)

    Posted Dec 19, 2013 01:49 PM

    Hi, this is my first post; hope this is in the right place. So a client of ours has been getting a MS Visual C++ Runtime Library pop-up error for the last few days. Looked into it a bit and see in the event logs a string of entries that are always coincidentally happening around the same time as the runtime error. Generally the runtime error happens at 4 hour intervals at around 7am, 11am, 3pm, 7pm, followed by entries in the application log from Symantec regarding tamper protection blocking svchost.exe PID 1484 (that PID corresponds to ERSvc, error reporting service) from GFValidate.exe. Here's the entry:

     
    SYMANTEC TAMPER PROTECTION ALERT
     
    Target:  C:\Program Files\Symantec\Symantec Protection Center\bin\GFValidate.exe
    Event Info:  Suspend Thread
    Action Taken:  Blocked
    Actor Process:  C:\WINDOWS\System32\svchost.exe (PID 1484)
    Time:  Thursday, December 19, 2013  11:19:21 AM
     
     
    That entry repeats 3-4 times, followed by this:
     
    Faulting application GFValidate.exe, version 12.0.122.176, faulting module msvcr80.dll, version 8.0.50727.3053, fault address 0x000046b4.
     
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
     
     
    Not sure why ERSvc is being blocked at those times, and not at other times, since it's a valid Windows service and is constantly running. Any suggestions would be greatly appreciated as to whether this is a legit threat that's being detected, or a false alarm, and if so whether it's possible/safe to allow this as an exception within tamper protection. Let me know if more info is needed.
     
    Some basics: They have Symantec Protection Center, and Symantec Antivirus 10.1.5.5000, and Windows Server 2k3. 
     
    Thanks!
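
    The alert format quoted in the post above can be parsed and checked for the repeat-then-recur pattern it describes. This is an added example, not part of the original thread or any Symantec tooling; only the 11:19:21 AM alert comes from the post, and the other timestamps, the 60-second burst window and all function names are assumptions made for illustration.

```python
import re
from datetime import datetime

ALERT = """SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\\Program Files\\Symantec\\Symantec Protection Center\\bin\\GFValidate.exe
Event Info:  Suspend Thread
Action Taken:  Blocked
Actor Process:  C:\\WINDOWS\\System32\\svchost.exe (PID 1484)
Time:  Thursday, December 19, 2013  {t}
"""
# Constructed sample: only the 11:19:21 AM alert is from the post; the other
# times are made up to mimic the repeats and 4-hour cadence it describes.
SAMPLE = "\n".join(ALERT.format(t=t) for t in
    ["07:19:20 AM", "07:19:22 AM", "11:19:21 AM", "11:19:23 AM", "03:19:21 PM"])

FIELD = re.compile(r"^\s*(Target|Event Info|Action Taken|Actor Process|Time):\s*(.+?)\s*$", re.M)
ACTOR = re.compile(r"^(?P<path>.+?)\s+\(PID (?P<pid>\d+)\)$")

def parse_alerts(text):
    """Split a log export on the alert banner and return one dict per alert."""
    alerts = []
    for block in text.split("SYMANTEC TAMPER PROTECTION ALERT")[1:]:
        rec = dict(FIELD.findall(block))
        m = ACTOR.match(rec.get("Actor Process", ""))
        if not m or "Time" not in rec:
            continue  # skip truncated entries rather than guess at fields
        rec["actor"], rec["pid"] = m["path"], int(m["pid"])
        rec["when"] = datetime.strptime(" ".join(rec["Time"].split()),
                                        "%A, %B %d, %Y %I:%M:%S %p")
        alerts.append(rec)
    return alerts

def bursts(alerts, gap_seconds=60):
    """Collapse alerts from the same actor/target within gap_seconds into one burst."""
    out = []
    for a in sorted(alerts, key=lambda r: r["when"]):
        last = out[-1] if out else None
        if (last and last["key"] == (a["actor"], a["Target"])
                and (a["when"] - last["end"]).total_seconds() <= gap_seconds):
            last["end"], last["count"] = a["when"], last["count"] + 1
        else:
            out.append({"key": (a["actor"], a["Target"]), "start": a["when"],
                        "end": a["when"], "count": 1})
    return out

def burst_intervals_hours(bs):
    """Hours between consecutive burst starts; a steady value points to a scheduled task."""
    return [round((b["start"] - a["start"]).total_seconds() / 3600, 1) for a, b in zip(bs, bs[1:])]
```

    A constant interval between bursts from the same actor and target is what separates a recurring scheduled action from sporadic tampering attempts when triaging these alerts.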

     



  • 2.  RE: Symantec antivirus; tamper protection blocking ERSvc (error reporting service)
    Best Answer

    Posted Dec 19, 2013 01:58 PM

    For whatever reason that svchost service is trying to "tamper" with a SAV process. You can't add tamper protection exceptions in SAV like you can for SEP. Have you tried disabling tamper protection for this machine?

    Unlock your server group in the Symantec System Centre
    Right click your Primary Parent Server
    Navigate to All Tasks > Symantec AntiVirus > Client Tamper Protection Options.
    You can then de-select the options as required to disable this feature.

    BTW, SAV is end of life, you may want to consider upgrading soon.

     



  • 3.  RE: Symantec antivirus; tamper protection blocking ERSvc (error reporting service)

    Posted Dec 19, 2013 02:01 PM


  • 4.  RE: Symantec antivirus; tamper protection blocking ERSvc (error reporting service)

    Posted Dec 19, 2013 02:18 PM

    Thanks for the quick responses. It's a Pentium 4 computer running Server 2k3, so it's not just the AV that's outdated... and believe me, we've been hinting at it for years. Actually they may be forced to upgrade soon since it's a doctor's office and XP/2k3 may not be HIPAA compliant as of April. But that's a whole other issue.

    So it's safe to just disable tamper protection completely? I'm assuming tamper protection is there to help more than be an annoyance (even if according to the tamper protection log this is the only thing that has shown up in the last 5 years). 



  • 5.  RE: Symantec antivirus; tamper protection blocking ERSvc (error reporting service)

    Posted Dec 19, 2013 02:19 PM

    Since there is no ability to add tamper protection exceptions in SAV (there is this ability in SEP), you'll likely need to disable.

    Tamper protection protects against unknown/malicious processes from stopping SAV processes.



  • 6.  RE: Symantec antivirus; tamper protection blocking ERSvc (error reporting service)

    Posted Dec 19, 2013 02:27 PM

    Ok, so as long as they have SAV it's either live with the error messages or disable tamper protection--got it. Or upgrade to SEP. Thanks for all the help!



  • 7.  RE: Symantec antivirus; tamper protection blocking ERSvc (error reporting service)

    Posted Dec 19, 2013 02:28 PM

    Those are the only options for now... unless you get right to SEP ;)



  • 8.  RE: Symantec antivirus; tamper protection blocking ERSvc (error reporting service)

    Posted Dec 19, 2013 03:12 PM

    What does being end of life entail exactly? They still receive virus definition updates. Just curious.



  • 9.  RE: Symantec antivirus; tamper protection blocking ERSvc (error reporting service)

    Posted Dec 19, 2013 03:17 PM

    Check this out

    End of Life announcement for Symantec AntiVirus Corporate Edition and Symantec Client Security

    Article:TECH178551  |  Created: 2012-01-09  |  Updated: 2013-06-21  |  Article URL http://www.symantec.com/docs/TECH178551