
Symantec Tamper Protection alert message

Created: 13 Nov 2011 | 9 comments

Dear Member,

This morning I got an alert message on my notebook:

Symantec Tamper Protection Alert

Target C:\Program Files\Symantec\LiveUpdate\LuCallbackproxy.....

Event Info:...

Action Taken:logged

.....

.....

What does it mean?

Regards

WxB


pete_4u2002's picture

The image is not clear; however, the exe process under system32 is trying to stop/modify luallcallbackproxy.exe, which is not normal.

When any process tries to stop and modify a Symantec-related process, Tamper Protection alerts are observed.

Wandi Budiman's picture

Does it mean that this process (luallcallbackproxy.exe) poses a risk to my NB?

Regards
Wandi Arian Budiman

pete_4u2002's picture

No, lucallbackproxy is a Symantec-related exe. The other exe in system32 is, for some reason, trying to change lucallbackproxy. Is the exe under system32 an abnormal file? If not, set a Tamper Protection exception.

Mithun Sanghavi's picture

Hello,

Symantec blocks/logs the application when it finds the application to be suspicious.

C:\Windows\system32\taskhost.exe is a suspicious file which is trying to stop the Symantec LuCallbackProxy.exe.

Could you please submit the suspicious file to the Symantec Security Response Team at:

https://submit.symantec.com/websubmit/essential.cgi

OR / AND

http://www.threatexpert.com/submit.aspx

You can later on create a Tamper Protection exception as well for the same.

How to Create Exceptions or Exclusions for Tamper Protection Alerts that have already been logged

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


Lisa123's picture

Sorry if this is in the wrong place, but I've had this notification today after downloading Advanced System Care and need to know if it's important.

SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info:  Set Information Process
Action Taken:  Logged
Actor Process:  C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe (PID 7368)
Time:  17 November 2011  17:46:08

Many thanks

Marius Salay's picture

According to http://www.systemlookup.com/search.php?type=filename&client=malwaresearch-ff&search=taskhost.exe, there is malware which uses a file with the same name, but at another location in the filesystem. The file in %system% should be the right one - so that must be a false positive.

Contact support about this.

@Lisa123: ASCService.exe is from China and a known spy/info-stealing application! Have a look at this: http://www.spywareinfoforum.com/index.php?showtopic=126267

Your Tamper Protection was right. Get rid of this software, it is not to be trusted!

Regards,

Marius
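
An added example (not part of the original thread and not Symantec tooling): a parser for the alert layout quoted in this thread, plus the location check described above, where an actor that carries a system binary's name but sits outside the system folders is flagged. The sample alert, the folder list and the name list are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the layout of the alerts quoted in this thread.
SAMPLE_ALERT = r"""SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info:  Set Information Process
Action Taken:  Logged
Actor Process:  C:\Users\Public\taskhost.exe (PID 4242)
Time:  17 November 2011  17:46:08
"""

FIELDS = ("Target", "Event Info", "Action Taken", "Actor Process", "Time")
# Assumption: directories where a Windows system binary is expected to live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: short illustrative list of system binary names to check.
SYSTEM_NAMES = {"taskhost.exe", "svchost.exe", "lsass.exe"}


def parse_alert(text):
    """Return the alert fields as a dict; the PID is split off Actor Process."""
    alert = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in FIELDS:
            alert[key.strip()] = value.strip()
    m = re.match(r"(.+?)\s*\(PID (\d+)\)$", alert.get("Actor Process", ""))
    if m:
        alert["Actor Process"], alert["PID"] = m.group(1), int(m.group(2))
    return alert


def triage(alert):
    """Classify the actor process by file name and folder."""
    actor = PureWindowsPath(alert["Actor Process"])
    name, folder = actor.name.lower(), str(actor.parent).lower()
    if name in SYSTEM_NAMES:
        # Same name as a system binary: only the system folders are expected.
        return "system-path" if folder in SYSTEM_DIRS else "masquerade-suspect"
    return "third-party"


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    print(alert["Actor Process"], alert["PID"], triage(alert))
```

A `system-path` result only says the location matches the expected folder; it does not verify the file itself.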

KHCer's picture

SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Common Files\Symantec Shared\ccApp.exe

Event Info:  Set Information Process

Action Taken:  Logged

Actor Process:  C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe (PID 884)

Time:  Wednesday, February 29, 2012  9:53:01 AM

This is what pops up almost every day when using our email. What do I do to keep this from popping up?

Thanks

Vera

Thomas K's picture

@KHCer,

It looks like Advanced SystemCare is attempting to tamper with Symantec. From their product page, it looks like the product has some security features. Running two security products on the same system can cause problems, and is not recommended.

Advanced SystemCare

Defends PC security with extra protection Enhanced

Detects and analyzes Windows security environment. Scans and removes spyware and adware using up-to-date definition files in order to prevent spyware, hackers and hijackers from installing malicious programs on your computer. Erases and updates your PC's activity histories.

NRaj's picture

As Thomas has mentioned, it is not advisable to have 2 security products on the same machine. And here ASC is trying to modify SEP. If ASC is important, you may have to create exclusions for tamper protection.

The below link might help.

http://www.symantec.com/docs/TECH92553