Endpoint Protection

  • 1.  SYMANTEC TAMPER PROTECTION ALERT on XP Pro

    Posted Feb 13, 2008 04:09 PM
    From the application event log I found a large number of the following:
    Event Type: Error
    Event Source: Symantec AntiVirus
    Event Category: None
    Event ID: 45
    Date:  08-02-11
    Time:  03:15:46 P
    User:  NT AUTHORITY\SYSTEM
    Computer: myPC2
    Description:
    SYMANTEC TAMPER PROTECTION ALERT
    Target:  C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    Event Info:  Set Information Process
    Action Taken:  Blocked
    Actor Process:  c:\util\microsoft\VirtualServer\vmh.exe (PID 220)
    Time:  February 11, 2008  03:15:46

    Event Type: Error
    Event Source: Symantec AntiVirus
    Event Category: None
    Event ID: 45
    Date:  08-02-11
    Time:  03:15:46 P
    User:  NT AUTHORITY\SYSTEM
    Computer: myPC2
    Description:
    SYMANTEC TAMPER PROTECTION ALERT
    Target:  C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    Event Info:  Set Information Process
    Action Taken:  Blocked
    Actor Process:  c:\util\microsoft\VirtualServer\vmh.exe (PID 220)
    Time:  February 11, 2008  03:15:46

    Event Type: Error
    Event Source: Symantec AntiVirus
    Event Category: None
    Event ID: 45
    Date:  08-02-11
    Time:  03:15:46 P
    User:  NT AUTHORITY\SYSTEM
    Computer: myPC2
    Description:
    SYMANTEC TAMPER PROTECTION ALERT
    Target:  C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    Event Info:  Set Information Process
    Action Taken:  Blocked
    Actor Process:  c:\util\microsoft\VirtualServer\vmh.exe (PID 220)
    Time:  February 11, 2008  03:15:46

    Event Type: Error
    Event Source: Symantec AntiVirus
    Event Category: None
    Event ID: 45
    Date:  08-02-11
    Time:  03:15:46 P
    User:  NT AUTHORITY\SYSTEM
    Computer: myPC2
    Description:
    SYMANTEC TAMPER PROTECTION ALERT
    Target:  c:\Program Files\Symantec\Client Security\Symantec Client
    Firewall\ISSVC.exe
    Event Info:  Set Information Process
    Action Taken:  Blocked
    Actor Process:  c:\util\microsoft\VirtualServer\vmh.exe (PID 220)
    Time:  February 11, 2008  03:15:46
    ...... many more entries on different components of Symantec AV.
    I tried getting support on this issue from Microsoft.  However, John of the private newsgroup for Virtual Server said we need to get the Symantec support team involved.
    Thank you for your time and effort.
    Attached below is the reply I got from Microsoft:
    "John Huang[MSFT]" <v-johnhu@microsoft.com> wrote in message news:ZoWFk7hbIHA.4720@TK2MSFTNGHUB02.phx.gbl...
    > Hi,
    >
    > Thank you for your reply.
    >
    > These events obviously indicate that Symantec Tamper Protection blocks
    > the VMH.exe process. This doesn't mean that VMH.exe tries to access the
    > Symantec components. I have confirmed with our product group and I am
    > informed that VMH.exe wouldn't change Symantec's components.
    >
    > Based on my research, this is related to why Symantec Tamper Protection
    > tries to block VMH.exe and how it works. So we need to involve
    > Symantec in this post. In the Symantec technical forum, I noticed a similar
    > post:
    >
    > SYMANTEC TAMPER PROTECTION ALERT
    > https://forums.symantec.com/syment/board/message?board.id=sav10x&thread.id=232
    >
    > Also for more information about these events for Symantec AntiVirus, please
    > view the URL below:
    >
    > http://www.eventid.net/display.asp?eventid=45&eventno=8599&source=Symantec%20AntiVirus&phase=1
    >
    > Thank you for your understanding.
    >
    > Best regards,
    >
    > John Huang
    >
    > Microsoft Online Partner Support
    > Get Secure! - www.microsoft.com/security
    > ======================================================
    > PLEASE NOTE:
    > The newsgroup SECURE CODE and PASSWORD changes have been delayed.
    >
    > Please complete a re-registration process by entering the secure code
    > mpng2008 when prompted at the Newsgroup entry page.Once you have entered
    > the secure code mpng2008, you will beable to update your profile and access
    > the partner newsgroups through the web or your NNTP account.
    >
    > * * *  OUR APOLOGIES FOR ANY INCONVENIENCE * * *
    > ======================================================
    > When responding to posts, please "Reply to Group" via your newsreader so
    > that others may learn and benefit from this issue.
    > ======================================================
    > This posting is provided "AS IS" with no warranties, and confers no rights.
    > ======================================================
    >
    > From: "tsix" <privatenews.microsoft.com@msnews.Nomail.com>
    > Subject: Re: how to secure vmh?
    > Date: Tue, 12 Feb 2008 18:17:48 -0700
    > Newsgroups: microsoft.private.directaccess.virtualserver
    >
    > Pardon me, the Symantec AV is not blocking vmh activity with regard to changing
    > settings on the Symantec components.  VMH has no business changing settings
    > on, or making any change to, Symantec AV, period.
    >
    > Administrative tasks of the VS were allowed and there were no problems in
    > that area.
    >
    > How did I come to conclude the Symantec AV is being tampered with?
    From the application event log I got a large number of the following:
    Event Type: Error
    Event Source: Symantec AntiVirus
    Event Category: None
    Event ID: 45
    Date:  08-02-11
    Time:  03:15:46 P
    User:  NT AUTHORITY\SYSTEM
    Computer: myPC2
    Description:

    SYMANTEC TAMPER PROTECTION ALERT
    Target:  C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    Event Info:  Set Information Process
    Action Taken:  Blocked
    Actor Process:  c:\util\microsoft\VirtualServer\vmh.exe (PID 220)
    Time:  February 11, 2008  03:15:46

    Event Type: Error
    Event Source: Symantec AntiVirus
    Event Category: None
    Event ID: 45
    Date:  08-02-11
    Time:  03:15:46 P
    User:  NT AUTHORITY\SYSTEM
    Computer: myPC2
    Description:

    SYMANTEC TAMPER PROTECTION ALERT
    Target:  C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    Event Info:  Set Information Process
    Action Taken:  Blocked
    Actor Process:  c:\util\microsoft\VirtualServer\vmh.exe (PID 220)
    Time:  February 11, 2008  03:15:46

    Event Type: Error
    Event Source: Symantec AntiVirus
    Event Category: None
    Event ID: 45
    Date:  08-02-11
    Time:  03:15:46 P
    User:  NT AUTHORITY\SYSTEM
    Computer: myPC2
    Description:

    SYMANTEC TAMPER PROTECTION ALERT
    Target:  C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    Event Info:  Set Information Process
    Action Taken:  Blocked
    Actor Process:  c:\util\microsoft\VirtualServer\vmh.exe (PID 220)
    Time:  February 11, 2008  03:15:46

    Event Type: Error
    Event Source: Symantec AntiVirus
    Event Category: None
    Event ID: 45
    Date:  08-02-11
    Time:  03:15:46 P
    User:  NT AUTHORITY\SYSTEM
    Computer: myPC2
    Description:

    SYMANTEC TAMPER PROTECTION ALERT
    Target:  c:\Program Files\Symantec\Client Security\Symantec Client
    Firewall\ISSVC.exe
    Event Info:  Set Information Process
    Action Taken:  Blocked
    Actor Process:  c:\util\microsoft\VirtualServer\vmh.exe (PID 220)
    Time:  February 11, 2008  03:15:46
    ...... many more entries on different components of Symantec AV.
    They are all logged not because of network access but because of apparent
    attempts to change settings of Symantec components, and the tamper-proof lock
    stopped them.
    Just the large number of log entries like this is a concern in terms of
    security and performance.
    "John Huang[MSFT]" <v-johnhu@microsoft.com> wrote in message
    news:SgsmZVJbIHA.1500@TK2MSFTNGHUB02.phx.gbl...
    > Hi,
    >
    > Thank you for your reply.
    >
    > I know you want to know why the Virtual Machine will try to change settings
    > for Symantec Client Security. May I know how you noticed this scenario?
    >
    > The Virtual Machine Helper service (Vmh.exe) is a component of Virtual
    > Server 2005 that allows you to run a virtual machine in the context of a
    > specified user account. The virtual machine uses this account for accessing
    > network resources. Scripts also run under this account. If you do not
    > specify a user account, the virtual machine runs under the account of the
    > user who started the virtual machine.
    >
    > I think this service won't be misused to attack the server security. This
    > scenario might happen when the VM tries to access network resources
    > and the Symantec AV is monitoring the network resources at the same time. I
    > know you have added some file extensions to the Symantec AV exclusion list.
    > Given the current situation, please also add the following two processes to
    > the exclusion list:
    >
    > Vmh.exe
    > Vssrvc.exe
    >
    > Also I would like to suggest contacting Symantec to see if there is any
    > information for this scenario. Based on my experience, VMH.exe won't
    > affect the server security.
    >
    > Have a nice day.
    >
    > Best regards,
    >
    > John Huang
    >
    > Microsoft Online Partner Support
    > Get Secure! - www.microsoft.com/security
    >
    > From: "tsix" <privatenews.microsoft.com@msnews.Nomail.com>
    > Subject: Re: how to secure vmh?
    > Date: Sun, 10 Feb 2008 21:08:38 -0700
    > Newsgroups: microsoft.private.directaccess.virtualserver
    >
    > I have secured VS, though I have not gone all out to secure IIS, i.e. to
    > run IIS with worker thread.... under a non-system ID.
    >
    > Prior to this incident I already had vhd, vmc, vfd and iso excluded from
    > scanning.
    > I will try adding vs vud just in case it may improve performance; however I
    > still don't see why vmh tries to change settings for various components of
    > Symantec Client Security.


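    The open question in the post above is whether a long run of Event ID 45 entries from one actor is a tampering attempt or noise, and the first thing to establish is which actor processes are hitting which Symantec components, how often, and whether the action was blocked. The script below is an added example for this thread, not code from the original post, from Symantec or from Microsoft. It parses an Event Viewer text export in the layout pasted above (including a Target path that Event Viewer wrapped onto a second line, as happened with ISSVC.exe), counts blocked tamper alerts per actor and target, and lists actors that are not on an allow-list. The sample records are constructed to match the thread's entries; the second actor, c:\tools\example_monitor.exe, and the allow-list contents are hypothetical.

```python
"""Triage Symantec Tamper Protection alerts (Event ID 45) from an Event Viewer text
dump.  Added example for this thread, not code from the original post, Symantec or
Microsoft; sample records are constructed, and example_monitor.exe is hypothetical."""
import re
from collections import Counter

# Field names in an Event Viewer text export; any other line is a wrapped
# continuation of the previous field (long Target paths wrap, as in the thread).
KNOWN_KEYS = {"Event Type", "Event Source", "Event Category", "Event ID", "Date", "Time",
              "User", "Computer", "Description", "Target", "Event Info", "Action Taken",
              "Actor Process"}
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")
ACTOR_RE = re.compile(r"^(.*?)\s*\(PID\s+(\d+)\)\s*$")

RECORD_TEMPLATE = r"""Event Type: Error
Event Source: Symantec AntiVirus
Event Category: None
Event ID: 45
Date:  08-02-11
Time:  03:15:46 P
User:  NT AUTHORITY\SYSTEM
Computer: myPC2
Description:
SYMANTEC TAMPER PROTECTION ALERT
Target:  {target}
Event Info:  Set Information Process
Action Taken:  {action}
Actor Process:  {actor} (PID {pid})
Time:  February 11, 2008  03:15:46
"""

VMH = r"c:\util\microsoft\VirtualServer\vmh.exe"
# Constructed sample: the thread's four targets (one hit twice) plus a hypothetical second actor.
SAMPLE_LOG = "\n".join(
    RECORD_TEMPLATE.format(target=t, action=a, actor=p, pid=i) for t, a, p, i in [
        (r"C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe", "Blocked", VMH, 220),
        (r"C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe", "Blocked", VMH, 220),
        (r"C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe", "Blocked", VMH, 220),
        # Event Viewer wrapped this long path onto a second line, as in the thread.
        ("c:\\Program Files\\Symantec\\Client Security\\Symantec Client\nFirewall\\ISSVC.exe",
         "Blocked", VMH, 220),
        (r"C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe", "Blocked", VMH, 220),
        (r"C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe", "Blocked",
         r"c:\tools\example_monitor.exe", 3012),
    ])

def _normalize(rec):
    """Flatten one raw field dict; split 'path (PID n)' into actor path and PID."""
    m = ACTOR_RE.match(rec.get("Actor Process", ""))
    return {
        "source": rec.get("Event Source", ""),
        "event_id": int(rec.get("Event ID") or 0),
        "description": rec.get("Description", ""),
        "target": rec.get("Target", ""),
        "action": rec.get("Action Taken", ""),
        "actor": m.group(1) if m else rec.get("Actor Process", ""),
        "actor_pid": int(m.group(2)) if m else None,
    }

def parse_events(text):
    """Split a dump into records (each starts at 'Event Type:') and parse them."""
    records, current, prev_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m and m.group(1) in KNOWN_KEYS:
            key, value = m.group(1), m.group(2).strip()
            if key == "Event Type":          # a new record begins
                current = {}
                records.append(current)
            if current is None:              # stray text before the first record
                continue
            current[key] = value             # repeated key (Time) keeps the last value
            prev_key = key
        elif current is not None and prev_key is not None:
            # Continuation: rest of a wrapped path, or the ALERT banner under 'Description:'
            current[prev_key] = (current[prev_key] + " " + line).strip()
    return [_normalize(r) for r in records]

def is_tamper_alert(ev):
    return (ev["source"] == "Symantec AntiVirus" and ev["event_id"] == 45
            and "TAMPER PROTECTION" in ev["description"])

def summarize(events):
    """Count tamper alerts per (actor, target), case-folded for Windows paths."""
    return Counter((ev["actor"].lower(), ev["target"].lower())
                   for ev in events if is_tamper_alert(ev))

def flag_unexpected_actors(events, allowed=()):
    """Actors with a blocked tamper alert that are not on the allow-list, sorted."""
    seen = {ev["actor"].lower() for ev in events if is_tamper_alert(ev) and ev["action"] == "Blocked"}
    return sorted(seen - {a.lower() for a in allowed})

if __name__ == "__main__":
    for (actor, target), n in sorted(summarize(parse_events(SAMPLE_LOG)).items()):
        print(f"{n:3d}  {actor}  ->  {target}")
```

    On the affected host you would feed parse_events the Application log saved from Event Viewer as text rather than the embedded sample; records are split on the "Event Type:" line, so any number of pasted entries works. Once you are satisfied that an actor is a legitimate management component, add its path to the allow-list; anything else performing "Set Information Process" against Symantec services is what deserves a look at the process itself.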
  • 2.  RE: SYMANTEC TAMPER PROTECTION ALERT on XP Pro

    Posted Feb 17, 2008 04:38 PM
    Hi ...

    Please give me the Symantec version you are using. You can download Maintenance Patch 1 for MR6;
    that should solve your problem.

    Regards

    Chaitanya
    System Administrator