tamper exceptions not working. syntax?
SEP 12.1.1000.157 RU1.
client is getting a lot of event id 45 in the application log:
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
Event Info: Open Process
ActionTaken: Logged
Actor Process: C:\PROGRAM FILES\EMC\HOSTAGENT\HOSTAGENT.EXE (PID 3520)
Time: Wednesday, December 05, 2012 9:42:31 AM
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
Event Info: Open Process
ActionTaken: Logged
Actor Process: C:\PROGRAM FILES\AVS\BIN\AVAGENT.EXE (PID 2204)
i assumed i was supposed to create tamper exceptions for the actor processes. i have done so, and applied them to this client (and others):
%[PROGRAM FILES]%AVS\BIN\AVAGENT.EXE
%[PROGRAM FILES]%EMC\HOSTAGENT\HOSTAGENT.EXE
(and even for grins, put the explicit path to avagent.exe)
C:\PROGRAM FILES\AVS\BIN\AVAGENT.EXE
yet the event ID 45 events persist. i don't think this tamper protection is actually doing anything other than logging (a lot of) event id 45. am i wrong to expect the tamper exceptions to stop these events?
Check this KB article:
https://www.symantec.com/business/support/index?pa...
SEP Knowledge Base
Endpoint SWAT
thanks Brian. the behavior has persisted through a few reboots of both the client and the sep management server. from your link i checked the http://www.symantec.com/business/support/index?page=content&id=TECH171057 link. i'm not sure if we've installed "maintenance patch 1" yet, i'm not the primary symantec guy. can i tell from my help/about version number:
SEP 12.1.1000.157 RU1
You're currently on RU1.
You can go straight to RU2 which just came out a few weeks ago.
There was a fix for tamper protection exceptions not being honored in the RU1 MP1 release; you are currently on the release previous to this. The latest RU2 release will include this fix, and I would recommend upgrading to this build. Below is the fix ID for this in RU1 MP1.
If I was able to help resolve your issue please mark my post as solution.