
tamper exceptions not working. syntax?

Created: 05 Dec 2012 | 4 comments

SEP 12.1.1000.157 RU1.

client is getting a lot of event id 45 in the application log:

SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe

Event Info: Open Process

ActionTaken: Logged

Actor Process: C:\PROGRAM FILES\EMC\HOSTAGENT\HOSTAGENT.EXE (PID 3520)

Time: Wednesday, December 05, 2012 9:42:31 AM

Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe

Event Info: Open Process

ActionTaken: Logged

Actor Process: C:\PROGRAM FILES\AVS\BIN\AVAGENT.EXE (PID 2204)

i assumed i was supposed to create tamper exceptions for the actor processes. i have done so, and applied them to this client (and others):

%[PROGRAM FILES]%AVS\BIN\AVAGENT.EXE
%[PROGRAM FILES]%EMC\HOSTAGENT\HOSTAGENT.EXE

(and even for grins, put the explicit path to avagent.exe)
C:\PROGRAM FILES\AVS\BIN\AVAGENT.EXE

yet the event ID 45 events persist. i don't think this tamper protection is actually doing anything other than logging (a lot of) event id 45. am i wrong to expect the tamper exceptions to stop these events?


ᗺrian's picture

Check this KB article:

https://www.symantec.com/business/support/index?pa...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

curtmcgirt's picture

thanks Brian. the behavior has persisted through a few reboots of both the client and the sep management server. from your link i checked the http://www.symantec.com/business/support/index?page=content&id=TECH171057 link. i'm not sure if we've installed "maintenance patch 1" yet, i'm not the primary symantec guy. can i tell from my help/about version number:

SEP 12.1.1000.157 RU1

ᗺrian's picture

You're currently on RU1.

You can go straight to RU2 which just came out a few weeks ago.


Cameron_W's picture

There was a fix for tamper protection exceptions not being honored in the RU1 MP1 release; you are currently on the release previous to this. The latest RU2 release will include this fix, and I would recommend upgrading to this build. Below is the fix ID for this in RU1 MP1.

Tamper Protection exceptions are not honored
Fix ID: 2580578
Symptom: Tamper Protection exceptions are not honored. An excluded process will trigger tamper protection.
Solution: The SEP client was sending a delta of the exclusion list to the BASH component. The client was modified to send the complete list to resolve this issue.

If I was able to help resolve your issue please mark my post as solution.
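
A way to check the symptom discussed in this thread, as an added example that is not part of any post and not Symantec code: it parses the Event ID 45 text quoted in the question and reports which actor processes keep alerting even though an exception already names them. It assumes `%[PROGRAM FILES]%` stands for `C:\Program Files\`, as the paired paths in the question suggest; all function names are illustrative.

```python
import re
from collections import Counter

# Assumption: the prefix variable expands to this folder, trailing backslash
# included, as the question's paired paths for AVAGENT.EXE suggest.
PREFIXES = {"%[PROGRAM FILES]%": "C:\\Program Files\\"}

# Event ID 45 message text as quoted in the thread.
SAMPLE_EVENTS = r"""
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
Event Info: Open Process
ActionTaken: Logged
Actor Process: C:\PROGRAM FILES\EMC\HOSTAGENT\HOSTAGENT.EXE (PID 3520)
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
Event Info: Open Process
ActionTaken: Logged
Actor Process: C:\PROGRAM FILES\AVS\BIN\AVAGENT.EXE (PID 2204)
"""

# Exception entries as listed in the question.
EXCEPTIONS = [
    r"%[PROGRAM FILES]%AVS\BIN\AVAGENT.EXE",
    r"%[PROGRAM FILES]%EMC\HOSTAGENT\HOSTAGENT.EXE",
]

ACTOR_RE = re.compile(r"^Actor Process:\s*(.+?)\s*\(PID\s+\d+\)\s*$", re.M)

def normalize(path):
    """Expand a known prefix variable, then fold slashes and case to compare."""
    for var, real in PREFIXES.items():
        if path.upper().startswith(var):
            path = real + path[len(var):]
    return path.replace("/", "\\").casefold()

def actors(event_text):
    """Count alerts per normalized actor process path."""
    return Counter(normalize(m.group(1)) for m in ACTOR_RE.finditer(event_text))

def triage(event_text, exceptions):
    """Return (actors an exception names yet still alert, actors with none)."""
    covered = {normalize(e) for e in exceptions}
    seen = actors(event_text)
    return (sorted(a for a in seen if a in covered),
            sorted(a for a in seen if a not in covered))

if __name__ == "__main__":
    still_alerting, no_exception = triage(SAMPLE_EVENTS, EXCEPTIONS)
    print("exception present but still alerting:", still_alerting)
    print("no exception defined:", no_exception)
```

Actors in the first list have an exception whose path matches the logged actor, so continued alerts point at the client not honoring the list rather than at the exception syntax.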