
Tamper Protection alert for Adobe Updates

Created: 31 Aug 2012 | 7 comments

We have upgraded to SEP 12.1 RU1, and it seems that the file ADOBEARM.EXE is now causing lots of grief with SEP 12 (we were running SEP 11, and it was fine then). We have added a tamper protection exception for %[PROGRAM_FILES_COMMON]%\ADOBE\ARM\1.0\ADOBEARM.EXE, but alerts still pop up. Does Symantec eventually add safe files to definition updates so that this will stop? I'm not sure what we're missing to stop this from happening after having added the tamper exception.


Cameron_W's picture

In order to make a tamper protection exception, I would recommend following steps 1-13 under the section "How to create exclusions and exceptions for: Tamper Protection" in the document below.

http://www.symantec.com/docs/TECH194821
 

If I was able to help resolve your issue please mark my post as solution.

Srikanth_Subra's picture

Hi,

Please find the article below:

http://www.symantec.com/business/support/index?pag...

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

pete_4u2002's picture

Let me know if this helps.

 

What should I do when I get a Tamper Protection Alert?
http://www.symantec.com/business/support/index?page=content&id=TECH97931

How to Create Exceptions or Exclusions for Tamper Protection Alerts that have already been logged
http://www.symantec.com/business/support/index?page=content&id=TECH92553

Creating Tamper Protection Exception
http://symantec.com/docs/HOWTO55213

Anton Sarukhanov's picture

Hello,

Has anyone determined why AdobeARM.exe actually causes this? I understand that setting an exception will cause SEP to overlook this file, but that becomes a hassle with large numbers of client machines (and possibly new files causing this in the future), and wouldn't that weaken the security of the system in question by allowing that file to be used maliciously and go undetected?

Perhaps my questions would be more appropriate in an Adobe forum but maybe someone here has investigated it.

pete_4u2002's picture

Can you help by answering what the exact message is? Is it related to memory or to access to the registry of SEP?

A screenshot might help.

 

Anton Sarukhanov's picture

No screenshot, unfortunately. I do have the tamper protection log, which I'm attaching here. All the entries are identical, except for the Target and Target Process parameters.

Action Taken: Logged

Object Type: Process

Event: Open

Actor: C:\PROGRAM FILES\COMMON FILES\ADOBE\ARM\1.0\ADOBEARM.EXE

Targets:

  • C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
  • C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\Smc.exe
  • C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\SavUI.exe

Target Processes:

  • C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
  • C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\Smc.exe
  • C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\SavUI.exe

I've also seen reports from my coworkers of this happening in connection with:

  • Updating Adobe Flash (v 11.5.502.135)
  • Uninstalling Java (v 6u38)

Unfortunately I don't have any more details about those two instances.

Attachment: symlog_tamper.txt (2.85 KB)
FbacchinZF's picture

I had the same issue and after inspecting the files (virustotal.com) I added a TAMPER exception for ADOBEARM.EXE process.
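
The thread raises the concern that an exception could hide a malicious file at the same path. The following is an added example, not part of any post above and not Symantec or Adobe code: a PowerShell check that can be run on a client before ADOBEARM.EXE is granted a Tamper Protection exception. The function name and the expected publisher string are assumptions, and `Get-FileHash` requires PowerShell 4.0 or later.

```powershell
param(
    # Path taken from the "Actor" field of the log quoted in the thread.
    [string]$Path = 'C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe',
    # Assumption: substring expected in the signer certificate's subject.
    [string]$ExpectedPublisher = 'Adobe'
)

# Hypothetical helper: reports signature state and hash for one binary.
function Test-ExceptionCandidate {
    param([string]$Path, [string]$ExpectedPublisher)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Authenticode status: Valid, NotSigned, HashMismatch, NotTrusted, ...
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    # SHA-256 for lookup in a reputation service or a known-good inventory.
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # A substring match on the subject is a coarse check; pin the certificate
    # thumbprint instead if your environment tracks it.
    $publisherOk = [bool]($subject -and ($subject -like "*$ExpectedPublisher*"))

    [pscustomobject]@{
        Path                = $Path
        SHA256              = $hash.Hash
        SignatureStatus     = $sig.Status
        SignerSubject       = $subject
        SignatureChecksPass = ($sig.Status -eq 'Valid') -and $publisherOk
    }
}

Test-ExceptionCandidate -Path $Path -ExpectedPublisher $ExpectedPublisher | Format-List
```

A result with `SignatureChecksPass` set to `False` means the file at that path is unsigned, modified, or signed by someone else, and should be investigated rather than excluded.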