Endpoint Protection

  • 1.  Tamper Protection alert for Adobe Updates

    Posted Aug 31, 2012 03:54 PM

    We have upgraded to SEP 12.1 RU1, and it seems that the file ADOBEARM.EXE is now causing lots of grief with SEP 12 (we were running SEP 11, and it was fine then). We have added a tamper protection exception for %[PROGRAM_FILES_COMMON]%\ADOBE\ARM\1.0\ADOBEARM.EXE, but alerts still pop up. Does Symantec eventually add safe files to definition updates so that this will stop? I'm not sure what we're missing to stop this from happening after having added the tamper exception.



  • 2.  RE: Tamper Protection alert for Adobe Updates

    Posted Aug 31, 2012 06:07 PM

    In order to make a tamper protection exception I would recommend following steps 1-13 under section How to create exclusions and exceptions for: Tamper Protection in the document below.

    http://www.symantec.com/docs/TECH194821
     



  • 3.  RE: Tamper Protection alert for Adobe Updates

    Posted Sep 01, 2012 04:17 AM

    Hi,

    Please find the below article

    http://www.symantec.com/business/support/index?page=content&id=TECH92553



  • 4.  RE: Tamper Protection alert for Adobe Updates

    Broadcom Employee
    Posted Sep 01, 2012 05:30 AM

    Let me know if this helps.

     

    What should I do when I get a Tamper Protection Alert?
    http://www.symantec.com/business/support/index?page=content&id=TECH97931

    How to Create Exceptions or Exclusions for Tamper Protection Alerts that have already been logged
    http://www.symantec.com/business/support/index?page=content&id=TECH92553

    Creating Tamper Protection Exception
    http://symantec.com/docs/HOWTO55213



  • 5.  RE: Tamper Protection alert for Adobe Updates

    Posted Jan 11, 2013 11:36 AM

    Hello,

    Has anyone determined why AdobeARM.exe actually causes this? I understand that setting an exception will cause SEP to overlook this file, but that becomes a hassle with large numbers of client machines (and possibly new files causing this in the future), and wouldn't that weaken the security of the system in question by allowing that file to be used maliciously and go undetected?

    Perhaps my questions would be more appropriate in an Adobe forum but maybe someone here has investigated it.



  • 6.  RE: Tamper Protection alert for Adobe Updates

    Broadcom Employee
    Posted Jan 11, 2013 11:48 AM

    Can you help by answering: what is the exact message? Is it related to memory or access to the registry of SEP?

    A screenshot might help.

     



  • 7.  RE: Tamper Protection alert for Adobe Updates

    Posted Jan 11, 2013 12:17 PM

    No screenshot, unfortunately. I do have the tamper protection log, which I'm attaching here. All the entries are identical, except for the Target and Target Process parameters.

    Action Taken: Logged

    Object Type: Process

    Event: Open

    Actor: C:\PROGRAM FILES\COMMON FILES\ADOBE\ARM\1.0\ADOBEARM.EXE

    Targets:

    • C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
    • C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\Smc.exe
    • C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\SavUI.exe

    Target Processes:

    • C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
    • C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\Smc.exe
    • C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\SavUI.exe

    I've also seen reports from my coworkers of this happening in connection with:

    • Updating Adobe Flash (v 11.5.502.135)
    • Uninstalling Java (v 6u38)

    Unfortunately I don't have any more details about those two instances.

    Attachment: symlog_tamper.txt (2 KB)


  • 8.  RE: Tamper Protection alert for Adobe Updates

    Posted May 23, 2013 02:23 PM

    I had the same issue and after inspecting the files (virustotal.com) I added a TAMPER exception for ADOBEARM.EXE process.
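
Added example, not part of any post in this thread and not Symantec code: a Python triage of Tamper Protection events that groups the SEP targets by actor and flags an actor whose file name matches the updater but whose directory does not, which is the case a name-only exception would miss. The record layout (taken from the field labels quoted in post 7), the third sample event and the `EXPECTED_DIR` table are assumptions constructed for illustration.

```python
import ntpath
from collections import defaultdict

# Constructed sample in the "Field: value" layout quoted in the thread; the
# attached symlog_tamper.txt itself is not shown, so this layout is an assumption.
SEP_BIN = r"C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin"
SAMPLE_LOG = "\n\n".join(
    f"Action Taken: Logged\nObject Type: Process\nEvent: Open\nActor: {actor}\nTarget: {SEP_BIN}\\{target}"
    for actor, target in [
        (r"C:\PROGRAM FILES\COMMON FILES\ADOBE\ARM\1.0\ADOBEARM.EXE", "ccSvcHst.exe"),
        (r"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe", "Smc.exe"),
        (r"C:\Users\Public\AdobeARM.exe", "Smc.exe"),  # same file name, wrong directory
    ]
)

# Assumption: the only directory the updater should run from (path from the thread).
EXPECTED_DIR = {"adobearm.exe": ntpath.normcase(r"C:\Program Files\Common Files\Adobe\ARM\1.0")}

def parse_events(text):
    """Turn blank-line-separated records into dicts of field name -> value."""
    events = []
    for record in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in record.splitlines() if ": " in line)
        if "Actor" in fields and "Target" in fields:
            events.append(fields)
    return events

def triage(events):
    """Group targets per actor path and flag actors outside their expected directory."""
    report = defaultdict(lambda: {"targets": set(), "expected_location": False})
    for ev in events:
        actor = ntpath.normcase(ev["Actor"].strip())  # Windows paths are case-insensitive
        directory, name = ntpath.split(actor)
        entry = report[actor]
        entry["targets"].add(ntpath.basename(ev["Target"].strip()))
        entry["expected_location"] = EXPECTED_DIR.get(name) == directory
    return dict(report)

if __name__ == "__main__":
    for actor, info in sorted(triage(parse_events(SAMPLE_LOG)).items()):
        verdict = "expected path" if info["expected_location"] else "REVIEW: unexpected path"
        print(f"{actor} -> {sorted(info['targets'])} [{verdict}]")
```

Run over logs collected from many clients, the same grouping shows which actors actually need an exception and which events deserve a closer look before one is created.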