
Tamper Protection Alerts are getting out of hand

Created: 16 Nov 2011 | 14 comments
Chuck Lavin's picture

Hi --

I have a Windows XP Pro SP3 PC running the SEP client v 12.1.671.4971. This PC spits out daily SEP Tamper Protection Alerts, sometimes several at a time, referencing just about any program that's run on the PC. It's even spat out alerts for the SmcGUI app itself.

We've checked the computer for viruses and malware using a variety of different programs. (SEP itself certifies the PC as being clean.) We've updated the SEP client -- I believe v 12.1.671.4971 is the update. If anything, the tamper protection alerts are increasing in frequency.

Apart from the major annoyance, we have a "boy who cried 'wolf'" situation going on. The user simply dismisses the alert window without bothering to look at it anymore.

How do I correct this problem?

Thanks

14 Comments

anup_Kothurkar's picture

Can you please post a screenshot of the Tamper Protection Alert?

Chuck Lavin's picture

The latest one is attached. Of the 3 warnings queued up in that dialog, 2 reference Internet Explorer and 1 references the Logitech mouse software.

Past warnings have referenced Microsoft Word, Excel, Outlook, Expression Web, and Publisher; CorelDRAW and Corel PhotoPAINT; several components of SEP itself; Firefox; Century's TinyTERM; FileZilla; Quickbooks; Microsoft ActiveSync; PHPEdit; TextPad -- just about every program that's used with any regularity on this PC.

 

Thanks

CL
 

[Attachment: sep alert.JPG]
Chuck Lavin's picture

Here we go again ...

 

This time it piled up 6 notifications:

 

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info:  Open Process
Action Taken:  Logged
Actor Process:  D:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\OUTLOOK.EXE (PID 4332)
Time:  Monday, November 21, 2011  8:28:54 AM

 

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SavUI.exe
Event Info:  Open Process
Action Taken:  Logged
Actor Process:  E:\PROGRAM FILES\LOGITECH\SETPOINTP\SETPOINT.EXE (PID 3140)
Time:  Monday, November 21, 2011  8:28:56 AM

 

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info:  Open Process
Action Taken:  Logged
Actor Process:  D:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\OUTLOOK.EXE (PID 4332)
Time:  Monday, November 21, 2011  8:28:54 AM

 

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info:  Open Process
Action Taken:  Logged
Actor Process:  C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE (PID 6340)
Time:  Monday, November 21, 2011  8:29:07 AM

 

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info:  Open Process
Action Taken:  Logged
Actor Process:  C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE (PID 6340)
Time:  Monday, November 21, 2011  8:29:07 AM

 

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SavUI.exe
Event Info:  Open Process
Action Taken:  Logged
Actor Process:  D:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\OUTLOOK.EXE (PID 4332)
Time:  Monday, November 21, 2011  8:29:15 AM

[Attachment: sep alert 2.jpg]
anup_Kothurkar's picture

Can you try creating a Tamper Protection exception for these files on the Symantec Endpoint Protection Manager?

Chuck Lavin's picture

What do you want me to do -- create daily exceptions for every program this PC runs? Today's alerts included warnings on Firefox, Photoshop and Adobe Reader in addition to other "usual suspects."

A security program that repeatedly alerts day in and day out for no immediately obvious reason is just as useless as no security program at all. Obviously there's something going on with this PC -- I don't have complaints of this problem on other PCs in this office. But I've run out of ideas here. I've extensively tested this PC for viruses, Trojans, rootkits and similar nasties using a whole fleet of programs. SEP was reinstalled on this PC. Then SEP was upgraded on this PC. According to everything we've checked, SEP is the only security program running on this PC -- and this includes the Windows Firewall, which shows that it is off per server policy. SEP shows everything green and up to date (see attached screencap). How do I troubleshoot this from this point (and fix this)?

Thanks
CL
 

[Attachment: SEP screencap 3.JPG]
Chuck Lavin's picture

Now the PC is throwing BSODs -- two this week, seemingly at random. When the computer recovers, it blames the antivirus program for the crash. See image attached.

 

This time, when Windows opened IE to display the crash analysis page, a SEP Tamper Protection Alert screen popped up citing IE.

[Attachment: ms error rpt.JPG]
Chuck Lavin's picture

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.101209-1647
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Wed Nov 23 08:30:26.286 2011 (UTC - 5:00)
System Uptime: 1 days 23:40:13.187
Loading Kernel Symbols
...............................................................
................................................................
......................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd500c).  Type ".hh dbgerr001" for details
Loading unloaded module list
...............................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {e1407000, 0, 8a8023de, 1}

*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Probably caused by : SYMEVENT.SYS ( SYMEVENT+14b09 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e1407000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 8a8023de, If non-zero, the instruction address which referenced the bad memory
    address.
Arg4: 00000001, (reserved)

Debugging Details:
------------------

READ_ADDRESS:  e1407000 Paged pool

FAULTING_IP:
+47a2faf03a4dfc0
8a8023de 668b08          mov     cx,word ptr [eax]

MM_INTERNAL_CODE:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  Standby.exe

TRAP_FRAME:  9a6fe920 -- (.trap 0xffffffff9a6fe920)
ErrCode = 00000000
eax=e1407000 ebx=00000000 ecx=e1e60074 edx=e1406f00 esi=8a809940 edi=00000001
eip=8a8023de esp=9a6fe994 ebp=9a6feb1c iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
8a8023de 668b08          mov     cx,word ptr [eax]        ds:0023:e1407000=????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 8052039a to 804f9f43

STACK_TEXT:  
9a6fe8a0 8052039a 00000050 e1407000 00000000 nt!KeBugCheckEx+0x1b
9a6fe908 805445f0 00000000 e1407000 00000000 nt!MmAccessFault+0x9a8
9a6fe908 8a8023de 00000000 e1407000 00000000 nt!KiTrap0E+0xd0
WARNING: Frame IP not in any known module. Following frames may be wrong.
9a6feb1c 805d00f4 893b6808 00002b94 9a6feb5c 0x8a8023de
9a6feb3c 805b1455 893b6808 00002b94 9a6feb5c nt!PsCallImageNotifyRoutines+0x36
9a6feb84 805b1f32 883541d8 55a20000 9a6fec54 nt!MiMapViewOfImageSection+0x4c1
9a6febe0 805b22f7 00000004 8868be90 9a6fec54 nt!MmMapViewOfSection+0x13c
9a6fec70 ad6c0b09 00000104 ffffffff 015cf4dc nt!NtMapViewOfSection+0x2bd
9a6fed34 8054167c 00000104 ffffffff 015cf4dc SYMEVENT+0x14b09
9a6fed34 00000023 00000104 ffffffff 015cf4dc nt!KiFastCallEntry+0xfc
00000000 00000000 00000000 00000000 00000000 0x23

STACK_COMMAND:  kb

FOLLOWUP_IP:
SYMEVENT+14b09
ad6c0b09 e96e020000      jmp     SYMEVENT+0x14d7c (ad6c0d7c)

SYMBOL_STACK_INDEX:  8

SYMBOL_NAME:  SYMEVENT+14b09

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: SYMEVENT

IMAGE_NAME:  SYMEVENT.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4dc2165d

FAILURE_BUCKET_ID:  0x50_SYMEVENT+14b09

BUCKET_ID:  0x50_SYMEVENT+14b09

Followup: MachineOwner
---------
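
As an added example that is not part of this thread, the Python below reads the kind of "!analyze -v" text posted above: it decodes the stop 0x50 arguments exactly as the posted text defines them (referenced address, read/write flag, faulting instruction address), then walks STACK_TEXT to report how the faulting address appears on the stack, which frame called it, and the first frame attributed to a module other than nt. The excerpt it runs on is constructed and abridged from the output above.

```python
import re

# Constructed, abridged excerpt of the "!analyze -v" output posted in this thread.
SAMPLE_ANALYSIS = """\
BugCheck 50, {e1407000, 0, 8a8023de, 1}
STACK_TEXT:
9a6fe8a0 8052039a 00000050 e1407000 00000000 nt!KeBugCheckEx+0x1b
9a6fe908 8a8023de 00000000 e1407000 00000000 nt!KiTrap0E+0xd0
WARNING: Frame IP not in any known module. Following frames may be wrong.
9a6feb1c 805d00f4 893b6808 00002b94 9a6feb5c 0x8a8023de
9a6feb3c 805b1455 893b6808 00002b94 9a6feb5c nt!PsCallImageNotifyRoutines+0x36
9a6fec70 ad6c0b09 00000104 ffffffff 015cf4dc nt!NtMapViewOfSection+0x2bd
9a6fed34 8054167c 00000104 ffffffff 015cf4dc SYMEVENT+0x14b09
00000000 00000000 00000000 00000000 00000000 0x23
"""

def parse_bugcheck(text):
    """Decode 'BugCheck NN, {a1, a2, a3, a4}'; for stop 0x50 the posted text defines the
    arguments as: referenced address, 0=read/1=write, faulting instruction address, reserved."""
    m = re.search(r"BugCheck ([0-9a-f]+), \{([^}]*)\}", text, re.I)
    code, args = int(m.group(1), 16), [int(a, 16) for a in m.group(2).split(",")]
    info = {"code": code, "args": args}
    if code == 0x50:
        info.update(address=args[0], access="write" if args[1] else "read", ip=args[2])
    return info

def stack_frames(text):
    """Symbol column of every STACK_TEXT line, callee first, up to the next blank line."""
    frames, in_stack = [], False
    for line in text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack and not line.strip():
            break
        elif in_stack and not line.startswith("WARNING"):
            frames.append(line.split()[-1])
    return frames

def module_of(symbol):
    """'nt!Foo+0x1b' -> 'nt', 'SYMEVENT+0x14b09' -> 'SYMEVENT'; a bare address has no module."""
    return None if symbol.startswith("0x") else re.split(r"[!+]", symbol, maxsplit=1)[0]

def triage(text):
    """Stop 0x50 triage: faulting IP as shown on the stack (a bare address means no loaded module owns it), its caller, first non-kernel module."""
    bc, frames = parse_bugcheck(text), stack_frames(text)
    ip = f"0x{bc['ip']:08x}"
    caller = frames[frames.index(ip) + 1] if ip in frames else None
    non_nt = [m for m in (module_of(f) for f in frames) if m not in (None, "nt")]
    return {"access": bc["access"], "address": f"0x{bc['address']:08x}", "called_from": caller,
            "faulting_ip_on_stack_as": ip if ip in frames else None, "first_non_kernel_module": non_nt[0] if non_nt else None}
```

On the excerpt above, the faulting address 0x8a8023de shows up only as a bare address, called from nt!PsCallImageNotifyRoutines, with SYMEVENT as the first non-kernel frame, which is the same picture the "Probably caused by" line gives.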

sandra.g's picture

Chuck,

Tamper Protection was definitely beefed up for 12.1, including protecting Symantec registry entries and support for 64-bit OSes, but what you're seeing on this machine definitely seems excessive. Each alert means actions taken by the actor process (Photoshop?! I'm as astonished as you are) are being interpreted as an attempt to touch the Symantec process / registry values.

Is there anything about this system that sets it apart--hardware, OS (32-vs-64-bit), applications installed?

There is a newer version of SEP that has just been released, 12.1.1000 (12.1, Release Update 1). Is it possible to upgrade this machine alone to this build to see if the issue abates? Barring that I'd definitely suggest opening a case for further investigation, especially if the 'PAGE_FAULT_IN_NONPAGED_AREA (50)' continues.

From the analysis you listed above--what's standby.exe? A quick search suggests it's a part of Corel PSP...

READ_ADDRESS:  e1407000 Paged pool
FAULTING_IP:
+47a2faf03a4dfc0
8a8023de 668b08          mov     cx,word ptr [eax]
MM_INTERNAL_CODE:  1
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0x50
PROCESS_NAME:  Standby.exe

sandra

Symantec, Information Developer
Installation, Migration, Deployment and Patching
User Protection & Productivity, Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps

Chuck Lavin's picture

Hi

There's nothing extraordinary about this PC. It is a 32-bit Windows XP Pro SP3 box. AMD Phenom II X2 550 processor with 3 GB of RAM. 2 TB total drive space. The computer runs the standard Microsoft Office complement of software, in addition to programs for graphics and Web design and programming.

CL
 

Chuck Lavin's picture

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info:  Open Process
Action Taken:  Logged
Actor Process:  C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE (PID 4356)
Time:  Friday, November 25, 2011  8:16:51 AM

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SavUI.exe
Event Info:  Open Process
Action Taken:  Logged
Actor Process:  E:\PROGRAM FILES\LOGITECH\SETPOINTP\SETPOINT.EXE (PID 2896)
Time:  Friday, November 25, 2011  8:16:51 AM

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info:  Open Process
Action Taken:  Logged
Actor Process:  D:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE (PID 3944)
Time:  Friday, November 25, 2011  8:20:56 AM

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SavUI.exe
Event Info:  Open Process
Action Taken:  Logged
Actor Process:  D:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE (PID 3944)
Time:  Friday, November 25, 2011  8:20:56 AM

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info:  Open Process
Action Taken:  Logged
Actor Process:  C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE (PID 5192)
Time:  Friday, November 25, 2011  8:22:35 AM

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SavUI.exe
Event Info:  Open Process
Action Taken:  Logged
Actor Process:  C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE (PID 5192)
Time:  Friday, November 25, 2011  8:22:35 AM

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info:  Open Process
Action Taken:  Logged
Actor Process:  C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE (PID 2708)
Time:  Friday, November 25, 2011  8:25:03 AM

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SavUI.exe
Event Info:  Open Process
Action Taken:  Logged
Actor Process:  C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE (PID 2708)
Time:  Friday, November 25, 2011  8:25:03 AM

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info:  Open Process
Action Taken:  Logged
Actor Process:  C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE (PID 2580)
Time:  Friday, November 25, 2011  8:25:33 AM

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SavUI.exe
Event Info:  Open Process
Action Taken:  Logged
Actor Process:  C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE (PID 2580)
Time:  Friday, November 25, 2011  8:25:33 AM

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info:  Open Process
Action Taken:  Logged
Actor Process:  C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE (PID 5276)
Time:  Friday, November 25, 2011  8:28:09 AM

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SavUI.exe
Event Info:  Open Process
Action Taken:  Logged
Actor Process:  C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE (PID 5276)
Time:  Friday, November 25, 2011  8:28:09 AM
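
As an added example that is not part of this thread, here is a small Python triage script for alert text in the Target / Event Info / Action Taken / Actor Process / Time layout pasted above: it parses the blocks, drops exact repeats (the dialog earlier in the thread queued the same Outlook event twice), and counts distinct alerts per actor executable and per SEP binary touched, so the noisiest actor stands out before any exception is considered. The sample alerts are constructed from the ones posted here.

```python
import ntpath, re
from collections import Counter, defaultdict

# Constructed sample in the layout of the alert text quoted above; blocks 1 and 2 are exact repeats.
SAMPLE_ALERTS = r"""Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info:  Open Process
Action Taken:  Logged
Actor Process:  D:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\OUTLOOK.EXE (PID 4332)
Time:  Monday, November 21, 2011  8:28:54 AM

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info:  Open Process
Action Taken:  Logged
Actor Process:  D:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\OUTLOOK.EXE (PID 4332)
Time:  Monday, November 21, 2011  8:28:54 AM

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SavUI.exe
Event Info:  Open Process
Action Taken:  Logged
Actor Process:  C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE (PID 6340)
Time:  Monday, November 21, 2011  8:29:07 AM
"""

ACTOR_RE = re.compile(r"^(?P<path>.+) \(PID (?P<pid>\d+)\)$")

def parse_alerts(text):
    """One dict per blank-line-separated block; lines split on the first ':' only so drive-letter paths survive."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict((k.strip(), v.strip()) for k, _, v in
                      (ln.partition(":") for ln in block.splitlines()))
        m = ACTOR_RE.match(fields.get("Actor Process", ""))
        if m and "Target" in fields:  # skip blocks without a parseable actor rather than guess
            alerts.append({"actor": m["path"], "pid": int(m["pid"]), "target": fields["Target"],
                           "event": fields.get("Event Info"), "action": fields.get("Action Taken"), "time": fields.get("Time")})
    return alerts

def dedupe(alerts):
    """Drop exact repeats (same actor PID, target, event and time) that the dialog queued twice."""
    seen = {}
    for a in alerts:
        seen.setdefault((a["actor"], a["pid"], a["target"], a["event"], a["time"]), a)
    return list(seen.values())

def summarize(alerts):
    """Distinct alerts per actor executable, broken down by the SEP binary it opened."""
    by_actor = defaultdict(Counter)
    for a in dedupe(alerts):
        by_actor[ntpath.basename(a["actor"]).upper()][ntpath.basename(a["target"])] += 1
    return {actor: dict(c) for actor, c in by_actor.items()}
```

Note that every sample alert carries "Action Taken: Logged", i.e. the access was recorded and not blocked, which is what the summary is counting.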

sandra.g's picture

From the 23rd:

There is a newer version of SEP that has just been released, 12.1.1000 (12.1, Release Update 1). Is it possible to upgrade this machine alone to this build to see if the issue abates? Barring that I'd definitely suggest opening a case for further investigation, especially if the 'PAGE_FAULT_IN_NONPAGED_AREA (50)' continues.

Also, what is standby.exe associated with? Is there another real-time scanner of some kind on this machine?

I'd suggest opening a case so that a tech can examine the details of a Support Tool data grab.

sandra
