Tamper Protection Alerts are getting out of hand
Hi --
I have a Windows XP Pro SP3 PC running the SEP client v 12.1.671.4971. This PC spits out daily SEP Tamper Protection Alerts, sometimes several at a time, referencing just about any program that's run on the PC. It's even spat out alerts for the SmcGUI app itself.
We've checked the computer for viruses and malware using a variety of different programs. (SEP itself certifies the PC as being clean.) We've updated the SEP client -- I believe v 12.1.671.4971 is the update. If anything, the tamper protection alerts are increasing in frequency.
Apart from the major annoyance, we have a "boy who cried 'wolf'" situation going on. The user simply dismisses the alert window without bothering to look at it anymore.
How do I correct this problem?
Thanks
Log on to SEPM and uncheck the tamper protection notification.
Regards
Sayan
http://www.symantec.com/business/support/index?page=products&locale=en_us
Can you please post a screenshot of the Tamper Protection Alert?
The latest one is attached. Of the 3 warnings queued up in that dialog, 2 reference Internet Explorer and 1 references the Logitech mouse software.
Past warnings have referenced Microsoft Word, Excel, Outlook, Expression Web, and Publisher; CorelDRAW and Corel PhotoPAINT; several components of SEP itself; Firefox; Century's TinyTERM; FileZilla; Quickbooks; Microsoft ActiveSync; PHPEdit; TextPad -- just about every program that's used with any regularity on this PC.
Thanks
CL
Here we go again ...
This time it piled up 6 notifications:
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: D:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\OUTLOOK.EXE (PID 4332)
Time: Monday, November 21, 2011 8:28:54 AM
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SavUI.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: E:\PROGRAM FILES\LOGITECH\SETPOINTP\SETPOINT.EXE (PID 3140)
Time: Monday, November 21, 2011 8:28:56 AM
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: D:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\OUTLOOK.EXE (PID 4332)
Time: Monday, November 21, 2011 8:28:54 AM
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE (PID 6340)
Time: Monday, November 21, 2011 8:29:07 AM
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE (PID 6340)
Time: Monday, November 21, 2011 8:29:07 AM
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SavUI.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: D:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\OUTLOOK.EXE (PID 4332)
Time: Monday, November 21, 2011 8:29:15 AM
Can you try creating a Tamper Protection exception for these files in Symantec Endpoint Protection Manager?
What do you want me to do -- create daily exceptions for every program this PC runs? Today's alerts included warnings on Firefox, Photoshop and Adobe Reader in addition to other "usual suspects."
A security program that repeatedly alerts day in and day out for no immediately obvious reason is just as useless as no security program at all. Obviously there's something going on with this PC -- I don't have complaints of this problem on other PCs in this office. But I've run out of ideas here. I've extensively tested this PC for viruses, Trojans, rootkits and similar nasties using a whole fleet of programs. SEP was reinstalled on this PC. Then SEP was upgraded on this PC. According to everything we've checked, SEP is the only security program running on this PC -- and this includes the Windows Firewall, which shows that it is off per server policy. SEP shows everything green and up to date (see attached screencap). How do I troubleshoot this from this point (and fix this)?
Thanks
CL
Now the PC is throwing BSODs -- two this week, seemingly at random. When the computer recovers, it blames the antivirus program for the crash. See image attached.
This time, when Windows opened IE to display the crash analysis page, a SEP Tamper Protection Alert screen popped up citing IE.
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.101209-1647
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Wed Nov 23 08:30:26.286 2011 (UTC - 5:00)
System Uptime: 1 days 23:40:13.187
Loading Kernel Symbols
...............................................................
................................................................
......................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd500c). Type ".hh dbgerr001" for details
Loading unloaded module list
...............................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 50, {e1407000, 0, 8a8023de, 1}
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Probably caused by : SYMEVENT.SYS ( SYMEVENT+14b09 )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e1407000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 8a8023de, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000001, (reserved)
Debugging Details:
------------------
READ_ADDRESS: e1407000 Paged pool
FAULTING_IP:
+47a2faf03a4dfc0
8a8023de 668b08 mov cx,word ptr [eax]
MM_INTERNAL_CODE: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: Standby.exe
TRAP_FRAME: 9a6fe920 -- (.trap 0xffffffff9a6fe920)
ErrCode = 00000000
eax=e1407000 ebx=00000000 ecx=e1e60074 edx=e1406f00 esi=8a809940 edi=00000001
eip=8a8023de esp=9a6fe994 ebp=9a6feb1c iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
8a8023de 668b08 mov cx,word ptr [eax] ds:0023:e1407000=????
Resetting default scope
LAST_CONTROL_TRANSFER: from 8052039a to 804f9f43
STACK_TEXT:
9a6fe8a0 8052039a 00000050 e1407000 00000000 nt!KeBugCheckEx+0x1b
9a6fe908 805445f0 00000000 e1407000 00000000 nt!MmAccessFault+0x9a8
9a6fe908 8a8023de 00000000 e1407000 00000000 nt!KiTrap0E+0xd0
WARNING: Frame IP not in any known module. Following frames may be wrong.
9a6feb1c 805d00f4 893b6808 00002b94 9a6feb5c 0x8a8023de
9a6feb3c 805b1455 893b6808 00002b94 9a6feb5c nt!PsCallImageNotifyRoutines+0x36
9a6feb84 805b1f32 883541d8 55a20000 9a6fec54 nt!MiMapViewOfImageSection+0x4c1
9a6febe0 805b22f7 00000004 8868be90 9a6fec54 nt!MmMapViewOfSection+0x13c
9a6fec70 ad6c0b09 00000104 ffffffff 015cf4dc nt!NtMapViewOfSection+0x2bd
9a6fed34 8054167c 00000104 ffffffff 015cf4dc SYMEVENT+0x14b09
9a6fed34 00000023 00000104 ffffffff 015cf4dc nt!KiFastCallEntry+0xfc
00000000 00000000 00000000 00000000 00000000 0x23
STACK_COMMAND: kb
FOLLOWUP_IP:
SYMEVENT+14b09
ad6c0b09 e96e020000 jmp SYMEVENT+0x14d7c (ad6c0d7c)
SYMBOL_STACK_INDEX: 8
SYMBOL_NAME: SYMEVENT+14b09
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: SYMEVENT
IMAGE_NAME: SYMEVENT.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 4dc2165d
FAILURE_BUCKET_ID: 0x50_SYMEVENT+14b09
BUCKET_ID: 0x50_SYMEVENT+14b09
Followup: MachineOwner
---------
Chuck,
Tamper Protection was definitely beefed up for 12.1, including protecting Symantec registry entries and support for 64-bit OSes, but what you're seeing on this machine definitely seems excessive. Each alert means actions taken by the actor process (Photoshop?! I'm as astonished as you are) are being interpreted as an attempt to touch the Symantec process / registry values.
Is there anything about this system that sets it apart--hardware, OS (32-vs-64-bit), applications installed?
There is a newer version of SEP that has just been released, 12.1.1000 (12.1, Release Update 1). Is it possible to upgrade this machine alone to this build to see if the issue abates? Barring that I'd definitely suggest opening a case for further investigation, especially if the 'PAGE_FAULT_IN_NONPAGED_AREA (50)' continues.
From the analysis you listed above--what's standby.exe? A quick search suggests it's a part of Corel PSP...
sandra
Symantec, Information Development, IMDP
Symantec Endpoint Protection / Core Security Engineering Group
Don't forget to mark your thread as 'solved' with the answer that best helped you!
Hi
There's nothing extraordinary about this PC. It is a 32-bit Windows XP Pro SP3 box. AMD Phenom II X2 550 processor with 3 GB of RAM. 2 TB total drive space. The computer runs the standard Microsoft Office complement of software, in addition to programs for graphics and Web design and programming.
CL
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE (PID 4356)
Time: Friday, November 25, 2011 8:16:51 AM
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SavUI.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: E:\PROGRAM FILES\LOGITECH\SETPOINTP\SETPOINT.EXE (PID 2896)
Time: Friday, November 25, 2011 8:16:51 AM
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: D:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE (PID 3944)
Time: Friday, November 25, 2011 8:20:56 AM
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SavUI.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: D:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE (PID 3944)
Time: Friday, November 25, 2011 8:20:56 AM
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE (PID 5192)
Time: Friday, November 25, 2011 8:22:35 AM
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SavUI.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE (PID 5192)
Time: Friday, November 25, 2011 8:22:35 AM
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE (PID 2708)
Time: Friday, November 25, 2011 8:25:03 AM
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SavUI.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE (PID 2708)
Time: Friday, November 25, 2011 8:25:03 AM
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE (PID 2580)
Time: Friday, November 25, 2011 8:25:33 AM
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SavUI.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE (PID 2580)
Time: Friday, November 25, 2011 8:25:33 AM
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE (PID 5276)
Time: Friday, November 25, 2011 8:28:09 AM
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SavUI.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE (PID 5276)
Time: Friday, November 25, 2011 8:28:09 AM
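A triage aid, added here and not part of the thread or of Symantec's tooling: it parses dialog text in the format quoted above (a constructed sample built from entries in this thread), groups alerts by actor image and PID, and reports how many SEP binaries each actor opened and over how many seconds, so the pattern on this PC (one sweep that opens every process versus repeated probing) can be compared with a PC that does not alert.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample in the layout of the SEP Tamper Protection dialog quoted in the thread.
SAMPLE_ALERTS = r"""
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE (PID 5192)
Time: Friday, November 25, 2011 8:22:35 AM
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SavUI.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE (PID 5192)
Time: Friday, November 25, 2011 8:22:35 AM
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: D:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE (PID 3944)
Time: Friday, November 25, 2011 8:20:56 AM
"""

def parse_alerts(text):
    """One dict per alert; each 'Target:' line starts a new five-line record."""
    alerts, current = [], {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(": ")
        if key == "Target" and current:  # flush the previous record
            alerts.append(current)
            current = {}
        current[key] = value.strip()
    alerts.append(current)
    for a in alerts:  # split "path (PID n)" and parse the dialog's Time line
        path, pid = re.match(r"^(.+?) \(PID (\d+)\)$", a["Actor Process"]).groups()
        a["actor_path"], a["pid"] = path, int(pid)
        a["when"] = datetime.strptime(a["Time"], "%A, %B %d, %Y %I:%M:%S %p")
    return alerts

def summarize(alerts):
    """Per (actor image, PID): alert count, SEP binaries touched, seconds from first to
    last hit. Span 0 over several targets means one sweep that opened every process."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["actor_path"], a["pid"])].append(a)
    summary = {}
    for key, hits in groups.items():
        times = sorted(h["when"] for h in hits)
        summary[key] = {"count": len(hits), "span_seconds": int((times[-1] - times[0]).total_seconds()),
                        "targets": sorted({h["Target"].rsplit("\\", 1)[-1] for h in hits})}
    return summary
```

Paste the full text of a day's notifications into SAMPLE_ALERTS (or read it from a file) and compare the per-actor counts and target lists with the same applications on a PC that does not alert.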
Is there anybody out there?
From the 23rd:
There is a newer version of SEP that has just been released, 12.1.1000 (12.1, Release Update 1). Is it possible to upgrade this machine alone to this build to see if the issue abates? Barring that I'd definitely suggest opening a case for further investigation, especially if the 'PAGE_FAULT_IN_NONPAGED_AREA (50)' continues.
Also, what is standby.exe associated with? Is there another real-time scanner of some kind on this machine?
I'd suggest opening a case so that a tech can examine the details of a Support Tool data grab.
sandra
Symantec, Information Development, IMDP
Symantec Endpoint Protection / Core Security Engineering Group
Don't forget to mark your thread as 'solved' with the answer that best helped you!
I'm getting the same issue, any help?