
Tamper protection exception

Created: 17 Oct 2012 | 12 comments

Hello,

How do I prevent sylink.xml from being protected by Tamper Protection?

We need to update the file, but Tamper Protection is enabled and we don't want to disable it.

An exception on the file does not work...

Thanks in advance

Ashish-Sharma:

Hi,

Check this article:

Tamper Protection Exceptions appear not to be working in SEP 12.1

http://www.symantec.com/business/support/index?page=content&id=TECH178526

Close and re-open the excluded application, or reboot the machine if the excluded executable is a service or other constantly running process.

If a reboot of the machine still does not allow the exclusion to take effect, please see article: TECH171057

Thanks in advance

Ashish Sharma

.Brian:

Reboot the machine.

What version of SEP are you on?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

greg12:

On how many clients do you want to change sylink.xml?

If it's just a small number, try to implement the new sylink.xml by means of the client GUI:

Help > Troubleshooting > Management > Import

Then select sylink.xml. After a few seconds, the client gets the new settings.

This method requires SEP 12.1 clients. On SEP 11 clients, it can only convert unmanaged to managed clients. In this case you have to use the sylinkdrop tool (see SEP 11 CD 2\Tools\NoSupport\SylinkDrop).

Mithun Sanghavi:

Hello,

Is there any particular reason you would like only sylink.xml to be excluded from Tamper Protection?

In SEP 12.1, Tamper Protection prevents direct modification of Symantec files.

Tamper Protection provides real-time protection for Symantec applications that run on servers and clients. It prevents non-Symantec processes such as worms, Trojan horses, viruses, and security risks from affecting Symantec resources. You can configure the software to block or log attempts to modify Symantec resources.

Check this Article:

About Tamper Protection http://www.symantec.com/docs/HOWTO55267

How to verify Tamper Protection Exclusions in Symantec Endpoint Protection

http://www.symantec.com/docs/HOWTO59127

In case you are looking to change the Sylink.xml files on a number of machines and you do not want to disable Tamper Protection, then why not use the SylinkReplacer for SEP 12.1?

The SylinkReplacer for SEP 12.1 utility is available from Symantec Technical Support.

You can log a case on the web portal to receive the tool.

How to create a new case in MySupport

http://www.symantec.com/business/support/index?page=content&id=TECH58873

Phone numbers to contact Tech Support:

Regional Support Telephone Numbers:

United States: 800-342-0652 (407-357-7600 from outside the United States)
Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
United Kingdom: +44 (0) 870 606 6000

Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

iamadmin:

Hi Xtof,

Yes, I don't believe you can throw a Tamper Protection exception on an XML file; I believe it needs to be an executable.

The program I wrote to replace the Sylink.xml file on SEP 11 and SEP 12.1 clients uses a batch file to determine the version of SEP currently running, and then installs the new Sylink file with either SylinkDrop v1.1 or v1.2.

See the basic logic below:

    If ProductVersion < "12.0.0.0" Then
        SylinkDrop11.exe NewSylink.xml
    Else
        SylinkDrop12.exe NewSylink.xml
    End If

I have to use both SylinkDrop versions because, sadly, v1.2 is not backwards compatible.

For those wondering, there are a few reasons we replace the Sylink file.

1) Moving machines between different network partitions (different sets of SEPMs on each partition)

2) Server failures where you need to redirect (via startup scripts) lots of machines to a new SEPM. Disaster Recovery has never worked reliably for us... replacing the Sylink file does.

3) Quickly moving machines between development and production SEPMs.

4) Quickly moving SEP 11 machines to a new SEP 12.1 server.

Just my .02...

Hope this helps,

-Mike
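Mike's version dispatch above, as an added PowerShell example that is not his batch file or a Symantec tool: the registry key, the share path and the SylinkDrop file names (the post writes "SylinkDrop12" without an extension) are placeholders or assumptions, and the command line is taken from his pseudocode. It compares versions numerically rather than as strings and refuses to push a missing or malformed sylink.xml.

```powershell
# Added example (not Mike's script): pick the SylinkDrop build that matches the
# installed SEP client, using a real [version] comparison instead of a string one.
# ASSUMPTIONS (placeholders, not values from the thread):
#   $RegPath - registry key holding the SEP client's ProductVersion value
#   $ToolDir - folder (local or UNC share) holding SylinkDrop11.exe / SylinkDrop12.exe
param(
    [string]$NewSylink = '.\NewSylink.xml',
    [string]$ToolDir   = '\\FILESERVER\Tools\SylinkDrop',  # placeholder
    [string]$RegPath   = 'HKLM:\SOFTWARE\<SEP_CLIENT_KEY>'   # placeholder
)

function Get-SepProductVersion {
    # Returns a [version], or $null when SEP is not installed or the value is absent/unparseable.
    $v = (Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue).ProductVersion
    if (-not $v) { return $null }
    try { return [version]$v } catch { return $null }
}

function Select-SylinkDropTool([version]$Version) {
    # v1.1 for 11.x clients, v1.2 for 12.0 and later (Mike: v1.2 is not backwards compatible).
    # Numeric comparison: "9.0.0.0" < "12.0.0.0" here, whereas a string compare would say otherwise.
    if ($Version -lt [version]'12.0.0.0') { 'SylinkDrop11.exe' } else { 'SylinkDrop12.exe' }
}

function Test-SylinkFile([string]$Path) {
    # Refuse to push a missing or malformed file to clients; a bad sylink.xml leaves them unmanaged.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try { [xml](Get-Content -LiteralPath $Path -Raw) | Out-Null; return $true } catch { return $false }
}

$ver = Get-SepProductVersion
if (-not $ver) { Write-Error "SEP client version not found under $RegPath"; exit 2 }
if (-not (Test-SylinkFile $NewSylink)) { Write-Error "$NewSylink missing or not well-formed XML"; exit 3 }

$tool = Join-Path $ToolDir (Select-SylinkDropTool $ver)
if (-not (Test-Path -LiteralPath $tool)) { Write-Error "Tool not found: $tool"; exit 4 }

Write-Host "SEP $ver detected; running $tool"
# Command line mirrors the thread's 'SylinkDropNN.exe NewSylink.xml'; any extra switches are an assumption.
$p = Start-Process -FilePath $tool -ArgumentList "`"$NewSylink`"" -Wait -PassThru -NoNewWindow
exit $p.ExitCode
```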

Xtof:

Thanks for your help.

I use a VBScript to move clients to a new infrastructure. It is run remotely on the client. That's why I don't use SylinkDrop; I just stop the services and copy sylink.xml. So I am trying to find which exception to add (which exe is copying the file...).

Regards

iamadmin:

With SEP 11, I used the same method as you...

stop the service

replace the file

restart the service

SEP 12.1 and Tamper Protection don't make that as easy. That is why I moved to SylinkDrop; it works every time, even if Tamper Protection is enabled.

Maybe you could put SylinkDrop on a network share on the remote site/machine and call it via your VBScript? It should work just as well as running it locally.

I can see why Symantec made it tougher to replace the Sylink file with SEP 12.1. If a bad guy were to replace the Sylink file and redirect all the machines in the environment to tainted SEPM's, the outcome could be disastrous.

Good luck!

-Mike

A. Wesker:

Hello Xtof,

I'm sincerely sorry, but unfortunately this type of information is highly and strictly internal to Symantec Support, for a very simple reason.

If we provided a way to change a file or registry entries related to Symantec Endpoint Protection 12.1 without having to deactivate Tamper Protection manually from the SEPM Console, or directly on the SEP client by running it with Administrator privileges, it would mean that we were providing a way to completely break the security of our product.

In more detail, it would mean that we were providing a way to make Tamper Protection completely "useless" and thus make Symantec Endpoint Protection 12.1 more vulnerable, which is clearly not the goal of releasing this new build of our product.

These changes to Tamper Protection in SEP 12.1 are also the reason why we strongly encourage all our customers not to stay any longer on older versions of Symantec Endpoint Protection. These changes were made to slightly reduce the potential vulnerabilities of the product.

In the end, it is the security of the machines of all our customers using SEP 12.1 that would be compromised if we revealed a way to break this security self-enforcement in SEP 12.1.

The .exe and process related to Tamper Protection are hidden by design; you cannot see them even if you run, for example, a tasklist /m command for an .exe or .dll SEP 12.1 file, no matter which user account on your system you run this command with.

Example: if you run tasklist /m sylink.dll you will probably see some SEP processes, but you will not see the process linked to Tamper Protection, which ultimately locks this file like many other Symantec Endpoint Protection files and registry entries.

What I would sincerely recommend, if you wish to change the communication settings remotely without having to temporarily deactivate Tamper Protection from the SEPM Console, is to wait for Symantec Endpoint Protection 12.1 RU2, which will be available very soon.

In this new version, there will be a new feature included on the SEPM Console in order to change/update the communication settings of the SEP clients (managed or unmanaged) remotely.

This new feature is really useful as it will support all languages, whereas at this time the Sylink Replacer 12.1 that we have as an internal tool, available on request to our customers, works only with English/UK/US/AUS AD environments.

Kind Regards,

A. Wesker

iamadmin:

"In this new version, there will be a new feature included on the SEPM Console in order to change/to update the communication settings of the SEP clients (managed or unmanaged) remotely."

WUHOOO!!!!

I'll sure be glad to get out of the Sylink swapping business!!!!!!

Thanks for the followup A. Wesker

-Mike

A. Wesker:

A pleasure, Mike.

Kind Regards,

A. Wesker

Sumit G:

Follow these steps.

Please do the following:

  1. Open the Symantec Endpoint Protection Manager.
  2. Click the Clients tab.
  3. For any group, on the right hand side, select the Policies tab.
  4. In the Location-independent Policies and Settings, click General Settings.
  5. On the General Settings screen, click the Tamper Protection tab.
  6. Verify the option labeled "Protect Symantec security software from being tampered with or shut down."

If this is enabled, the option to stop the Symantec Management Client service (smcservice) from service control manager will be unavailable. If it is disabled, stopping smc from the service control manager is allowed.

Regards

Sumit G.

Sumit G:

Hello, is your requirement fulfilled, or is it still pending?

Regards

Sumit G.