Endpoint Protection


Tamper protection - how to manage alerts and what to do about them?

  • 1.  Tamper protection - how to manage alerts and what to do about them?

    Posted Sep 21, 2013 03:01 AM

    Hi all,

    I've started upgrading our clients to 12.1.3 SEP from 11.x. The new policy has pretty much everything turned on and at default levels (with minor tweaks.)

    We've now begun getting lots of tamper protection alerts from the newly upgraded machines. Things touching the SEP registry keys and executables. Lots of random apps are doing this such as:

    C:\WINDOWS\SYSTEM32\WERFAULT.EXE

    C:\PROGRAM FILES (X86)\SYSTEM CENTER OPERATIONS MANAGER 2007\HEALTHSERVICE.EXE

    C:\WINDOWS\CCM\CCMEXEC.EXE

    C:\PROGRAM FILES (X86)\VMWARE\VMWARE WORKSTATION\VNETLIB64.EXE

    Most of them are trying to interfere with:

    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe

    or

    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin64\Smc.exe

    The VMware one touched all of the registry keys for SEP; the others were pointing towards the SEP EXEs.

    Now, there are oodles of articles, blogs and forum posts suggesting to add exceptions and telling everyone and their dog how to do it.... but I've not come across an article saying WHY I should do it. Now, Symantec put this in for a reason, so I'm not about to blindly turn it off just because someone came knocking at the door!

    I've already come across a "fake AV" drive-by download that did successfully kill SEP (11.x). (Thankfully the end-user called us about it!!! I logged it w/Symantec and they now block it, by the way.)

    Can someone point me in the direction of a process to follow to identify that I don't have hidden, unknown malware trying to shut down SEP, and to show that, yes, this is actually OK to put an exception in for? Everyone seems quite eager to put in exceptions, and I'm not sure why.

    Symantec seem to be very good at putting out detailed documentation on what a feature does, just not much at an operational level on how to best use it. What I'd love to see is an operational manual from Symantec on what to check on a daily basis; how to handle the various types of threats (what to ignore and when to leap from your chair and pull the network cable from a PC.) I know they have a massive two-week course that costs tens of thousands of dollars to attend. Not every company can afford or is large enough to see the benefit in sending staff on that. Something in between would be nice. (Yes, I asked our account rep, and he just pointed us at the course and said there's nothing else he could find.)

    Any help will be greatly appreciated.

    Cheers,

    Steve
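Added example (PowerShell, not from the thread or from Symantec): before putting in the exception the replies recommend, check who signed each actor process named in the alerts above and where it lives, so the "why" of the exception is recorded. The actor paths are the ones listed in the post; the expected-publisher list, the function name and the decision wording are assumptions to adapt per environment.

```powershell
# Added example, not from the thread: triage actor processes reported in
# Tamper Protection alerts by checking who signed them before excepting them.
# The actor paths are the ones quoted in the post; the publisher list is an
# assumption to adapt per environment. Run on a host where the files exist.
$actors = @(
    'C:\WINDOWS\SYSTEM32\WERFAULT.EXE',
    'C:\PROGRAM FILES (X86)\SYSTEM CENTER OPERATIONS MANAGER 2007\HEALTHSERVICE.EXE',
    'C:\WINDOWS\CCM\CCMEXEC.EXE',
    'C:\PROGRAM FILES (X86)\VMWARE\VMWARE WORKSTATION\VNETLIB64.EXE'
)

# Publishers whose agents are expected to touch SEP files (assumed list).
$expectedPublishers = @('Microsoft Windows', 'Microsoft Corporation', 'VMware, Inc.')

function Get-TamperActorTriage {
    param([string[]]$Paths, [string[]]$TrustedPublishers)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            # A legitimate agent is installed persistently; an actor that has
            # vanished from disk is itself suspicious and needs a closer look.
            [pscustomobject]@{ Actor = $path; Signature = 'Missing'; Publisher = $null
                               Decision = 'Investigate: actor binary no longer on disk' }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $publisher = $null
        if ($sig.SignerCertificate) {
            # SimpleName yields the signer's CN without hand-parsing the DN.
            $publisher = $sig.SignerCertificate.GetNameInfo(
                [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        }
        # Actor must live under a directory only administrators can write to.
        $inProtectedDir = $path -match '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\'
        $decision = if ($sig.Status -eq 'Valid' -and $inProtectedDir -and
                        $publisher -in $TrustedPublishers) {
            'Candidate for an exception scoped to this actor; still review the target it touched'
        } elseif ($sig.Status -eq 'Valid') {
            'Signed, but publisher or location unexpected: confirm the vendor first'
        } else {
            # Catalog-signed OS files show NotSigned on older PowerShell builds;
            # treat that as "verify another way", not as proof of tampering.
            "Investigate: signature status $($sig.Status)"
        }
        [pscustomobject]@{ Actor = $path; Signature = $sig.Status; Publisher = $publisher; Decision = $decision }
    }
}

Get-TamperActorTriage -Paths $actors -TrustedPublishers $expectedPublishers | Format-Table -AutoSize -Wrap
```

Keep the resulting table with the change record for the exception, and scope the exception to the actor process rather than disabling Tamper Protection as a whole.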

     



  • 2.  RE: Tamper protection - how to manage alerts and what to do about them?

    Posted Sep 21, 2013 03:57 AM

    Hello,

    Please check out the documents below:

    What should I do when I get a Tamper Protection Alert?

    http://www.symantec.com/business/support/index?page=content&id=TECH97931

     

    How to Create Exceptions or Exclusions for Tamper Protection Alerts that have already been logged

    http://www.symantec.com/business/support/index?page=content&id=TECH92553

    Creating Tamper Protection Exception

    http://symantec.com/docs/HOWTO55213

    Cheers!