
Tamper protection - how to manage alerts and what to do about them?

Created: 20 Sep 2013 | 1 comment

Hi all,

I've started upgrading our clients to 12.1.3 SEP from 11.x. The new policy has pretty much everything turned on and at default levels (with minor tweaks.)

We've now begun getting lots of tamper protection alerts from the newly upgraded machines. Things touching the SEP registry keys and executables. Lots of random apps are doing this such as:

C:\WINDOWS\SYSTEM32\WERFAULT.EXE

C:\PROGRAM FILES (X86)\SYSTEM CENTER OPERATIONS MANAGER 2007\HEALTHSERVICE.EXE

C:\WINDOWS\CCM\CCMEXEC.EXE

C:\PROGRAM FILES (X86)\VMWARE\VMWARE WORKSTATION\VNETLIB64.EXE

Most of them are trying to interfere with:

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe

or

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin64\Smc.exe

The VMware one touched all of the registry keys for SEP; the others were pointing towards the SEP EXEs.

Now, there are oodles of articles, blogs and forum posts suggesting to add exceptions and telling everyone and their dog how to do it... but I've not come across an article saying WHY I should do it. Now, Symantec put this in for a reason, so I'm not about to blindly turn it off just because someone came knocking at the door!

I've already come across a "fake AV" drive-by download that did successfully kill SEP (11.x). (Thankfully the end-user called us about it!!! I logged it w/Symantec and they now block it, by the way.)

Can someone point me in the direction of a process to follow to identify that I don't have hidden, unknown malware trying to shut down SEP, and to show that, yes, this is actually OK to put an exception in for? Everyone seems quite eager to put in exceptions, and I'm not sure why.

Symantec seem to be very good at putting out detailed documentation on what a feature does, just not much at an operational level on how to best use it. What I'd love to see is an operational manual from Symantec on what to check on a daily basis; how to handle the various types of threats (what to ignore and when to leap from your chair and pull the network cable from a PC). I know they have a massive two-week course that costs tens of thousands of dollars to attend. Not every company can afford it or is large enough to see the benefit in sending staff on that. Something in between would be nice. (Yes, I asked our account rep, and he just pointed us at the course and said there's nothing else he could find.)

Any help will be greatly appreciated.

Cheers,

Steve
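One way to start the triage the question asks for, as an added example that is not from the original post, from Symantec, or from any of the linked documents: before creating an exception, record for each process named in a Tamper Protection alert whether the binary still exists, whether it carries a valid Authenticode signature and who signed it, and its SHA-256 hash, then compare those facts against what the vendor documents for that product. The process list below is constructed from the paths quoted in the question; the script assumes PowerShell 4.0 or later (for Get-FileHash) and is run on the machine that raised the alerts.

```powershell
# Added example (not Symantec's code): triage helper for Tamper Protection alerts.
# For each "actor" process reported in an alert it captures existence, Authenticode
# signature status and signer, and SHA-256, and assigns a triage verdict.
# Assumes PowerShell 4.0+ (Get-FileHash) and that it runs on the alerting host.

# Constructed sample input: the actor paths quoted in the question above.
$alertingProcesses = @(
    'C:\WINDOWS\SYSTEM32\WERFAULT.EXE',
    'C:\PROGRAM FILES (X86)\SYSTEM CENTER OPERATIONS MANAGER 2007\HEALTHSERVICE.EXE',
    'C:\WINDOWS\CCM\CCMEXEC.EXE',
    'C:\PROGRAM FILES (X86)\VMWARE\VMWARE WORKSTATION\VNETLIB64.EXE'
)

function Get-TamperActorReport {
    param([string[]]$Paths)

    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            # A path named by an alert that no longer exists deserves a closer look:
            # a transient dropper, a renamed binary, or simply a per-host install path.
            [pscustomobject]@{
                Path      = $path
                Exists    = $false
                SigStatus = 'n/a'
                Signer    = 'n/a'
                Sha256    = 'n/a'
                Verdict   = 'INVESTIGATE: file not found'
            }
            continue
        }

        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

        # Only a chain that validates to a trusted root gives Status 'Valid'.
        # NotSigned, HashMismatch and UnknownError all mean the signature cannot
        # vouch for the binary, so it needs manual review before any exception.
        $verdict = if ($sig.Status -eq 'Valid') {
            'REVIEW: signed; confirm the signer is the expected vendor before excepting'
        } else {
            "INVESTIGATE: signature status $($sig.Status)"
        }

        [pscustomobject]@{
            Path      = $path
            Exists    = $true
            SigStatus = $sig.Status
            Signer    = $signer
            Sha256    = $hash
            Verdict   = $verdict
        }
    }
}

# Keep the output with the ticket: it documents why an exception was (or was not) granted.
Get-TamperActorReport -Paths $alertingProcesses | Format-List
```

A "Valid" status only tells you the file is what its signer shipped; whether that vendor's product legitimately touches SEP's keys and executables is what the vendor documentation and the SEP knowledge base articles have to answer. Conversely, a NotSigned result on a Windows system component is not by itself evidence of tampering, since catalog-signed OS files can report NotSigned on older Windows and PowerShell versions and need checking with another signature tool; the hash in the report is what lets you compare the file against a known-good copy from another host.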


Comments (1)

Idimple:

Hello,

Please check out the below document,

What should I do when I get a Tamper Protection Alert?

http://www.symantec.com/business/support/index?page=content&id=TECH97931

How to Create Exceptions or Exclusions for Tamper Protection Alerts that have already been logged

http://www.symantec.com/business/support/index?page=content&id=TECH92553

Creating Tamper Protection Exception

http://symantec.com/docs/HOWTO55213

Cheers!

Your satisfaction is very important to us. If you find the above information helpful or it has resolved your issue, please mark it accordingly :)