
Tamper protection - how to manage alerts and what to do about them?

Created: 21 Sep 2013 | 1 comment

Hi all,

I've started upgrading our clients to 12.1.3 SEP from 11.x. The new policy has pretty much everything turned on and at default levels (with minor tweaks.)

We've now begun getting lots of tamper protection alerts from the newly upgraded machines. Things touching the SEP registry keys and executables. Lots of random apps are doing this such as:





Most of them are trying to interfere with:

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe


C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin64\Smc.exe

The VMware one touched all of the registry keys for SEP, the others were pointing towards the SEP EXE's.

Now, there are oodles of articles, blogs and forum posts suggesting to add exceptions and telling everyone and their dog how to do it.... but I've not come across an article saying WHY I should do it. Now, Symantec put this in for a reason, so I'm not about to blindly turn it off just because someone came knocking at the door!

I've already come across a "fake AV" drive-by download that did successfully kill SEP (11.x). (Thankfully the end-user called us about it!!! I logged it w/Symantec and they now block it, by the way.)

Can someone point me in the direction of a process to follow to identify that I don't have hidden, unknown malware trying to shut down SEP, and to show that, yes, this is actually OK to put an exception in for? Everyone seems quite eager to put in exceptions, and I'm not sure why.

Symantec seem to be very good at putting out detailed documentation on what a feature does, just not much at an operational level on how to best use it. What I'd love to see is an operational manual from Symantec on what to check on a daily basis; how to handle the various types of threats (what to ignore and when to leap from your chair and pull the network cable from a PC.) I know they have a massive two-week course that costs tens of thousands of dollars to attend. Not every company can afford it or is large enough to see the benefit in sending staff on that. Something in between would be nice. (Yes, I asked our account rep, and he just pointed us at the course and said there's nothing else he could find.)

Any help will be greatly appreciated.





Idimple:


Please check out the documents below:

What should I do when I get a Tamper Protection Alert?

How to Create Exceptions or Exclusions for Tamper Protection Alerts that have already been logged

Creating Tamper Protection Exception


Your satisfaction is very important to us. If you find the above information helpful or it has resolved your issue... please mark it accordingly :)
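For the process the original poster asked for (show that an actor is legitimate before adding an exception), here is a small triage helper added as an example for this thread. It is not Symantec's tooling and is not taken from the linked documents; it does not parse SEP logs, you hand it the actor process path shown in the Tamper Protection alert. It collects the evidence an exception decision should rest on: is the actor still on disk, is it Authenticode-signed and by whom, what is its SHA256 (for reputation lookup or submission), and does it run from a location a standard user can write to. The $TrustedSigners allow-list and the sample actor paths at the bottom are assumptions made up for the example, not values from the thread.

```powershell
# Example triage helper for Tamper Protection alerts (added for this thread;
# not Symantec code). Input: the "actor" process path from the alert.
function Get-TamperActorReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ActorPath,

        # Assumption: publishers whose agents legitimately touch other products'
        # files and registry keys on this estate. Tune to the vendors you run.
        [string[]]$TrustedSigners = @('CN=VMware, Inc.', 'CN=Microsoft Windows', 'CN=Microsoft Corporation')
    )

    $report = [ordered]@{
        ActorPath    = $ActorPath
        Exists       = Test-Path -LiteralPath $ActorPath -PathType Leaf
        Sha256       = $null
        SigStatus    = 'NotChecked'
        Signer       = $null
        UserWritable = $false
        Verdict      = 'Investigate'
        Reasons      = @()
    }

    # A drive-by dropper often deletes itself after killing the AV; a missing
    # actor is a red flag, not a reason to close the alert.
    if (-not $report.Exists) {
        $report.Reasons += 'Actor binary is no longer on disk'
        $report.Verdict = 'Suspicious'
        return [pscustomobject]$report
    }

    # Hash for lookup in your file-reputation source or for a Symantec submission.
    $report.Sha256 = (Get-FileHash -LiteralPath $ActorPath -Algorithm SHA256).Hash

    $sig = Get-AuthenticodeSignature -LiteralPath $ActorPath
    $report.SigStatus = $sig.Status.ToString()
    if ($sig.SignerCertificate) { $report.Signer = $sig.SignerCertificate.Subject }

    # Paths a non-admin can write to: the usual landing spots for fake-AV droppers.
    if ($ActorPath -match '^[A-Za-z]:\\(Users|ProgramData|Windows\\Temp)\\') {
        $report.UserWritable = $true
        $report.Reasons += 'Runs from a user-writable location'
    }

    $trusted = $false
    if ($sig.Status -eq 'Valid' -and $report.Signer) {
        foreach ($s in $TrustedSigners) {
            if ($report.Signer -like "*$s*") { $trusted = $true; break }
        }
    }

    if ($sig.Status -ne 'Valid') {
        $report.Reasons += "Authenticode status is $($sig.Status)"
        $report.Verdict = 'Suspicious'
    } elseif ($report.UserWritable) {
        # Even a validly signed binary in a profile directory deserves a look:
        # legitimate agents install under Program Files.
        $report.Verdict = 'Suspicious'
    } elseif ($trusted) {
        $report.Reasons += 'Validly signed by an expected publisher, from a protected path'
        $report.Verdict = 'LikelyBenign-ExceptionCandidate'
    } else {
        $report.Reasons += 'Validly signed, but by a publisher not on the allow-list'
        $report.Verdict = 'Investigate'
    }

    return [pscustomobject]$report
}

# Constructed sample input (hypothetical actor paths, not the thread's alerts):
# a management agent under Program Files and an executable in a public profile.
$actors = @(
    'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe',
    'C:\Users\Public\update.exe'
)

$actors | ForEach-Object { Get-TamperActorReport -ActorPath $_ } |
    Format-List ActorPath, Exists, SigStatus, Signer, UserWritable, Sha256, Verdict, Reasons
```

Run it from an elevated PowerShell session on the affected client. Only a LikelyBenign-ExceptionCandidate result should lead to an exception, and even then scope the exception to that signed binary rather than to a whole directory; a Suspicious result on an actor that touched Smc.exe or ccSvcHst.exe is the "pull the network cable" case the original poster describes, and the hash is what you submit to Symantec.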