Endpoint Protection


Unexpected result from Tamper protection


  • 1.  Unexpected result from Tamper protection

    Posted Mar 07, 2013 01:00 AM

    Hi All,

    Good Day..

    We are using SEP 12.1 RU1 MP1 on a Windows architecture, and on some of our clients we notice that even though Tamper Protection is enabled (action is block and log, padlock also locked) we are able to edit the registry, and could not see anything in the Tamper Protection log regarding this.

    Meanwhile, when SCCM is collecting info about SEP, it is getting blocked and logged (looks like Tamper Protection is working).

    Any ideas why this mismatch?

    Best Regards

    Ajin



  • 2.  RE: Unexpected result from Tamper protection

    Broadcom Employee
    Posted Mar 07, 2013 01:04 AM

    What registry value was changed?



  • 3.  RE: Unexpected result from Tamper protection

    Posted Mar 07, 2013 01:17 AM

    Hi Pete,

    Thanks for your inputs.

    Value of My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\LiveUpdate\Preferences\All Transports Available from 0 to 1.

    And I am able to create a new key anywhere under My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Symantec.

    Regards

    Ajin



  • 4.  RE: Unexpected result from Tamper protection

    Broadcom Employee
    Posted Mar 07, 2013 01:29 AM

    Since you say the client is RU1 MP1, this should not be seen.

    Tamper Protection exceptions are not honored
    Fix ID: 2580578
    Symptom: Tamper Protection exceptions are not honored. An excluded process will trigger tamper protection.
    Solution: The SEP client was sending a delta of the exclusion list to the BASH component. The client was modified to send the complete list to resolve this issue.

    Can you check if the RU2 client still has the issue?


  • 5.  RE: Unexpected result from Tamper protection

    Posted Mar 07, 2013 01:35 AM

    Hi Pete,

    Thanks again.

    If it is a bug we can try RU2, but we cannot deploy RU2 with immediate effect on all clients since it requires a lot of POC / approvals and we are operating this solution across the globe.

    I will come back with the results after testing on a test bed.

    SEPM will be the same 12.1 RU1 MP1 and the client will be RU2; does that sound good?

    Regards

    Ajin



  • 6.  RE: Unexpected result from Tamper protection

    Broadcom Employee
    Posted Mar 07, 2013 02:17 AM

    Yep, should not be any issue, but as a best practice the SEPM has to be the same version or a higher version than that of the clients.

    This is only for test; let us know the outcome.



  • 7.  RE: Unexpected result from Tamper protection

    Posted Mar 07, 2013 03:10 AM

    Can you try whether on the same machine you can also change any other existing entries? (just to exclude the possibility that some of the keys are not covered by TP). Take for example the one for SEP debug:

    1. Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC
    2. Double-click smc_debuglog_on
    3. Change the Value data to and click OK

    + just to check whether Tamper Protection also shows enabled status in the SEP client GUI itself?



  • 8.  RE: Unexpected result from Tamper protection

    Posted Mar 07, 2013 05:18 AM

    Hi Pete,

    Here we go.

    Test bed OS: Windows 7 Ent 64-bit with SEP 12.1.2

    We have tested on SEP 12.1.2 and I am able to modify the Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\LiveUpdate\Preferences value from 1 to 0.

    Since it is also a Symantec Endpoint related registry key.

    And registry values under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection I am not able to change.

    From the client UI Tamper Protection is enabled.

    Please have a look

    Regards

    Ajin



  • 9.  RE: Unexpected result from Tamper protection

    Posted Mar 07, 2013 05:26 AM

    Hi Sebastian

    Thanks for your inputs.

    I have tested the same on a test bed with 12.1.2 over Windows 7.

    I am able to modify the Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\LiveUpdate\Preferences value from 1 to 0.

    Since it is also a Symantec Endpoint related registry key.

    And registry values under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection I am not able to change.

    From the client UI Tamper Protection is enabled.

    Regards

    Ajin



  • 10.  RE: Unexpected result from Tamper protection

    Posted Mar 07, 2013 05:41 AM

    It would seem then that Tamper Protection does not necessarily block access to all of the SEP registry keys - for sure, what I know is that the SEP system registry keys would be blocked from tampering. Other preferences keys or such may have been left alone and available for changing.



  • 11.  RE: Unexpected result from Tamper protection

    Posted Mar 07, 2013 05:53 AM

    Hi Sebastian

    Is this a bug, or is the product designed to work this way?

    Regards

    Ajin



  • 12.  RE: Unexpected result from Tamper protection

    Posted Mar 07, 2013 05:57 AM

    AFAIK Tamper Protection was used to protect Symantec processes. There were a few registry tweaks which were used to uninstall SEP without a password. To protect against that, Symantec now prohibits registry modification of the Symantec Endpoint folder. That's why you are able to modify the LiveUpdate settings.

    However, if you try to kill LiveUpdate from Task Manager it will say access denied. It's related only to Symantec processes (.exe files) plus the Symantec Endpoint registry alone.



  • 13.  RE: Unexpected result from Tamper protection

    Posted Mar 07, 2013 06:05 AM

    Hi Rafeeq,

    Thanks for your inputs.

    So the user is allowed to change these settings via the registry; is there any other method to prevent this from the SEPM side?

    Regards

    Ajin



  • 14.  RE: Unexpected result from Tamper protection

    Posted Mar 07, 2013 06:11 AM

    You should be able to prevent it easily from the OS side - GPO for example, or access rights to registry keys. But not sure SEPM offers any other possibilities here.

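    One way to see which of the keys named in this thread are actually protected at the OS level, as discussed in the registry-change test above and in the GPO / access-rights suggestion just given, is to audit their ACLs. The script below is an added example for this thread, not Symantec's tooling: it reads the ACL of each SEP key quoted in the thread (the Wow6432Node path being the 32-bit view on 64-bit Windows) and reports any broad principal (Users, Authenticated Users, Everyone, INTERACTIVE) holding rights that allow changing values or adding sub-keys. The key list and principal list are assumptions for illustration; Tamper Protection enforces its own rules in the driver independently of these ACLs, so a key with broad write access here is one that relies on Tamper Protection alone.

    ```powershell
    # Added example for this thread, not Symantec's own tooling.
    # Audits OS-level registry ACLs on the SEP keys mentioned above and reports
    # which broad principals can modify them. Run from an elevated PowerShell on
    # the client. Key paths and principal names are assumptions for illustration.

    function Get-SepRegistryWriteAccess {
        param(
            # Keys quoted in the thread; Wow6432Node is the 32-bit view on x64.
            [string[]] $KeyPaths = @(
                'HKLM:\SOFTWARE\Symantec',
                'HKLM:\SOFTWARE\Symantec\LiveUpdate\Preferences',
                'HKLM:\SOFTWARE\Wow6432Node\Symantec\LiveUpdate\Preferences',
                'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection',
                'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC'
            ),
            # Principals that should not normally be able to modify product keys.
            [string[]] $BroadPrincipals = @(
                'BUILTIN\Users',
                'NT AUTHORITY\Authenticated Users',
                'NT AUTHORITY\INTERACTIVE',
                'Everyone'
            )
        )

        # Rights that permit modification. WriteKey is deliberately left out:
        # its mask also contains ReadPermissions and would match read-only rules.
        $modifyMask = [int][System.Security.AccessControl.RegistryRights]::SetValue -bor
                      [int][System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                      [int][System.Security.AccessControl.RegistryRights]::Delete -bor
                      [int][System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                      [int][System.Security.AccessControl.RegistryRights]::TakeOwnership

        foreach ($key in $KeyPaths) {
            if (-not (Test-Path -LiteralPath $key)) {
                [pscustomobject]@{ Key = $key; Principal = $null; Rights = $null; Inherited = $null; Status = 'KeyNotPresent' }
                continue
            }

            $acl = Get-Acl -LiteralPath $key
            $findings = @($acl.Access | Where-Object {
                $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
                $BroadPrincipals -contains $_.IdentityReference.Value -and
                (([int]$_.RegistryRights) -band $modifyMask) -ne 0
            })

            if ($findings.Count -eq 0) {
                [pscustomobject]@{ Key = $key; Principal = $null; Rights = $null; Inherited = $null; Status = 'NoBroadWriteAccess' }
                continue
            }

            # One row per offending rule so the inherited flag shows where to fix it.
            foreach ($rule in $findings) {
                [pscustomobject]@{
                    Key       = $key
                    Principal = $rule.IdentityReference.Value
                    Rights    = $rule.RegistryRights
                    Inherited = $rule.IsInherited
                    Status    = 'BroadWriteAccess'
                }
            }
        }
    }

    # Review the table; rows marked BroadWriteAccess are candidates for ACL hardening.
    Get-SepRegistryWriteAccess | Format-Table -AutoSize
    ```

    Rows flagged BroadWriteAccess with Inherited = True come from the parent key's ACL, so the fix belongs at that parent rather than on the individual key. When the decision is to harden with Group Policy, registry key ACLs are normally pushed centrally from Computer Configuration > Windows Settings > Security Settings > Registry; re-run the audit on a client after policy refresh to confirm the change, and keep in mind that Tamper Protection's own block-and-log behaviour is unaffected by, and separate from, these ACLs.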


  • 15.  RE: Unexpected result from Tamper protection
    Best Answer

    Posted Mar 07, 2013 06:18 AM

    Hi Sebastian

    Thanks for your inputs

    GPO is a good option. So can we conclude this as below:

    “As of now Tamper Protection does not necessarily block access to the entire set of SEP registry keys; the SEP system registry keys would be blocked from tampering. Other preferences keys or such may have been left alone and available for changing.”

    Regards

    Ajin



  • 16.  RE: Unexpected result from Tamper protection

    Posted Mar 07, 2013 06:19 AM

    Not possible from SEP; as Sebastian said, you can always use GPO.

    Moreover, even if you change LU settings in the registry, those will be reverted once the client communicates with the Manager.