Endpoint SWAT: Protect the Endpoint Community

  • 1.  ADC policy set to block autorun.inf but is blocking app with no rule name

    Posted Nov 09, 2017 03:28 AM

    SEP 14Mp2

    Created a SEP ADC policy where only autorun.inf is enabled (production). Under the application and control logs, we find an app being blocked and the target is "ccSvcHst.exe". There is no rule associated with the log entry. Any ideas why?



  • 2.  RE: ADC policy set to block autorun.inf but is blocking app with no rule name

    Posted Nov 09, 2017 06:19 AM

    Are you sure it's not coming from tamper protection? If not, perhaps a screenshot will help.



  • 3.  RE: ADC policy set to block autorun.inf but is blocking app with no rule name

    Posted Nov 09, 2017 06:52 AM

    When I do a log report and I select Tamper protection it DOES show up, however, why would the app (cisco agent) be trying to tamper with SEP?



  • 4.  RE: ADC policy set to block autorun.inf but is blocking app with no rule name
    Best Answer

    Posted Nov 09, 2017 06:59 AM

    It doesn't just happen with Cisco. There are a ton of processes that try to "tamper" with Symantec processes. I see it with Microsoft in general, WebEx, Citrix, etc. However, what it boils down to is getting that info from the 3rd party vendor and they won't have a clue as to why. If you trust it, exclude it. If not, let tamper protection continue to work.