Endpoint Protection

  • 1.  Event Executable file change denied

    Posted Mar 03, 2011 10:18 AM

    Good

    Can you tell me what action to take for the following event, "Executable file change denied", or what this event means?

    Thank you very much.

     



  • 2.  RE: Event Executable file change denied

    Posted Mar 03, 2011 10:21 AM

    Where are you seeing this? Can you post a screenshot?



  • 3.  RE: Event Executable file change denied

    Posted Mar 03, 2011 10:40 AM

    Are you running an upgrade to an installation, maybe a homemade app or something that SEP might find "sketchy"?

    You can try to add it to the exceptions and exclude it from being scanned/monitored.

    Alternatively, shut down SEP on the machine while upgrading the software, if this is the case.



  • 4.  RE: Event Executable file change denied
    Best Answer

    Posted Mar 03, 2011 12:14 PM

    If you have Network Application Monitoring (NAM) enabled and a program is updated, this would change the file's hash value. The hash value is how SEP is going to identify a particular file, as this is unique to that specific file, as opposed to the file's name, which could be changed.

    Based on what you've stated, I suspect that NAM is enabled and that the user received a pop-up dialog stating that the particular file in question had been changed since the last time it had been run. If the user were to choose to block this process in the dialog, you would see this information logged.

    If this client is not managed, NAM is enabled by default.

    To disable Network Application Monitoring, open the SEP client:

    1. Click on Change Settings on the left.
    2. Click on Configure Settings next to Network Threat Protection.
    3. Click on the Firewall tab.
    4. Uncheck "Enable network application monitoring".
    5. Click OK.

    If this client is managed, you would need to make this change from within the SEPM console.

    The following document will assist with using the SEPM to modify this policy.

    http://www.symantec.com/business/support/index?page=content&id=TECH102994&locale=en_US
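
The behaviour described in the best answer (a file is identified by its hash rather than its name, so an update makes it look changed), as an added example that is not part of the original thread and is not SEP's own code. It assumes SHA-256 as the fingerprint, and the helper names (`fingerprint`, `classify`, `approve`) and sample files are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile

def fingerprint(path, chunk_size=65536):
    """SHA-256 of the file contents (the algorithm is an assumption, not SEP's)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def classify(path, baseline):
    """Compare a file with a baseline of {path: fingerprint} without modifying it."""
    current = fingerprint(path)
    if baseline.get(path) == current:
        return "unchanged"   # same name, same contents
    if path in baseline:
        return "changed"     # same name, different contents (e.g. an update)
    if current in baseline.values():
        return "renamed"     # known contents under a different name
    return "new"             # never seen before

def approve(path, baseline):
    """Record the current fingerprint, as a user would by allowing the file."""
    baseline[path] = fingerprint(path)

def demo():
    """Run the cases on constructed files and return the verdicts in order."""
    baseline = {}
    with tempfile.TemporaryDirectory() as tmp:
        app = os.path.join(tmp, "app.exe")
        with open(app, "wb") as fh:
            fh.write(b"constructed build 1.0")
        verdicts = [classify(app, baseline)]        # first sighting
        approve(app, baseline)
        verdicts.append(classify(app, baseline))    # run again, untouched
        copy = os.path.join(tmp, "renamed.exe")
        shutil.copyfile(app, copy)
        verdicts.append(classify(copy, baseline))   # new name, same bytes
        with open(app, "wb") as fh:
            fh.write(b"constructed build 1.1")      # simulated software update
        verdicts.append(classify(app, baseline))    # same name, new bytes
    return verdicts

if __name__ == "__main__":
    print(demo())
```

A file that comes back as "changed" needs a decision before the baseline is updated with `approve`; blocking at that point corresponds to the denied event discussed in the thread.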