Endpoint Protection

  • 1.  Tamper Protection Alert?

    Posted Dec 21, 2009 08:34 PM
    Hello,

    I just started receiving the tamper protection alert below today from one of our client computers:

    Caller process Target: C:/Program Files/Symantec/Symantec Endpoint Protection/SescLU.exe Symantec.SyKnAppS.SingleAccess
    Description: Symantec.SyKnAppS.SingleAccess

    Does anyone know anything about what might cause this?  Whatever is causing it seems to be getting blocked, which makes me happy.  However, the machine scans clean and pretty much all the settings are locked down so the user cannot tamper with anything.  I've tried removing the client from the SEPM and letting it find it again, but no luck.  It seems to regenerate the warning every time the machine reboots.  I did a search and found very little pertaining to this warning, so I hoped someone here might be able to help.

    Thank you in advance.

    Adrian


  • 2.  RE: Tamper Protection Alert?

    Posted Dec 21, 2009 09:22 PM
    Hi,

    Did you check the logs in the SEP client? If you open up the PTP logs, that may indicate the underlying cause of the issue.

    Aniket


  • 3.  RE: Tamper Protection Alert?

    Posted Dec 21, 2009 09:38 PM
    Tamper protection protects Symantec processes from being tampered with by other services / processes.
    Most of the time it would be viruses which try to disable the AV so that their job becomes easier.
    However, even legitimate programs generate this tamper protection alert.
    When you get the tamper protection alert you should check the Actor process; that will tell you who is in conflict.

    For example: Actor Process: c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (PID 348)
    which is a legitimate Logitech process.

    It detects uphclean.exe too.

    When two services are trying to access the same resources and one is trying to close the thread of the other process, I think this alert will be generated. If the program is legitimate, please create an exception.
    I think the program is legitimate; that's the reason why the scan returned nothing.

    Tamper Protection is detecting UPHClean.exe.
    http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/2e9986d4443d81d7882574c8007e60ac?OpenDocument

    How to configure Tamper Protection in Symantec Endpoint Protection 11.0


    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007092616550248?Open&seg=ent


  • 4.  RE: Tamper Protection Alert?

    Posted Dec 22, 2009 09:27 AM
    Aniket - I did check the PTP logs on the machine but nothing was listed in either the Threat or System logs.

    Rafeeq - I appreciate your help, but I don't think I quite understand everything you posted.  How do I check the Actor Process to determine what the conflict is?  What is UPHClean.exe?  What indicates that it is being detected?  I have added other items to the exception policy so that won't be a problem.  I guess I would like to understand this a little better before I put any changes into place.

    Thank you.


  • 5.  RE: Tamper Protection Alert?

    Posted Dec 22, 2009 09:33 AM
    I'm sorry if I confused you :)
    When you get a tamper protection alert,
    one will be the source (actor process)
    and one will be the target, of course the Symantec services.
    You need to check what your actor process is: who is trying to stop the Symantec process?
    If the actor process is genuine, like uphclean or any of your internal applications, you can then create
    a tamper protection exception for that process... still confusing? :)
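The two replies above describe the alert as having an actor (the caller process) and a target (a Symantec process), and say that the actor's identity decides whether an exception is appropriate. The script below is an added example, not code from this thread or from Symantec: it parses constructed alert text in the shape quoted in the thread, separates actor from target, and bins each alert as a candidate for an exception, as something to investigate, or as incomplete when no actor was recorded (which is what the original poster's alert looked like). The allowlist, the file paths and the PIDs are assumptions made for the example; the exception itself is still created by hand in SEPM.

```python
"""Triage Symantec Endpoint Protection tamper protection alerts.

Added example (not from the thread or from Symantec). Verdicts:
  exception_candidate - actor is on the administrator's known-legitimate list
  investigate         - actor is unknown; do not create an exception yet
  incomplete          - no actor recorded; read the client's Tamper Protection log
"""
import re
from collections import Counter

# Assumed starting allowlist, built only from processes named in the thread
# (Logitech LVPrcSrv.exe, Microsoft UPHClean.exe, SEP's own SescLU.exe).
# An administrator maintains this per environment; nothing here changes SEP.
KNOWN_LEGITIMATE = {"lvprcsrv.exe", "uphclean.exe", "sesclu.exe"}

_ACTOR_RE = re.compile(r"^\s*(?:Actor|Caller)\s+process\s*:\s*(.+)$", re.I)
# The original poster's alert ran "Caller process" and "Target:" together on
# one line with no actor value; accept that form so the target is still kept.
_TARGET_RE = re.compile(r"^\s*(?:Caller\s+process\s+)?Target\s*:\s*(.+)$", re.I)
_DESC_RE = re.compile(r"^\s*Description\s*:\s*(.+)$", re.I)
_PID_RE = re.compile(r"\s*\(PID\s+\d+\)\s*$", re.I)

# Constructed sample alerts (actor paths and PIDs invented for the example);
# the target and description mirror the alert quoted in the thread.
SAMPLE_ALERTS = r"""
Actor Process: c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (PID 348)
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
Description: Symantec.SyKnAppS.SingleAccess

Actor Process: C:\Program Files\UPHClean\uphclean.exe (PID 1204)
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
Description: Symantec.SyKnAppS.SingleAccess

Actor Process: C:\Temp\updater.exe (PID 2210)
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
Description: Symantec.SyKnAppS.SingleAccess

Caller process Target: C:/Program Files/Symantec/Symantec Endpoint Protection/SescLU.exe Symantec.SyKnAppS.SingleAccess
Description: Symantec.SyKnAppS.SingleAccess

Caller process Target: C:/Program Files/Symantec/Symantec Endpoint Protection/SescLU.exe Symantec.SyKnAppS.SingleAccess
Description: Symantec.SyKnAppS.SingleAccess
"""


def strip_pid(path: str) -> str:
    """Drop a trailing '(PID n)' suffix from an actor value."""
    return _PID_RE.sub("", path.strip())


def exe_name(path: str) -> str:
    """Lower-cased executable name from a Windows path in either slash style,
    ignoring a '(PID n)' suffix or text run on after the '.exe'."""
    last = re.split(r"[\\/]", strip_pid(path))[-1]
    m = re.match(r"(.+?\.exe)(?=\s|$)", last, re.I)
    return (m.group(1) if m else last).lower()


def parse_alerts(text: str) -> list:
    """Split alert text into records (dicts with actor/target/description);
    alerts are separated by blank lines, and missing fields stay absent."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            for key, rx in (("actor", _ACTOR_RE), ("target", _TARGET_RE),
                            ("description", _DESC_RE)):
                m = rx.match(line)
                if m:
                    rec[key] = m.group(1).strip()
                    break
        if rec:
            records.append(rec)
    return records


def triage(rec: dict, allowlist=KNOWN_LEGITIMATE) -> str:
    """Decide what an administrator should do with one alert."""
    actor = rec.get("actor")
    if not actor:
        return "incomplete"
    if exe_name(actor) in allowlist:
        return "exception_candidate"
    return "investigate"


def summarize(text: str, allowlist=KNOWN_LEGITIMATE) -> dict:
    """Count alerts by (actor executable, verdict); an alert that recurs on
    every reboot shows up as a count greater than one."""
    counts = Counter()
    for rec in parse_alerts(text):
        actor = exe_name(rec["actor"]) if rec.get("actor") else "<no actor>"
        counts[(actor, triage(rec, allowlist))] += 1
    return dict(counts)


def exception_candidates(text: str, allowlist=KNOWN_LEGITIMATE) -> list:
    """Full actor paths (PID removed) that qualify for a tamper protection
    exception, for the administrator to add in SEPM by hand."""
    paths = {strip_pid(r["actor"]) for r in parse_alerts(text)
             if triage(r, allowlist) == "exception_candidate"}
    return sorted(paths)


if __name__ == "__main__":
    for (actor, verdict), n in sorted(summarize(SAMPLE_ALERTS).items()):
        print(f"{actor:<14} {verdict:<20} x{n}")
    print("exception candidates:", exception_candidates(SAMPLE_ALERTS))
```

The allowlist is deliberately a plain set the administrator edits; matching is on the executable name only, so the full path printed by `exception_candidates` should still be compared against where that program is really installed before an exception is created. An alert with no actor, like the one in the first post, is reported as incomplete rather than guessed at, because the client's own Tamper Protection log is where the missing caller would be recorded.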


  • 6.  RE: Tamper Protection Alert?

    Posted Dec 22, 2009 10:00 AM
    Rafeeq - I think I understand what you are saying, but I don't think I am getting the information I need to create the appropriate exception.  The warnings I am getting are shown in the picture below.  I have cleared out the group and computer information for security purposes, but everything else is as I receive it.  If you can help me figure out what is causing the conflict I would greatly appreciate it.
     
    Thank you.

    [Attachment: warning.JPG]


  • 7.  RE: Tamper Protection Alert?
    Best Answer

    Posted Dec 22, 2009 12:53 PM
    I'm sorry, I did not see this earlier.
    You need to create an exception for sesclu.exe from tamper protection.

    Please check these discussions; they had the same issue.

    https://www-secure.symantec.com/connect/forums/tamper-protection-alert-caused-sep-module


    http://forums.citrix.com/thread.jspa?messageID=1420436


  • 8.  RE: Tamper Protection Alert?

    Posted Dec 23, 2009 08:53 AM
    Rafeeq - You were correct about that.  I created a tamper protection exception for sesclu.exe and rebooted the computer several times, and it hasn't come back once.

    Thank you very much!

    Adrian