Endpoint Protection

  • 1.  endpoint protection 12 tamper protection alert on explorer.exe

    Posted May 22, 2012 11:08 AM

    hello,

    recently installed endpoint protection on all our machines and we notice now that on many (but not all), mostly Windows 7 (but not sure on that), we get (at least) daily tamper protection alerts on the actor process explorer.exe.

    since i think it's rather silly to make an exception for a critical process such as explorer.exe, i'd like to search for the root cause of this phenomenon and get it fixed. does anyone have any ideas on this?

    is there any way to get a report from the management console on which computers this tamper protection error is generated?

    thanks.

    Steven.



  • 2.  RE: endpoint protection 12 tamper protection alert on explorer.exe

    Posted May 22, 2012 11:37 AM

    Can you post a screenshot of the tamper alert? Are you running any custom software on these systems that may be trying to tamper with SEP?



  • 3.  RE: endpoint protection 12 tamper protection alert on explorer.exe

    Posted May 22, 2012 03:31 PM

    is there any way to get a report from the management console on which computers this tamper protection error is generated?

    The best way is to inspect the tamper protection logs on SEPM:

    Monitors > Logs > Log Type: Application and Device Control > Log content: Application Control > Advanced settings > Event type: Tamper protection

    You can export the log and process it in Excel.



  • 4.  RE: endpoint protection 12 tamper protection alert on explorer.exe

    Posted May 23, 2012 05:18 AM

    ok, here are two screenshots, one from the alert on a client computer, one from the log file (of the same alerts) on my computer. i also attached the tamper protection log file from the management console, sorted by description. of course, to make it easy, this file doesn't give you the same info as the alert itself or my log file (doh!), so no entries for explorer.exe there. I marked both alert entries mentioned above in yellow (between lines 3516 and 3737).

    (thanks to greg12 for the tip, didn't expect tamper protection to be located there)

    S.

    Attachment: tamper.xls (1.52 MB)


  • 5.  RE: endpoint protection 12 tamper protection alert on explorer.exe

    Broadcom Employee
    Posted May 23, 2012 05:44 AM

    create an exception

    What should I do when I get a Tamper Protection Alert?
    http://www.symantec.com/business/support/index?page=content&id=TECH97931

    How to Create Exceptions or Exclusions for Tamper Protection Alerts that have already been logged
    http://www.symantec.com/business/support/index?page=content&id=TECH92553

    Creating Tamper Protection Exception
    http://symantec.com/docs/HOWTO55213



  • 6.  RE: endpoint protection 12 tamper protection alert on explorer.exe

    Trusted Advisor
    Posted May 23, 2012 07:25 AM

    Hello,

    It is very suspicious. Why would Explorer.exe require access to the Symantec registry keys?

    Does this happen on all machines OR only on a few machines?

    Create a Tamper Protection Exception for the time being and then submit the explorer.exe to the Symantec Security Response.

    See Creating a Tamper Protection exception.

    I would also suggest you to submit the file to the Symantec Security Response Team.

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    Hope that helps!!




  • 7.  RE: endpoint protection 12 tamper protection alert on explorer.exe

    Posted May 24, 2012 06:29 AM

    checked the management log files again.

    in a total of around 600 machines, over a period of a month, i get the alert on only 33. 32 of them are W7 or W7x64, only one is Vista (pity ;-), but all of them are laptops.
    Alerts occur almost every day, but not on every laptop. one gets it 24 times in total, some only once. (but that doesn't mean that these laptops have only been on once!)
    Alerts happen at irregular times throughout the whole (24h) day, so i can't link it to updates or anything, as they are deployed at specific times.

    S.
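The per-computer, per-OS and time-of-day breakdown described in this post, starting from the SEPM log export suggested in post 3, can be scripted instead of done by hand in Excel. The following is an added example, not code from the thread or from Symantec; the CSV column names and the sample rows are constructed assumptions, so map them to the headers of your own export.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample of an exported SEPM tamper protection log.
# Column names are assumptions for this example; a real export may differ.
SAMPLE_CSV = """Event Time,Computer Name,Operating System,Actor,Target,Event Type
2012-05-21 09:14:02,LAPTOP-01,Windows 7,C:\\Windows\\explorer.exe,HKLM\\SOFTWARE\\Symantec,Tamper protection
2012-05-21 22:41:17,LAPTOP-01,Windows 7,C:\\Windows\\explorer.exe,HKLM\\SOFTWARE\\Symantec,Tamper protection
2012-05-22 03:05:44,LAPTOP-07,Windows 7 x64,C:\\Windows\\explorer.exe,HKLM\\SOFTWARE\\Symantec,Tamper protection
2012-05-22 13:30:00,LAPTOP-12,Windows Vista,C:\\Windows\\explorer.exe,HKLM\\SOFTWARE\\Symantec,Tamper protection
2012-05-22 14:00:09,DESKTOP-03,Windows XP,C:\\Tools\\backup.exe,HKLM\\SOFTWARE\\Symantec,Tamper protection
"""


def load_events(text):
    """Parse the exported log into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(events, actor_name="explorer.exe"):
    """Count tamper alerts whose actor process matches actor_name.

    Returns totals per computer, per operating system and per hour of day,
    which is what the poster compared manually to rule out scheduled jobs.
    """
    hits = [e for e in events if e["Actor"].lower().endswith(actor_name)]
    per_computer = Counter(e["Computer Name"] for e in hits)
    per_os = Counter(e["Operating System"] for e in hits)
    per_hour = Counter(
        datetime.strptime(e["Event Time"], "%Y-%m-%d %H:%M:%S").hour for e in hits
    )
    return {
        "total_alerts": len(hits),
        "affected_computers": len(per_computer),
        "per_computer": dict(per_computer),
        "per_os": dict(per_os),
        "per_hour": dict(sorted(per_hour.items())),
    }


if __name__ == "__main__":
    report = summarize(load_events(SAMPLE_CSV))
    print(f"{report['total_alerts']} explorer.exe alerts on "
          f"{report['affected_computers']} computers")
    for key in ("per_computer", "per_os", "per_hour"):
        print(key, report[key])
```

Hours that cluster around a known deployment window point at a scheduled job; a spread across the whole day, as the poster saw, does not, and the machines with the highest counts are the ones to look at first.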



  • 8.  RE: endpoint protection 12 tamper protection alert on explorer.exe

    Broadcom Employee
    Posted May 24, 2012 06:31 AM

    did creating an exception help? did you open a support ticket?



  • 9.  RE: endpoint protection 12 tamper protection alert on explorer.exe

    Posted May 24, 2012 08:51 AM

    I've not run across Windows 7 machines touching our reg keys with explorer...so unless there's a good reason for it (such as another program trying to merge a registry backup or something), I'd investigate this machine to ensure it's not infected, rather than just excluding it.

    This also begs the question..."why would explorer need to fiddle with our registry key?"  As it's not something I've seen before on Windows 7...I'd be more inclined to believe something is on this box that's causing that...might be malicious, might not be.

    Excluding explorer.exe, however, really isn't a good option, as you're undercutting SymProtect's ability to prevent tampering with files on the file structure.  With explorer excluded, there's nothing to prevent someone from directly attacking the files on the file structure.

    It might be worthwhile to run procmon and see what's calling explorer that, in turn, is trying to touch our registry key.  At the very *minimum*, you should open a support ticket so we can check for malicious items.