{"id":123,"date":"2011-11-22T12:20:22","date_gmt":"2011-11-22T17:20:22","guid":{"rendered":"http:\/\/www.heliotropicsystems.com\/blog\/?p=123"},"modified":"2014-09-08T15:37:12","modified_gmt":"2014-09-08T19:37:12","slug":"symantec-offers-overly-aggressive-protection","status":"publish","type":"post","link":"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/symantec-offers-overly-aggressive-protection\/","title":{"rendered":"Symantec Offers Overly Aggressive Protection"},"content":{"rendered":"<p>The newly updated Symantec Protection Suite Small Business Edition 4.0 contains Symantec Endpoint Protection 12.1.\u00a0 As part of that offering, there is a module called \u201cTamper Protection,\u201d which is designed to prevent any form of malware from adversely affecting the operation of the Symantec Software.<\/p>\n<p>As a managed service provider, I am using a third-party software product to monitor and maintain the health of my clients\u2019 servers and workstations.\u00a0 The software takes an inventory of a variety of things and reports back to the data center on a regular basis.\u00a0 I get to view the results on my web-based portal.<\/p>\n<p>Somehow, and quite unfortunately, Symantec Endpoint Protection thinks each of these activities is a threat to its existence, and the default setting for Tamper Protection is to block any offending program.\u00a0 When it does, it places an entry in the Windows Event log.<\/p>\n<div id=\"attachment_125\" style=\"width: 310px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-125\" class=\"size-medium wp-image-125\" title=\"SEPM_EventID45\" src=\"http:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/SEPM_EventID45.png\" alt=\"Windows EventID 45\" width=\"300\" height=\"229\" srcset=\"https:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/SEPM_EventID45.png 630w, 
https:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/SEPM_EventID45-300x229.png 300w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><p id=\"caption-attachment-125\" class=\"wp-caption-text\">Windows EventID 45<\/p><\/div>\n<p>Of course, my MSP software is designed to keep trying to get its information back to the data center \u2013 so the Event log just fills up with EventID 45 records as it struggles against Symantec Endpoint Protection.<\/p>\n<p>There has to be some way of preventing this.<br \/>\n<!--more--><br \/>\nThe Symantec documentation (Symantec\u2122 Endpoint Protection Small Business Edition Implementation Guide) describes a process whereby you can create exceptions to eliminate this sort of conflict.\u00a0 Terrific, let\u2019s follow the procedure and update the global Exceptions Policy.<\/p>\n<blockquote><p>Creating a Tamper Protection exception<\/p>\n<p>You can create exceptions for Tamper Protection.\u00a0 You might want to create a Tamper Protection exception if Tamper Protection interferes with a known safe application on your client computers.\u00a0 For example, Tamper Protection might block an assistive technology application, such as a screen reader.\u00a0 You need to know the name of the file that is associated with the assistive technology application.\u00a0 Then you can create an exception to allow the application to run.<\/p>\n<p>1. On the Exceptions Policy page, click Exceptions.<\/p>\n<p>2. Click Add &gt; Windows Exceptions &gt; Tamper Protection Exception.<\/p>\n<p>3. In the Add Tamper Protection Exception dialog box, in the Prefix variable drop-down box, select a common folder.<\/p>\n<p>When you select a prefix, the exception can be used on different Windows operating systems.<\/p>\n<p>Select [NONE] if you want to enter the absolute path and file name.<\/p>\n<p>4. 
In the File text box, type the name of the file.<\/p>\n<p>If you selected a prefix, the path should be relative to the prefix.\u00a0 If you selected [NONE] for the prefix, type the full path name.<\/p>\n<p>5. Click OK.<\/p>\n<p>6. If you are finished with the configuration for this policy, click OK.<\/p><\/blockquote>\n<p>So, I added the offending program files, assigned the updated policy to the server, and thought that all would be well.<\/p>\n<p>Only it wasn\u2019t.\u00a0 Not by a long shot.<\/p>\n<p>The MSP software continued to generate errors.\u00a0 Symantec continued to block it.<\/p>\n<p>Open up the documentation again and do some more reading.\u00a0 Aha!\u00a0 I can change the setting for Tamper Protection from \u201cblock\u201d to \u201clog\u201d and assign the updated policy to the server.<\/p>\n<p>Now that\u2019s better!\u00a0 But only slightly.<\/p>\n<p>The MSP software is now permitted to run; however, Tamper Protection is still logging the encounter as an error and posting EventID 45.<\/p>\n<p>Naturally, I opened up a support case with Symantec.\u00a0 Over the past two days, I have spent more than an hour and a half on this, only to find out that \u201cit is known issue and Symantec is working on this.\u201d<\/p>\n<p>Which is <strong>absurd<\/strong>!\u00a0 This product has been on the market for years, and the latest version is supposed to be the best one yet.\u00a0 How can the basic, built-in functionality of the product not work the way it is supposed to?<\/p>\n<p>So, I guess I will just have to wait for an update \u2013 after I archive and clear the filled-up Event logs from the server.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The newly updated Symantec Protection Suite Small Business Edition 4.0 contains Symantec Endpoint Protection 12.1.\u00a0 As part of that offering, there is a module called \u201cTamper Protection,\u201d which is designed to prevent any form of malware from adversely affecting the operation of the Symantec 
Software. As a managed service provider, I am using a third-party <span class=\"ellipsis\">&hellip;<\/span> <span class=\"more-link-wrap\"><a href=\"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/symantec-offers-overly-aggressive-protection\/\" class=\"more-link\"><span>Read More &rarr;<\/span><\/a><\/span><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[34,4,32,33,35],"tags":[],"class_list":["post-123","post","type-post","status-publish","format-standard","hentry","category-eventid-45","category-small-business","category-symantec","category-symantec-protection-suite-small-business-edition","category-windows-server-2008-r2"],"_links":{"self":[{"href":"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/123","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=123"}],"version-history":[{"count":10,"href":"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/123\/revisions"}],"predecessor-version":[{"id":187,"href":"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/123\/revisions\/187"}],"wp:attachment":[{"href":"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"
https:\/\/www.heliotropicsystems.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=123"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}