Symantec AntiVirus Corporate Tamper Protection Alert


Kirstin

I'm receiving notifications from SAVCE v10 Tamper Protection indicating that
Windows Defender is tampering with SAV's executables. I receive a
notification like the one below for the executables under "C:\Program
Files\Symantec AntiVirus\" and "C:\Program Files\Common Files\Symantec
Shared\":
------------------------------------------------------
SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Symantec AntiVirus\vpc32.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: C:\Program Files\Windows Defender\MsMpEng.exe (PID 1248)
Time: Wednesday, February 15, 2006 7:32:11 PM
------------------------------------------------------

I excluded the above mentioned directories under Windows Defender's Advanced
Options, but the alerts continue to keep occurring every time WD real-time or
scheduled scans occur.

Why isn't Windows Defender skipping these Symantec directories?
 
There's another thread on this same issue in another group. A different
SAVCE v10 user states that he doesn't see this on his install.

Is this Tamper Protection something that isn't on by default?

I believe Microsoft is aware of this issue--but I'm not sure who will need
to fix it.
 
Bill, you are correct: tamper protection has to be switched on; it is not a
default setting. I had this with beta 1 as well, so just turned tamper
protection off again.
 
Thanks--that may explain why the issue exists--and perhaps, it should
continue to exist. It may be very appropriate that you are getting that
notification. And, it may open a security hole to exclude that folder from
Windows Defender's scanning.


--
 
Bill Sanderson said:
Thanks--that may explain why the issue exists--and perhaps, it should
continue to exist. It may be very appropriate that you are getting that
notification. And, it may open a security hole to exclude that folder from
Windows Defender's scanning.

The question remains, why is Defender tampering with Symantec?

I currently only have Defender installed on my computer, because I cannot have
all the other employees in the office bugging me every morning about the
Symantec "Errors" they keep getting. And I'm not going to turn off the Symantec
Tamper Protection.

It seems every morning I start my computer I get two Tamper Warnings (I
currently have Tamper Protection set to "Log Only" so that Defender can
continue), one is a warning against the vptray.exe program which tells me it is
trying to stop the Symantec traybar process
(http://www.liutilities.com/products/wintaskspro/processlibrary/vptray/). The
other warning is the ccEvtMgr.exe service that it is trying to stop.

Defender's predecessor(s) (Microsoft Anti-Virus) never seemed to have a problem
with Symantec, why does Defender?
 
Sorry for the delay. I don't really have any answers about this issue.
Windows Defender is better at what it does--it works differently from
Microsoft Antispyware, in terms of its hooks into the system. Microsoft and
Symantec are going to need to work this issue out, and I can't predict how
long that will take, I'm afraid.

I'm quite sure that Windows Defender is not trying to stop any Symantec
processes or services, and that the tampering alarms are a technical issue,
not a sign of an attempt to sabotage the application.

--
 
Can you reply back to the thread and let me know exact repro steps?

--
-steve

Steve Dodson [MSFT]
Windows Defender Beta Lead
MCSE, CISSP
http://blogs.technet.com/stevedod
--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
Looking at just this thread, here's the nearest I can come:

Install Symantec Corporate Antivirus Version 10.x

Check the help for that product for information about enabling the "Tamper
Protection Alert" functionality--I believe this is optional, not turned on
by default.

Turn that on, then run manual or scheduled scans with Windows Defender on
the system.

I think that's the best I can do with this thread--I'll see if I can spot
whether other Symantec product versions are involved as well. I do have one
client using Symantec Corporate Antivirus, but I think they are on 9, rather
than 10--will see, and if I can get better repro steps, or see this first
hand, I'll let you know.

http://www.symantec.com/Products/enterprise?c=prodinfo&refId=805&cid=1008

should be the product involved- I haven't spotted whether there's a trial
download or not, I suspect not.


--

 
I just came across this thread and thought I'd put my .02 in. I am running into the exact same problem that is referenced in this thread. I am running SAV 10.0.2.2000. I can, at will, reproduce this error by just opening up SAV in my system tray and hitting live update. This only started occurring after my installation of Defender. You are also correct that Tamper Protection is disabled by default.

SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec AntiVirus\vpc32.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: C:\Program Files\Windows Defender\MsMpEng.exe (PID 1592)
Time: Wednesday, May 10, 2006 2:47:36 PM
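
As an added example (not part of any post in this thread, and not Symantec or Microsoft code): a small Python parser for the alert text quoted in the posts above. It groups alerts by actor process, event, target and action so that repeated alerts from one source can be counted. The field names come from the two alerts quoted in this thread; the function names are hypothetical.

```python
import ntpath
import re
from collections import Counter
from datetime import datetime

# Sample input: the two alerts quoted in this thread, copied as posted.
SAMPLE = r"""
------------------------------------------------------
SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Symantec AntiVirus\vpc32.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: C:\Program Files\Windows Defender\MsMpEng.exe (PID 1248)
Time: Wednesday, February 15, 2006 7:32:11 PM
------------------------------------------------------
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec AntiVirus\vpc32.exe
Event Info: Open Process
Action Taken: Logged
Actor Process: C:\Program Files\Windows Defender\MsMpEng.exe (PID 1592)
Time: Wednesday, May 10, 2006 2:47:36 PM
"""

HEADER = "SYMANTEC TAMPER PROTECTION ALERT"
FIELD = re.compile(r"^(Target|Event Info|Action Taken|Actor Process|Time):\s*(.+)$")
ACTOR = re.compile(r"^(?P<path>.+?)\s*\(PID\s+(?P<pid>\d+)\)$")
TIME_FORMAT = "%A, %B %d, %Y %I:%M:%S %p"  # assumes English day and month names

def parse_alerts(text):
    """Split pasted alert text into one dict per alert."""
    alerts, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == HEADER:
            current = {}
            alerts.append(current)
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2)
    for alert in alerts:
        if m := ACTOR.match(alert.get("Actor Process", "")):
            alert["Actor Process"], alert["PID"] = m.group("path"), int(m.group("pid"))
        if "Time" in alert:
            alert["Time"] = datetime.strptime(alert["Time"], TIME_FORMAT)
    return alerts

def summarize(alerts):
    """Count alerts per (actor exe, event, target exe, action taken)."""
    def exe(path):
        return ntpath.basename(path or "").lower()
    return Counter(
        (exe(a.get("Actor Process")), a.get("Event Info"),
         exe(a.get("Target")), a.get("Action Taken"))
        for a in alerts
    )
```
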
 
Same problem here too. Mine only started today - I have had SAVCE 10.0.2.2000 running for a while along with Defender, but today I rolled out the SAVCE updates 10.0.2.2020 and 10.0.2.2021 and it occurred both times and anytime that I click on the shield in the sys tray. In checking, the Software Explorer from Defender says the right version info on it and notes that it is signed by VeriSign, but the only thing is that I cannot get updates for Defender, so maybe it does not "know" about this new SAV Client???

I will post back if I learn anything new.
 
Tamper Protection Alert problem solved

I just started having this problem with Tamper Protection alerts on Monday, 3 days ago. No changes other than scheduled automatic updates to Windows, SAV and PestPatrol. Alerts were being triggered by several apps but namely rundll32.exe ("rundll32 nView.dll,nViewInitialize") and PestPatrol. PP was the worst with 6 or 7 alerts every 10-20 seconds.

SAV Corporate was 10.0.0.120. (not 100% sure on the 4th number)

I just installed 10.1.0.391 (scan engine 61.1.0.11), rebooted and problem solved.
 