Problem:
There are tamper alerts regarding a Java (jqs.exe) process on client machines since Symantec Endpoint Protection (SEP) has been upgraded from 11.0 to 12.1. This does not occur on all clients.
Tamper protection is configured to "Block".
The file has been submitted to Security Response and it is clean.
Environment:
Windows XP computer with SEP 12.1 and Java 1.6 u26.
Cause:
JQS.exe try to reach SEP processes (i.e. ccSvcHst.exe, smc.exe), but not stopping them. This may be an incompatibility between JQS.exe and SEP 12.1.
Solution:
Workaround:
- Go to JQS.exe from Control Panel > Java > Advanced > Misc. and uncheck Java Quick Starter
or
- Create Centralized Exception to exclude JQS.exe from Tamper detection:
- Log in to the SEPM (Symantec Endpoint Protection Manager)
- Go to Policies -> Centralized Exceptions -> Add a Centralized Exception Policy
- Click on Centralized Exceptions
- Click on Add -> Windows Exception -> Tamper Protection Exception
- Choose Prefix: [PROGRAM_FILES] and write to File: \Java\JRE6\BIN\JQS.EXE
Check Public KB for more reference:
http://www.symantec.com/docs/TECH165939