Endpoint Protection

View Only

Back to discussions

Expand all | Collapse all

SEP 12.1 Tamper Protection Scan with CCMEXEC.EXE (SCCM 2012)

Jump to Best Answer

1. SEP 12.1 Tamper Protection Scan with CCMEXEC.EXE (SCCM 2012)

Recommend
D-M
Posted Oct 22, 2015 11:04 PM

Reply Reply Privately
Hi Everyone

Our SCCM client has been upgraded from SCCM 2007 to 2012.

Now, when the PC is rebooted, we are getting this in eventlogs on all the workstations.

------------------

Scan type: Tamper Protection Scan

Event: Tamper Protection Detection

Security risk detected: C:\WINDOWS\CCM\CCMEXEC.EXE

File: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin\DWHWizrd.exe

Location: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin

Computer: computername

User: SYSTEM

Action taken: Leave Alone

Date found: Thursday, 22 October 2015 7:17:47 AM

--------------------

Sometimes, this comes up with different filename:

File: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin\ccSvcHst.exe

If i restart the SCCM client service (ccmexec) this event gets logged straight away.

Does anyone know why this is happening? False positive?

Could CCMEXEC be doing its own kind of scan when starting up, that is upsetting SEP?

Any workaround?

Thanks,

DM
2. RE: SEP 12.1 Tamper Protection Scan with CCMEXEC.EXE (SCCM 2012)
Best Answer

Recommend
PraveenAyappan
Posted Oct 23, 2015 12:45 AM

Reply Reply Privately
Have you tired to add a Tamper protection exception and set the action to ignore ?
3. RE: SEP 12.1 Tamper Protection Scan with CCMEXEC.EXE (SCCM 2012)
Best Answer

Recommend
Trusted Advisor

GeoGeo
Posted Oct 23, 2015 03:23 AM

Reply Reply Privately
If the location remains the same all the time add it in to the tamper protection exceptions policy should resolve the issue.
4. RE: SEP 12.1 Tamper Protection Scan with CCMEXEC.EXE (SCCM 2012)
Best Answer

Recommend
ℬrίαη
Posted Oct 23, 2015 06:17 AM

Reply Reply Privately
Add it as an exception

What should I do when I get a Tamper Protection Alert?
5. RE: SEP 12.1 Tamper Protection Scan with CCMEXEC.EXE (SCCM 2012)

Recommend
D-M
Posted Oct 27, 2015 05:39 PM

Reply Reply Privately
Thanks all.

I have also been told that 12.1.6 should fix this issue.

Will add it as an exception and trial 12.1.6 client as well.

Cheers. DM.

Endpoint Protection

SEP 12.1 Tamper Protection Scan with CCMEXEC.EXE (SCCM 2012)

D-MOct 22, 2015 11:04 PM

PraveenAyappanOct 23, 2015 12:45 AMBest Answer

GeoGeoOct 23, 2015 03:23 AMBest Answer

ℬrίαηOct 23, 2015 06:17 AMBest Answer

D-MOct 27, 2015 05:39 PM

1. SEP 12.1 Tamper Protection Scan with CCMEXEC.EXE (SCCM 2012)

2. RE: SEP 12.1 Tamper Protection Scan with CCMEXEC.EXE (SCCM 2012) Best Answer

3. RE: SEP 12.1 Tamper Protection Scan with CCMEXEC.EXE (SCCM 2012) Best Answer

4. RE: SEP 12.1 Tamper Protection Scan with CCMEXEC.EXE (SCCM 2012) Best Answer

5. RE: SEP 12.1 Tamper Protection Scan with CCMEXEC.EXE (SCCM 2012)

2. RE: SEP 12.1 Tamper Protection Scan with CCMEXEC.EXE (SCCM 2012)
Best Answer

3. RE: SEP 12.1 Tamper Protection Scan with CCMEXEC.EXE (SCCM 2012)
Best Answer

4. RE: SEP 12.1 Tamper Protection Scan with CCMEXEC.EXE (SCCM 2012)
Best Answer