Endpoint Protection


SEP 12RU1 Tamper Protection


  • 1.  SEP 12RU1 Tamper Protection

    Posted Feb 13, 2012 09:50 AM

    After upgrading our clients from either SEP 11.0.6300 or 12.1.671 to 12.1.1000 (RU1), Tamper Protection begins blocking many valid applications (Word, Excel, notepad, explorer, RDP, Cisco VPN....). We have no application policies in place and we have not made any other changes. Removing 12.1.RU1 and reinstalling a previous version will resolve the issue, but as soon as the machine is upgraded back to 12.1.RU1 the problem comes back. We have provided many logs to Symantec but they have not been able to come up with anything. Has anyone seen this behavior or have any ideas?



  • 2.  RE: SEP 12RU1 Tamper Protection

    Posted Feb 13, 2012 10:25 AM

    Hello Hugh,

    I'm not sure what the problem is, but if you know the names of the applications you can create exceptions for Tamper Protection under an Exception Policy.

     

    Regards,

     

    Oykun



  • 3.  RE: SEP 12RU1 Tamper Protection

    Broadcom Employee
    Posted Feb 13, 2012 11:13 AM

    Hi,

    For testing purposes, have you tried a fresh SEP 12.1 RU1 install?

    When it blocks an application, what error is it throwing?

     



  • 4.  RE: SEP 12RU1 Tamper Protection

    Posted Feb 13, 2012 01:59 PM

    We have a copy of either 11.0.6300 or 12.1.671 on our image, I'll stand up a clean image and test w/ 12.1 RU1 and see what happens.

    The tamper protection logs that the process in question (whatever app it thinks is the offender) is attempting to shut down the Symantec services. Disabling tamper protection completely is the only way to get the machine back into a functional state.



  • 5.  RE: SEP 12RU1 Tamper Protection

    Posted Feb 14, 2012 05:38 AM

    Please check for any firewall rule blocking.



  • 6.  RE: SEP 12RU1 Tamper Protection

    Posted Feb 14, 2012 05:57 AM

    We had the same problems, once upgraded to 12.1RU1, the machines ran crazy with TamperProtection Errors (Java, Novell, Outlook, etc.).

    The only way to get rid of that was deactivating the feature, as there were simply too many Apps to create exceptions for all of them.



  • 7.  RE: SEP 12RU1 Tamper Protection

    Posted Feb 14, 2012 08:20 AM

    This happens on machines that do not even have the firewall component installed.



  • 8.  RE: SEP 12RU1 Tamper Protection

    Posted Feb 14, 2012 08:35 AM

    That makes me feel a lot better. Symantec has been telling me that no one else has reported this to them and that it is something wrong with our image. I have been asking around and have heard of this problem at a few other businesses as well. Even if we don't have a solution yet at least I know it isn't just us. Maybe the next version of the software will fix this, who knows. It's irritating that they won't be honest about the scope of the issue.



  • 9.  RE: SEP 12RU1 Tamper Protection

    Posted Feb 14, 2012 01:38 PM

    It does happen on a clean image with a new install as well. What's strange is that you can have an application open for an hour or more and all of a sudden tamper protection will flag it as attempting to interfere with the Symantec services. Even simple apps like notepad do this.

    I have had a case open for weeks and provided endless detailed logs with no luck. Now tech support is asking for a copy of our image. Our management is reluctant to provide one since it is becoming apparent that this is a widespread issue and not just something specific to us. (we've contacted several other accounts and all are reporting the same behavior) I hate to just disable tamper protection entirely because that will leave the machines vulnerable but that looks like our only option at this point.



  • 10.  RE: SEP 12RU1 Tamper Protection

    Posted Mar 21, 2012 11:35 AM

    I am having a similar problem and just want to know how I can disable Tamper Protection from SEPM v12.1. I understand that I can add exclusions, but I can't seem to find the option to disable Tamper Protection. I don't want to disable Tamper Protection from the client side; I want to know how it can be done on the SEPM side. In which policy can I find and disable Tamper Protection?

     

    Any help is appreciated



  • 11.  RE: SEP 12RU1 Tamper Protection

    Posted Mar 21, 2012 12:19 PM

    @wanman0621

    TamperProtection can be disabled by browsing to the appropriate group, select the Policies-Tab.

    Under "Location-independent Policies and Settings", click on "General Settings"

    Choose the "Tamper Protection" Tab

    Uncheck "Protect Symantec security software from being tampered with or shut down" 

     

    See Screenshot:



  • 12.  RE: SEP 12RU1 Tamper Protection

    Posted Mar 21, 2012 12:20 PM

    Sorry, didn't reply to the right post.

     



  • 13.  RE: SEP 12RU1 Tamper Protection

    Posted Mar 21, 2012 01:27 PM

    Thanks!!  I was looking for this in the Policies, where mostly every other related setting is located (including exclusions - Hey, an oxymoron!!).  Silly me.  I'll try to think outside the box next time.



  • 14.  RE: SEP 12RU1 Tamper Protection

    Posted Jun 25, 2012 11:13 AM

    Tamper Protection notifications have been removed from the latest version. You may be interested in this post if you haven't already seen it:

    http://www.symantec.com/connect/forums/tamper-protection-notification-options-are-missing-sep-client-and-sepm-user-interface