Endpoint Protection

  • 1.  Tamper Protection does not prevent user from changing service status to disable

    Posted Jul 10, 2009 04:47 PM
    I have SEP 11.x rolled out and use the tamper protection.  I have also disabled the "Disable Symantec Endpoint Protection" option from the system tray.  I still have users that simply stop the service, mark it as disabled, and there is nothing I can do about it.  Anyone figured out how to fix this?


  • 2.  RE: Tamper Protection does not prevent user from changing service status to disable

    Posted Jul 10, 2009 05:02 PM
    Try this.  Click on the group that you wish to limit in this way and then go to the Policies tab.  Open the General Settings and on the Security Settings tab you can require that the users need passwords for certain functions.  The one that would help you would be the "Add a password to stop the client service" option.  You check the box and create your password and you are set.

    You can also require a password for uninstalling the client as well.



  • 3.  RE: Tamper Protection does not prevent user from changing service status to disable

    Posted Jul 10, 2009 05:14 PM
    That's done. The problem is when users stop the service under the Windows Control Panel. The password requirement you suggest above does not impact the user's ability to stop the service in Windows.

    Also, if a user changes the service to disabled and then reboots - they don't even need to stop the service.  SEP should detect the service state as "disabled" and change it back to Automatic and start the service as part of Tamper Protection.



  • 4.  RE: Tamper Protection does not prevent user from changing service status to disable

    Posted Jul 10, 2009 05:18 PM
    Hi,

    Does it happen with an administrator account or with a user account? User accounts have fewer privileges to stop the services.
    PChilds' suggestion is good.
    Try this as well: https://www-secure.symantec.com/connect/forums/users-could-still-disable-sepmv11-clients-tray

    Cheers,





  • 5.  RE: Tamper Protection does not prevent user from changing service status to disable

    Posted Jul 26, 2009 01:31 PM
    Hi,

    Have you resolved your issue? How?

    Regards,



  • 6.  RE: Tamper Protection does not prevent user from changing service status to disable

    Posted Jul 27, 2009 09:27 AM
    I have not resolved my issue as there is no way to resolve this issue presently.  What I need is for SEP to monitor the status and the startup type of the Symantec Endpoint Protection service.  Currently if I stop the service, tamper protection will restart it, as expected.  This is good.  But if one of my users, who is a local admin, changes the startup type to disabled and reboots, tamper protection will not change the startup type back to automatic and start the service.  SEP stays disabled.

    I would expect it to do this.


  • 7.  RE: Tamper Protection does not prevent user from changing service status to disable

    Posted Jul 27, 2009 10:07 AM
    I think the person is using a local admin account to do a trick in the SEP client, because local admins have the right to disable services in services.msc.


  • 8.  RE: Tamper Protection does not prevent user from changing service status to disable

    Posted Jul 27, 2009 11:14 AM
    As of MR4 MP2, the uninstall password should also prevent a user (even an admin) from stopping the service.  If you type "smc -stop" in the Run dialog, you will be prompted for the password.  I am able to change the startup type to disabled in the services panel, but the options to stop or pause the service are greyed out.  Upon reboot, the startup type is back to automatic and the service is in fact running.

    In earlier versions of SEP, this was not the case and users could stop the service or even modify which components (like removing device control) without the uninstall password, but this was changed in the latest version.


  • 9.  RE: Tamper Protection does not prevent user from changing service status to disable

    Posted Jul 27, 2009 11:28 AM
    If you use group policy, a temporary solution would be to change the security on the service so that only a specific user or group has permissions to control the service.
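
Added example, not part of any post in this thread: a small Python audit of a service security descriptor, to confirm that a Group Policy change like the one suggested in post 9 actually removed the rights to stop the service or change its startup type. The two SDDL strings are constructed samples in the format printed by `sc sdshow`, and the function names are this example's own.

```python
import re

# SDDL right codes (service-object meaning) that let a principal stop the
# service, change its startup type, or rewrite the permissions themselves.
TAMPER = {"WP": "STOP", "DT": "PAUSE_CONTINUE", "DC": "CHANGE_CONFIG",
          "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
# Generic rights: only the tamper-relevant part of each expansion is kept.
GENERIC = {"GA": set(TAMPER.values()), "GW": {"CHANGE_CONFIG"},
           "GX": {"STOP", "PAUSE_CONTINUE"}}
TRUSTEES = {"SY": "SYSTEM", "BA": "Administrators", "PU": "Power Users",
            "BU": "Users", "IU": "Interactive", "SU": "Service",
            "AU": "Authenticated Users", "WD": "Everyone"}


def tamper_capable(sddl):
    """Map each trustee to the tamper-relevant rights its allow ACEs grant.

    Deny ACEs and group membership are not evaluated.
    """
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not dacl:
        raise ValueError("no DACL found in SDDL string")
    found = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        ace_type, _flags, rights, _obj, _inh, sid = ace.split(";")[:6]
        if ace_type != "A":
            continue
        if rights.startswith("0x"):
            raise ValueError("hex access mask not supported: " + rights)
        granted = set()
        for code in re.findall("..", rights):
            granted |= GENERIC.get(code, set())
            if code in TAMPER:
                granted.add(TAMPER[code])
        if granted:
            found.setdefault(TRUSTEES.get(sid, sid), set()).update(granted)
    return {who: sorted(r) for who, r in found.items()}


def unexpected(sddl, allowed=("SYSTEM",)):
    """Trustees outside `allowed` that can still stop or reconfigure the service."""
    return sorted(set(tamper_capable(sddl)) - set(allowed))


# Constructed samples in the format printed by `sc sdshow <service>`.
DEFAULT_SD = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
RESTRICTED_SD = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)")
```

Feed it the `sc sdshow` output for the SEP client service once the policy has applied; the thread does not give the service name, so look it up on the client first.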