Disable Tamper Protection

book

Article ID: 156680

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

You need to disable the Tamper Protection feature for Symantec Endpoint Protection (SEP) clients.

About Tamper Protection

Tamper Protection provides real-time protection for the Symantec applications that run on servers and clients. It protects Symantec processes and internal objects from the attacks that non-Symantec processes such as worms, trojan horses, viruses, and other security risks may make. Tamper Protection can block or log attempts to modify the Symantec processes or the internal software objects that synchronize Symantec threads and processes.

Resolution

Disable Tamper Protection on a single client

Use this method to disable Tamper Protection on a small number of clients. To disable Tamper Protection on multiple clients, use the method below.

  1. In the SEP client interface, click Change Settings.
  2. Next to Client Management, click Configure Settings.
  3. Click the Tamper Protection tab.
  4. Perform one of the following actions:
    • Uncheck Protection Symantec security software from being tampered with or shutdown. This disables Tamper Protection.
    • Change the drop-down menu to Log only.

      Note: This setting leaves Tamper Protection enabled. However, Tamper Protection will no longer block attempts to modify SEP files, folders, processes, or Registry values.
       
  5. Click OK. Tamper Protection is now disabled for this SEP client.

Disable Tamper Protection on multiple clients

  1. In the Symantec Endpoint Protection (SEPM) console, click Clients.
  2. Select the client-group you want to modify.
  3. Click the Policies tab.
  4. Click General Settings.
  5. Click the Tamper Protection tab.
  6. Perform one of the following actions:
    • Uncheck Protection Symantec security software from being tampered with or shutdown. This disables Tamper Protection.
    • Change the drop-down menu to Log only.

      Note: This setting leaves Tamper Protection enabled. However, Tamper Protection will no longer block attempts to modify SEP files, folders, processes, or Registry values.
       
  7. Click OK. Tamper Protection is disabled for clients within this client-group, and for clients within client-groups that inherit policies from this group. This occurs as soon as the clients receive the updated policy from the SEPM.

Best Practice

It is recommended to create a Tamper Protection exclusion, where possible, rather than disable Tamper Protection altogether.  For details, please see Creating a Tamper Protection exception on Windows clients or Creating exceptions from log events