Tamper Protection is blocking cscript.exe

Article ID: 171816

Products

Endpoint Protection

Issue/Introduction

Tamper Protection randomly starts blocking cscript.exe on some of your systems.

4/25/2018 7:13:08 AM    Symantec Endpoint Protection Client    Information    Symantec Endpoint Protection Client   NT AUTHORITY\SYSTEM    45
"Scan type: Tamper Protection
Scan Event: Tamper Protection Detection
Security risk detected: C:\WINDOWS\SYSTEM32\CSCRIPT.EXE
File: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.3876.1100.105\Temp\temp\get-BitLockerStatus.ps1
Location: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.3876.1100.105\Temp\temp"


Cause

During Windows Update, files are created in this order: the new files first, and the certificate catalog representing those files last. While the update is in progress, the newly created files are touched or even loaded into memory, which causes our protection technologies to scan them. These scans trigger certificate resolution, and because the catalog file is not yet present, the unsigned state is cached. For performance reasons, the cached result for certificate presence (or the lack of it) is retained until the file in question is modified. Because the file is not modified again, certificate presence is never re-checked after the catalog arrives. The result is incorrect information that cscript.exe is not signed by Microsoft, along with the problems associated with it. Microsoft is aware of this issue.
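
The ordering problem described above can be replayed with a small model. This is an added example, not Symantec or Microsoft code: every class and function name is hypothetical, the "disk" is a constructed in-memory stand-in, and the catalog-aware cache key is an assumed mitigation for illustration only (the article does not say how Sonar Engine 11.5 fixes the issue).

```python
# Toy model of the caching behaviour described under "Cause".
# All names are hypothetical; this is not Symantec or Windows code.
from dataclasses import dataclass, field

@dataclass
class FileSystem:
    """Constructed stand-in for a disk: file versions plus installed catalogs."""
    file_version: dict = field(default_factory=dict)  # path -> modification counter
    catalog: set = field(default_factory=set)         # (path, version) pairs a catalog covers
    catalog_generation: int = 0                       # bumped on every catalog install

    def write_file(self, path):
        self.file_version[path] = self.file_version.get(path, 0) + 1

    def install_catalog(self, paths):
        self.catalog |= {(p, self.file_version[p]) for p in paths}
        self.catalog_generation += 1

    def is_signed(self, path):
        return (path, self.file_version[path]) in self.catalog

class ModificationKeyedCache:
    """Verdict is reused until the file itself is modified (behaviour in the article)."""
    def __init__(self, fs):
        self.fs, self.cache = fs, {}

    def key(self, path):
        return (path, self.fs.file_version[path])

    def is_signed(self, path):
        k = self.key(path)
        if k not in self.cache:          # only resolve the signature on a cache miss
            self.cache[k] = self.fs.is_signed(path)
        return self.cache[k]

class CatalogAwareCache(ModificationKeyedCache):
    """Assumed mitigation: the key also changes when a catalog is installed."""
    def key(self, path):
        return (path, self.fs.file_version[path], self.fs.catalog_generation)

def replay_update(cache_cls, path=r"C:\WINDOWS\SYSTEM32\CSCRIPT.EXE"):
    """Replay the update order and return the verdicts (during, after)."""
    fs = FileSystem()
    cache = cache_cls(fs)
    fs.write_file(path)             # 1. update writes the new binary
    during = cache.is_signed(path)  # 2. file is touched and scanned, no catalog yet
    fs.install_catalog([path])      # 3. catalog is written last
    after = cache.is_signed(path)   # 4. later scan of the unmodified file
    return during, after
```

With the modification-keyed cache the verdict stays "unsigned" after the catalog is installed, because nothing modifies the file again; the catalog-aware key forces a fresh lookup.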

Environment

SEP 14.x

Resolution

Sonar Engine 11.5 resolves this issue.