Tamper Protection is blocking cscript.exe
search cancel

Tamper Protection is blocking cscript.exe


Article ID: 171816


Updated On:


Endpoint Protection


Tamper Protection randomly starts blocking cscript.exe on some of your systems.

4/25/2018 7:13:08 AM    Symantec Endpoint Protection Client    Information    Symantec Endpoint Protection Client   NT AUTHORITY\SYSTEM    45
"Scan type: Tamper Protection
Scan Event: Tamper Protection Detection
Security risk detected: C:\WINDOWS\SYSTEM32\CSCRIPT.EXE
File: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.3876.1100.105\Temp\temp\get-BitLockerStatus.ps1
Location: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.3876.1100.105\Temp\temp"



SEP 14.x


During Windows Update, the order of file creation is new files first, certificate catalog representing these files last. During the update, created files are touched or even loaded in memory causing our protection technologies to scan. These scans result in certificate resolution, and since the catalog file is not present, we cache the unsigned state. For performance reasons, our cached result for the certificate presence (or lack thereof) is going to be retained until the file in question is modified. This causes us to not look for the certificate presence for the file because it is not modified again. This causes incorrect information about cscript.exe not being signed by Microsoft and the problems associated with it. Microsoft is aware of this issue.


Sonar Engine 11.5 resolves this issue.