What should I do when I get a Tamper Protection Alert?

book

Article ID: 178121

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

A process is triggering a Symantec Endpoint Protection (SEP) Tamper Protection alert.  Is there cause for concern?

 

 

Symptoms

On your computer you receive a pop-up alert from Symantec Endpoint Protection regarding a Tamper Protection alert, or in event logs there is Event ID 45: Tamper Protection is logged.

 

Resolution

Tamper Protection events may be caused by malware or may be caused by legitimate software which tries to access files and registry keys used by SEP. 

 

  1. In the alert you should firstly identify the Target, the Actor Process and the Action Taken.
    The Target is the process which is being attacked.
    The Actor Process is process that is doing the attacking.
    The Action Taken is the action that Tamper Protection performed to respond to the attack.
     
  2. Next consider if the Actor Process is a valid process or could it be suspicious?
     
  3. If the Actor Process is a legitimate process:

    If you are using Symantec Endpoint Protection (SEP) you might want to consider adding a Tamper Protection exclusion. For more information please read Creating a Tamper Protection exception on Windows clients. Alternatively you can also change the actions taken on the event. In SEP you can set the action to "log the event only."  See Changing Tamper Protection settings.
     
  4. If you suspect the Actor Process could be a potential threat to your environment, you should submit the suspicious process to Symantec Security Response for analysis. For information on how to submit a file to Security Response this please read How to Use the Web Submission Process.

    You should also run a Full System Scan with the latest definitions and check if there are any Risks being detected by your AntiVirus product in the Risk History/Log