TDAD - Coexistence with Core Isolation


Article ID: 276572


Products

Endpoint Threat Defense for Active Directory
Endpoint Security Complete

Issue/Introduction

Windows 10 and 11 include the Core Isolation feature Memory Integrity (Hypervisor-protected Code Integrity, HVCI). When it is enabled, TDAD may not function correctly.

TDAD's "Block LSASS memory attacks" and "Enable deception account in LSASS" features work by injecting TDAD's own code into the LSASS.exe process; if that injection fails, neither feature is effective.

Environment

Windows 10 and 11

Cause

Memory Integrity uses virtualization-based security (VBS) to run Windows' kernel code-integrity checks in an isolated Virtual Secure Mode, effectively a separate VM alongside the normal OS, so that kernel-mode code is only allowed to execute after it has been validated there. It protects kernel code integrity rather than relocating user-mode processes: lsass.exe is not moved into the secure VM and continues to run in the normal OS environment, but the enforcement HVCI applies to kernel-mode code changes what TDAD can do when it injects into LSASS. TDAD therefore needs an explicit coexistence mode to work alongside HVCI.

Resolution

  • For SEP 14.3 RU8 and newer, keep Memory Integrity enabled and create the following DWORD value (the key may need to be created if it does not exist):

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\Tdad]
"CICoexistence"=dword:00000001

  • For SEP versions below 14.3 RU8, disable Core Isolation Memory Integrity. Note that doing so removes hypervisor-enforced kernel code integrity for the whole machine, so upgrading to 14.3 RU8 or newer and using the registry value above is the preferable fix:
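The following PowerShell script is an added example and not part of this article or of the SEP product. It checks whether Memory Integrity (HVCI) is actually running on the host, reads the installed SEP version, and applies the CICoexistence value from the Resolution only when the build is 14.3 RU8 or newer; on older builds it reports the condition instead of silently disabling Memory Integrity. Two details are assumptions not stated in the article: that SEP's product version is stored under the CurrentVersion key shown below, and that 14.3 RU8 corresponds to product version 14.3.9205.6000. Adjust both if your release notes say otherwise.

```powershell
#Requires -RunAsAdministrator
# Added example (not Broadcom/Symantec code): detect HVCI, check SEP version, apply the
# CICoexistence DWORD from the article when the SEP build supports it.

$TdadKey   = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\Tdad'
# ASSUMPTION: SEP records its product version here; the article does not cite this key.
$SepVerKey = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion'
# ASSUMPTION: 14.3 RU8 = product version 14.3.9205.6000; verify against your release notes.
$MinBuild  = [version]'14.3.9205.6000'

function Test-HvciRunning {
    # Win32_DeviceGuard.SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (Memory Integrity).
    # This reflects what is running now, not just what is configured in the registry.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop
    return [bool]($dg.SecurityServicesRunning -contains 2)
}

function Get-SepVersion {
    $props = Get-ItemProperty -Path $SepVerKey -ErrorAction Stop
    return [version]$props.PRODUCTVERSION
}

function Enable-TdadCiCoexistence {
    # Create the Tdad key if TDAD has not created it yet, then write the DWORD the article prescribes.
    if (-not (Test-Path $TdadKey)) { New-Item -Path $TdadKey -Force | Out-Null }
    New-ItemProperty -Path $TdadKey -Name 'CICoexistence' -Value 1 -PropertyType DWord -Force | Out-Null
    # Read it back so the caller gets the value that is actually stored.
    return (Get-ItemProperty -Path $TdadKey -Name 'CICoexistence').CICoexistence
}

$hvci = Test-HvciRunning
$ver  = Get-SepVersion
Write-Host "Memory Integrity (HVCI) running: $hvci"
Write-Host "SEP product version: $ver"

if (-not $hvci) {
    Write-Host 'HVCI is not running; the TDAD LSASS features are not affected by this issue.'
}
elseif ($ver -ge $MinBuild) {
    $val = Enable-TdadCiCoexistence
    Write-Host "CICoexistence set to $val under $TdadKey."
    # ASSUMPTION: the article does not say whether a restart is required; a SEP client restart
    # or reboot is the safe way to make sure TDAD re-reads the value.
    Write-Host 'Restart the SEP client or reboot so TDAD picks up the new setting.'
}
else {
    Write-Host "SEP $ver is older than 14.3 RU8: upgrade SEP, or disable Memory Integrity as the article describes."
    Write-Host 'Disabling Memory Integrity removes hypervisor-enforced kernel code integrity; prefer the upgrade.'
}
```

Run it from an elevated PowerShell prompt. Checking Win32_DeviceGuard rather than only the DeviceGuard registry keys matters because Memory Integrity can be configured but not running (for example when an incompatible driver blocked it at boot), in which case TDAD is unaffected and no change is needed.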