Carbon Black Cloud: Tamper Protection blocks Symantec Endpoint Protection injections resulting in repcli.exe failing to run.
Article ID: 289173
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Tamper Protection blocks injection by Symantec Endpoint Protection, resulting in scanhost.exe, repux.exe, and repcli.exe all failing to run
Environment
Carbon Black Cloud Console: All Versions
Carbon Black Cloud Sensor: 3.7.x and Lower
Microsoft Windows: All Supported Versions
Symantec Endpoint Protection: All Versions
Cause
Symantec Endpoint Protection's Sysfer.dll is injected through modification of the IMPORT directory: Sysplant.sys adds a sysfer.dll entry to the import directory during the image load notification of the main module and removes the entry again during the image load notification of sysfer.dll. The CB Cloud Sensor responds by having tamper protection block the sysfer.dll load.
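To make the mechanism concrete, here is an added example (not code from Carbon Black or Symantec) that parses the import directory of a PE image and lists the DLL names it declares, then flags any entry on an assumed watch list such as sysfer.dll. The sample image is constructed in memory from the PE/COFF header layout; the `build_sample_pe`, `imported_dlls` and `unexpected_imports` names are this example's own. Because Sysplant.sys inserts the entry only between the two image load notifications, a parse of the on-disk file will normally not show it; the example illustrates what the import directory entry looks like, which is the structure tamper protection is reacting to in memory.

```python
import struct

# Index of the import table in the optional header's DataDirectory (PE/COFF spec)
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_IMPORT_DESCRIPTOR_SIZE = 20


def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} lies outside every section")


def read_cstring(data, offset):
    end = data.index(b"\x00", offset)
    return data[offset:end].decode("ascii")


def imported_dlls(data):
    """Return the DLL names in the import directory of a PE image (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # DataDirectory starts at 0x70 in a PE32+ optional header, 0x60 in PE32
    dd_off = opt + (0x70 if magic == 0x20B else 0x60)
    imp_rva, _imp_size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    if imp_rva == 0:
        return []
    off = rva_to_offset(imp_rva, sections)
    dlls = []
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break  # an all-zero descriptor terminates the table
        dlls.append(read_cstring(data, rva_to_offset(name_rva, sections)))
        off += IMAGE_IMPORT_DESCRIPTOR_SIZE
    return dlls


def unexpected_imports(dlls, watch=("sysfer.dll",)):
    """Flag import entries on an assumed watch list of DLLs a module should not declare itself."""
    return [d for d in dlls if d.lower() in watch]


def build_sample_pe(dll_names):
    """Constructed minimal PE32+ image (headers plus one .idata section); not a real binary."""
    sec_rva, sec_raw = 0x1000, 0x200
    desc_size = IMAGE_IMPORT_DESCRIPTOR_SIZE * (len(dll_names) + 1)
    names, name_rvas = b"", []
    for name in dll_names:
        name_rvas.append(sec_rva + desc_size + len(names))
        names += name.encode("ascii") + b"\x00"
    descriptors = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas)
    idata = descriptors + b"\x00" * IMAGE_IMPORT_DESCRIPTOR_SIZE + names
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    opt_size = 240
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 0x6C, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x70 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, sec_rva, desc_size)
    sec_hdr = b".idata\x00\x00" + struct.pack("<IIIIIIHHI", len(idata), sec_rva, 0x200, sec_raw,
                                                0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\x00\x00" + file_hdr + bytes(opt) + sec_hdr
    return headers.ljust(sec_raw, b"\x00") + idata.ljust(0x200, b"\x00")


if __name__ == "__main__":
    image = build_sample_pe(["KERNEL32.dll", "sysfer.dll"])
    found = imported_dlls(image)
    print(found, unexpected_imports(found))
```

Pointing `imported_dlls` at a real file (`open(path, "rb").read()`) lists the DLLs the module declares on disk; an entry that appears only in the in-memory image, as this article describes, is the kind of discrepancy tamper protection treats as a modification of the module's import directory.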
Resolution
This behavior has been fixed in the 3.8.0.398 CB Cloud Windows Sensor.