Carbon Black Cloud: Tamper Protection blocks Symantec Endpoint Protection injections resulting in repcli.exe failing to run.
Article ID: 289173

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Tamper Protection blocks injection by Symantec Endpoint Protection, resulting in scanhost.exe, repux.exe, and repcli.exe all failing to run

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: 3.7.x and Lower
  • Microsoft Windows: All Supported Versions
  • Symantec Endpoint Protection: All Versions

Cause

Symantec Endpoint Protection injects its Sysfer.dll by modifying the IMPORT directory of the target process rather than by a conventional remote-thread or APC injection. Its kernel driver, Sysplant.sys, adds a sysfer.dll entry to the import directory during the image-load notification for the process's main module, so the Windows loader pulls sysfer.dll in as if it were a static dependency, and then removes the entry again during the image-load notification for sysfer.dll itself. The Carbon Black Cloud sensor's Tamper Protection treats this as tampering with its own processes and blocks the sysfer.dll load. Because the DLL is now an unresolvable import of the main module rather than a dynamically loaded library, the loader aborts process initialization, and the sensor's own utilities (scanhost.exe, repux.exe and repcli.exe) fail to start.
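As an added diagnostic that is not part of this article, the following PowerShell script checks whether a host is in the affected combination: a Carbon Black Cloud Windows sensor older than 3.8.0.398 with Symantec Endpoint Protection present. It assumes the default sensor install path (C:\Program Files\Confer\repcli.exe) and that SEP registers its kernel driver as the "SysPlant" service; both are assumptions, adjust them for non-default installs.

```powershell
# Added diagnostic, not Carbon Black or Symantec code.
# Assumptions: RepCLI lives at the default sensor path below, and SEP's
# Sysplant.sys is registered as the "SysPlant" service.
$FixedIn    = [version]'3.8.0.398'
$RepCliPath = 'C:\Program Files\Confer\repcli.exe'
$SysferDll  = Join-Path $env:SystemRoot 'System32\sysfer.dll'

function Get-SensorVersion {
    param([string]$Path = $RepCliPath)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # FileVersion is a dotted numeric string on the sensor binaries.
    try { return [version](Get-Item -LiteralPath $Path).VersionInfo.FileVersion }
    catch { return $null }
}

function Test-SepPresent {
    # Either the SysPlant driver service or sysfer.dll on disk indicates SEP.
    $svc = Get-Service -Name 'SysPlant' -ErrorAction SilentlyContinue
    return (($null -ne $svc) -or (Test-Path -LiteralPath $SysferDll))
}

$ver = Get-SensorVersion
if ($null -eq $ver) {
    Write-Warning "RepCLI not found or unversioned at $RepCliPath; is the sensor installed?"
    return
}

$sep = Test-SepPresent
if ($sep -and ($ver -lt $FixedIn)) {
    Write-Warning "Sensor $ver with SEP present: affected. Upgrade to $FixedIn or later."
} elseif ($sep) {
    Write-Output "Sensor $ver is at or after $FixedIn with SEP present: not affected."
} else {
    Write-Output "SEP (SysPlant / sysfer.dll) not detected: this article does not apply."
}

# Confirm whether RepCLI itself can start. When the sysfer.dll import is
# blocked, the loader typically fails the process with STATUS_DLL_NOT_FOUND
# (0xC0000135), which surfaces as exit code -1073741515.
& $RepCliPath status
if ($LASTEXITCODE -eq -1073741515) {
    Write-Warning "repcli.exe failed to initialize (0xC0000135): consistent with the blocked import described above."
}
```

Run it in an elevated PowerShell session on the endpoint; `repcli status` is the sensor's own status command and needs administrator rights.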

Resolution

This behavior is fixed in Carbon Black Cloud Windows Sensor 3.8.0.398. Upgrade affected sensors (3.7.x and lower) to 3.8.0.398 or later on endpoints where Symantec Endpoint Protection is also installed.