Multiple noisy Tamper Protection events post upgrade to SEP 16 (ESA) from SEP 14


Article ID: 411308


Updated On:

Products

Endpoint Security, Endpoint Security Complete, Endpoint Security for Servers

Issue/Introduction

You notice multiple noisy Tamper Protection events for legitimate processes after upgrading to SEP 16, whereas the old SEP 14 clients on the same machines recorded fewer events.

Here is a sample of the log entries as shown on the console:

8/3/2025 3:20:43 AM +03:00    Access to process restricted: Open process/thread handle Actor: C:\Windows\System32\conhost.exe Target: C:\Program Files\Broadcom\Endpoint Security Agent\Definitions\WebExtConnectorDefs\20250519.001\webextbridge.exe 
8/3/2025 3:20:55 AM +03:00    Access to process restricted: Open process/thread handle Actor: C:\Windows\System32\Taskmgr.exe Target: C:\Program Files\Broadcom\Endpoint Security Agent\2.5.0.186\bin64\ccSvcHst.exe 
8/3/2025 3:20:57 AM +03:00    Access to process restricted: Open process/thread handle Actor: C:\Windows\System32\Taskmgr.exe Target: C:\Program Files\Broadcom\Endpoint Security Agent\2.5.0.186\bin64\main_ui.exe 
8/3/2025 3:20:57 AM +03:00    Access to process restricted: Open process/thread handle Actor: C:\Windows\System32\Taskmgr.exe Target: C:\Program Files\Broadcom\Endpoint Security Agent\Definitions\WebExtConnectorDefs\20250519.001\webextbridge.exe 
8/3/2025 3:20:59 AM +03:00    Access to process restricted: Open process/thread handle Actor: C:\Windows\System32\Taskmgr.exe Target: C:\Program Files\Broadcom\Endpoint Security Agent\Definitions\SepServiceTdadDefs\20250425.002\SETDADCollector.exe 
8/3/2025 3:21:00 AM +03:00    Access to process restricted: Open process/thread handle Actor: C:\Windows\System32\Taskmgr.exe Target: C:\Program Files\Broadcom\Endpoint Security Agent\Definitions\SeaBladeAppDiscoveryDefs\20250519.001\ADScan.exe  


Environment

ESA client (SEP 16)

Windows OS

Cause

ESA (SEP 16) Tamper Protection is more aggressive than SEP 14 because of an enhanced mechanism that records a wider range of tamper attempts, e.g.:

1. OpenProcess
2. OpenThread
3. DuplicateProcess
4. DuplicateThreadHandle

And many more.

Resolution

You can create exceptions for the applications that Tamper Protection detects with the Allow List policy.

Alternatively, change the Tamper Protection action to Block and do not log:

Go to Policies, open the System policy, and set the action to Block and do not log.
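Before adding Allow List exceptions it helps to know which actors are generating the noise and which agent binaries they touch. The following Python script is an added example (not part of this article and not Symantec tooling): it parses console lines in the "Access to process restricted" format quoted above, groups them by actor, and separates actors the analyst already recognises as built-in Windows tools from ones that should be reviewed first. The sample log is a constructed copy of the six entries above, and the `known_tools` list is an assumption for this example, not a product default.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: the six console entries quoted in this article, in the
# same "Access to process restricted" format (timestamps and paths as on the page).
SAMPLE_LOG = r"""
8/3/2025 3:20:43 AM +03:00    Access to process restricted: Open process/thread handle Actor: C:\Windows\System32\conhost.exe Target: C:\Program Files\Broadcom\Endpoint Security Agent\Definitions\WebExtConnectorDefs\20250519.001\webextbridge.exe
8/3/2025 3:20:55 AM +03:00    Access to process restricted: Open process/thread handle Actor: C:\Windows\System32\Taskmgr.exe Target: C:\Program Files\Broadcom\Endpoint Security Agent\2.5.0.186\bin64\ccSvcHst.exe
8/3/2025 3:20:57 AM +03:00    Access to process restricted: Open process/thread handle Actor: C:\Windows\System32\Taskmgr.exe Target: C:\Program Files\Broadcom\Endpoint Security Agent\2.5.0.186\bin64\main_ui.exe
8/3/2025 3:20:57 AM +03:00    Access to process restricted: Open process/thread handle Actor: C:\Windows\System32\Taskmgr.exe Target: C:\Program Files\Broadcom\Endpoint Security Agent\Definitions\WebExtConnectorDefs\20250519.001\webextbridge.exe
8/3/2025 3:20:59 AM +03:00    Access to process restricted: Open process/thread handle Actor: C:\Windows\System32\Taskmgr.exe Target: C:\Program Files\Broadcom\Endpoint Security Agent\Definitions\SepServiceTdadDefs\20250425.002\SETDADCollector.exe
8/3/2025 3:21:00 AM +03:00    Access to process restricted: Open process/thread handle Actor: C:\Windows\System32\Taskmgr.exe Target: C:\Program Files\Broadcom\Endpoint Security Agent\Definitions\SeaBladeAppDiscoveryDefs\20250519.001\ADScan.exe
"""

# One console line: timestamp, the event text, then "Actor: <path> Target: <path>".
# The actor is matched lazily so the first " Target: " terminates it; target paths
# contain spaces ("Program Files"), so the target runs to the end of the line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M [+-]\d{2}:\d{2})\s+"
    r"Access to process restricted: (?P<action>.+?) "
    r"Actor: (?P<actor>.+?) Target: (?P<target>.+?)\s*$"
)


def parse_line(line):
    """Return a dict for one event line, or None if the line is not an event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # Executable names are what an analyst compares against Allow List entries.
    ev["actor_exe"] = ntpath.basename(ev["actor"])
    ev["target_exe"] = ntpath.basename(ev["target"])
    return ev


def parse_log(text):
    """Parse every event line in a block of console text, skipping non-events."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def summarize(events):
    """Group events by actor: how often it fired and which agent binaries it touched.
    Actors are ordered by event count, noisiest first."""
    by_actor = defaultdict(lambda: {"count": 0, "targets": set()})
    for ev in events:
        entry = by_actor[ev["actor"]]
        entry["count"] += 1
        entry["targets"].add(ev["target_exe"])
    return {
        actor: {"count": e["count"], "targets": sorted(e["targets"], key=str.lower)}
        for actor, e in sorted(by_actor.items(), key=lambda kv: -kv[1]["count"])
    }


def triage(summary, known_tools=("Taskmgr.exe", "conhost.exe")):
    """Split actors into built-in Windows tools the analyst already recognises
    (candidates for an Allow List exception) and actors to examine first.
    `known_tools` is a constructed list for this example, not a product default."""
    recognised, review = {}, {}
    for actor, e in summary.items():
        (recognised if ntpath.basename(actor) in known_tools else review)[actor] = e
    return recognised, review


if __name__ == "__main__":
    recognised, review = triage(summarize(parse_log(SAMPLE_LOG)))
    for label, group in (("Known Windows tools", recognised), ("Review first", review)):
        print(f"== {label} ==")
        for actor, e in group.items():
            print(f"{e['count']:3d}  {actor}  ->  {', '.join(e['targets'])}")
```

Run it against an export of the console view and the "Review first" group is what to look at before deciding on exceptions; anything that reaches a definitions executable from a path outside the usual Windows or agent locations deserves a closer look rather than an Allow List entry.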

Additional Information

When an external process attempts to get a handle to a Symantec process or thread (e.g., via OpenProcess or OpenThread), Tamper Protection intercepts the request and removes high-risk access rights. This prevents actions such as:

• Terminating the process or thread.
• Suspending or resuming threads.
• Reading or writing to the process's memory (a technique used for code injection).
• Creating new threads within the process.
• Modifying the process's security permissions.

By stripping these rights, Tamper Protection neutralizes a wide range of advanced attack vectors used to disable security software, including process hollowing.
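The rights-stripping behaviour above also explains why the events are noisy: the event is driven by the access mask a caller asks for, not by whether the caller is malicious, so a built-in tool that requests a broad mask triggers a record even though it keeps working with the reduced handle. The Python model below is an added example, not Symantec's implementation: the access-right bit values are the real Windows constants from winnt.h, but which bits count as "high risk" is an assumption mapped from the bullet list above, and the request masks in the scenarios are constructed for illustration, not measured from any tool.

```python
# Windows process access-right bits (winnt.h). The values are real; the
# "high risk" policy below is a model built from this article's bullet list,
# not Symantec's actual implementation.
PROCESS_TERMINATE                 = 0x0001
PROCESS_CREATE_THREAD             = 0x0002
PROCESS_VM_OPERATION              = 0x0008
PROCESS_VM_READ                   = 0x0010
PROCESS_VM_WRITE                  = 0x0020
PROCESS_DUP_HANDLE                = 0x0040
PROCESS_SET_INFORMATION           = 0x0200
PROCESS_QUERY_INFORMATION         = 0x0400
PROCESS_SUSPEND_RESUME            = 0x0800
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
WRITE_DAC                         = 0x00040000
WRITE_OWNER                       = 0x00080000
SYNCHRONIZE                       = 0x00100000
PROCESS_ALL_ACCESS                = 0x001FFFFF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF

NAMES = {
    PROCESS_TERMINATE: "PROCESS_TERMINATE",
    PROCESS_CREATE_THREAD: "PROCESS_CREATE_THREAD",
    PROCESS_VM_OPERATION: "PROCESS_VM_OPERATION",
    PROCESS_VM_READ: "PROCESS_VM_READ",
    PROCESS_VM_WRITE: "PROCESS_VM_WRITE",
    PROCESS_DUP_HANDLE: "PROCESS_DUP_HANDLE",
    PROCESS_SET_INFORMATION: "PROCESS_SET_INFORMATION",
    PROCESS_QUERY_INFORMATION: "PROCESS_QUERY_INFORMATION",
    PROCESS_SUSPEND_RESUME: "PROCESS_SUSPEND_RESUME",
    PROCESS_QUERY_LIMITED_INFORMATION: "PROCESS_QUERY_LIMITED_INFORMATION",
    WRITE_DAC: "WRITE_DAC",
    WRITE_OWNER: "WRITE_OWNER",
    SYNCHRONIZE: "SYNCHRONIZE",
}

# Assumed mapping from the article's bullets to the rights that enable them.
HIGH_RISK = {
    PROCESS_TERMINATE: "terminate the process",
    PROCESS_SUSPEND_RESUME: "suspend or resume threads",
    PROCESS_VM_READ: "read process memory",
    PROCESS_VM_WRITE: "write process memory",
    PROCESS_VM_OPERATION: "change memory protections or allocate (injection)",
    PROCESS_CREATE_THREAD: "create new threads in the process",
    WRITE_DAC: "modify the process's security descriptor",
    WRITE_OWNER: "take ownership of the process object",
}
HIGH_RISK_MASK = 0
for _bit in HIGH_RISK:
    HIGH_RISK_MASK |= _bit


def describe(mask):
    """Names of the known rights set in an access mask, lowest bit first."""
    return [NAMES[b] for b in sorted(NAMES) if mask & b]


def evaluate_open_process(requested, log=True):
    """Model of the handle-open interception: the caller still gets a handle,
    but with the high-risk bits cleared. An event is recorded only when at
    least one high-risk bit was requested and logging is enabled (the article's
    "Block and do not log" setting corresponds to log=False)."""
    stripped = requested & HIGH_RISK_MASK
    granted = requested & ~HIGH_RISK_MASK
    return {
        "granted": granted,
        "stripped": stripped,
        "logged": log and stripped != 0,
        "stripped_rights": [why for bit, why in HIGH_RISK.items() if stripped & bit],
    }


if __name__ == "__main__":
    # Constructed request masks: a minimal query, a query plus memory read, and everything.
    scenarios = {
        "limited query": PROCESS_QUERY_LIMITED_INFORMATION,
        "query + VM read": PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
        "all access": PROCESS_ALL_ACCESS,
    }
    for label, mask in scenarios.items():
        r = evaluate_open_process(mask)
        print(f"{label}: logged={r['logged']} granted={describe(r['granted'])}")
        for why in r["stripped_rights"]:
            print(f"    stripped: {why}")
```

In the model the "limited query" request produces no event, while a request that includes any memory or control right is recorded even though the query part is still granted. That is the behaviour the article describes for SEP 16: broader interception than SEP 14, with the log volume rather than the blocking being what the exception or "Block and do not log" setting tunes.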
1. Enhanced File and Registry Protection

Control over protected assets is now more granular and powerful.

• File Protection:
  • Protects both individual files and entire folders, with support for wildcards.
  • Blocks not only modification and deletion but also specific file operations, such as opening a file with exclusive access or applying a file lock.
  • Handles pending file renames (delete on reboot) to ensure files cannot be marked for deletion after a restart.
• Registry Protection:
  • Protects both registry keys and specific values within those keys.
  • Blocks the unauthorized creation of protected keys.
  • Monitors and blocks destructive events on protected keys and values, preventing unauthorized changes.

2. Secure Process Launch Chain

To further combat process hollowing and other sophisticated injection techniques, Tamper Protection now enforces a secure launch chain. A Symantec process is only considered authorized if it is launched by a trusted entity, such as:

• A core Windows operating system process (e.g., services.exe).
• Another Symantec process that has already passed the advanced authorization checks.

This strategy ensures that even if an attacker finds a way to start a Symantec executable, it will not be granted authorized status if it was initiated by an untrusted process, rendering it inert.