Solved

WinXP SAVC 10.1.7.7000 Disable Tamper Protection service

Posted on 2009-04-10
7
1,460 Views
Last Modified: 2013-12-09
Hi There,

I need to find out which services and executables are running for Tamper Protection in SAVC 10.1.7.7000.  

I need to run some tests to determine if Tamper Protection is involved with the disabling of the Auto-Protect feature of SAV.  I do not have admin access to the Symantec installations, and therefore cannot 'uncheck' the Tamper Protection box in the GUI (nor can I even see the Configuration screen when logged in as a local user).  But in order to troubleshoot the problem further, I need to be able to confirm if Tamper Protection is involved or not.

Does anyone know the services and .exe's involved specifically with Tamper Protection?

THANKS!
Question by:ShuttleDIK
7 Comments
 
LVL 5

Expert Comment

by:ping_it
ID: 24118861
The tamper protection service is SPBBCSvc.exe.

If I remember well, there is also a 1 to change to 0 in the registry, and even if you are not the Admin you can disable Tamper Protection and change anything you want in the registry.

I think it is something like ... symprotect...
 
LVL 5

Expert Comment

by:ping_it
ID: 24118915
Of course the tamper protection service cannot be stopped so easily... otherwise viruses could tamper easily by disabling the service first.

The service can remain started but tamper protection can be disabled - no problems.

It would be nice to have two GRC.DAT files: one with the settings of all the clients having tamper protection enabled and one with tamper protection disabled. You can check the differences and find the registry key you can disable.
 

Author Comment

by:ShuttleDIK
ID: 24129787
Thanks for the response!  Sorry if I'm too much of a Noob on SAV settings, but I'm certainly getting my feet wet on this task.  I appreciate the opportunity to learn.

I'm finding a plethora of registry listings with "Symprotect" in them and I don't want to indiscriminately start shooting those down. The snippet has the section of the GRC.DAT file that seems to pertain to SymProtect.  So would I apply any change to this file and then the results would appear in the registry, or do I have to research which specific registry keys are being called and manually change all those in regedit?

Thanks!  

-Dik
!KEY!=$REGROOT$\Storages\SymProtect
!KEY!=$REGROOT$\Storages\SymProtect\RealTimeScan
NotifyEventA=D45
MessageText=SSYMANTEC TAMPER PROTECTION ALERT\n\nTarget:  ~Q\nEvent Info:  ~H ~J\nAction Taken:  ~G\nActor Process:  ~M (PID ~K)\nTime:  ~T
LogInfectionText=SSYMANTEC TAMPER PROTECTION ALERT\n\nTarget:  ~Q\nEvent Info:  ~H ~J\nAction Taken:  ~G\nActor Process:  ~M (PID ~K)\nTime:  ~T
!Disabled=D1
ProtectionProcess=D1
ProtectionNamedObject=D1
ProtectStandalone=D0


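An added example, not code from this thread or from Symantec, that does what ping_it suggests above and answers the practical half of the question: parse two GRC.DAT-style files, list the values that differ, and render values as reg.exe commands so a changed value can be put back after a test. The format rules (a `!KEY!` line selects the registry key, `$REGROOT$` stands for the product's registry root, a leading `D` or `S` on the data marks a DWORD or string) are inferred from the snippet posted above, not taken from any Symantec documentation; the second configuration is constructed for illustration, and the value changed in it is not a claim about which setting actually controls tamper protection.

```python
"""Parse GRC.DAT-style Symantec client settings and diff two versions.

Added example, not code from the thread or from Symantec. The format rules
below are inferred from the snippet posted in the thread:
  * `!KEY!=<path>` selects the registry key that following lines belong to;
    `$REGROOT$` stands for the product's registry root (left as-is unless a
    real root is passed in).
  * `Name=<T><data>` sets a value under the current key. The first character
    of the data is a type tag: `D` for a DWORD (assumed decimal here), `S`
    for a string. Other tags are kept as opaque raw data.
  * A leading `!` on a value name is preserved verbatim; its meaning is not
    inferred.
"""

from typing import Dict, List, Optional, Tuple

Value = Tuple[str, object]            # (kind, decoded data)
Config = Dict[str, Dict[str, Value]]  # key path -> {value name: Value}

# Constructed sample: the SymProtect section from the thread (message text
# shortened), and a second copy in which one value has been changed purely to
# show what the diff reports. This is NOT a claim that ProtectionProcess is
# the switch that controls tamper protection.
GRC_A = r"""
!KEY!=$REGROOT$\Storages\SymProtect
!KEY!=$REGROOT$\Storages\SymProtect\RealTimeScan
NotifyEventA=D45
MessageText=SSYMANTEC TAMPER PROTECTION ALERT\n\nTarget:  ~Q\nActor Process:  ~M (PID ~K)
!Disabled=D1
ProtectionProcess=D1
ProtectionNamedObject=D1
ProtectStandalone=D0
"""

GRC_B = GRC_A.replace("ProtectionProcess=D1", "ProtectionProcess=D0")


def decode_value(data: str) -> Value:
    """Split the type tag from the payload; unknown tags stay raw."""
    tag, body = data[:1], data[1:]
    if tag == "D":
        return ("DWORD", int(body))
    if tag == "S":
        return ("STRING", body)
    return ("RAW", data)


def parse_grc(text: str, regroot: str = "$REGROOT$") -> Config:
    """Parse GRC.DAT text into {key path: {value name: (kind, data)}}."""
    config: Config = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, sep, data = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        if name == "!KEY!":
            current = data.replace("$REGROOT$", regroot)
            config.setdefault(current, {})   # a key may carry no values
            continue
        if current is None:
            raise ValueError(f"value before any !KEY! line: {raw!r}")
        config[current][name] = decode_value(data)
    return config


def diff_grc(a: Config, b: Config) -> List[Tuple[str, str, Optional[Value], Optional[Value]]]:
    """List (key, name, old, new) for every value that differs; None = absent."""
    changes = []
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key, {}), b.get(key, {})
        for name in sorted(set(va) | set(vb)):
            if va.get(name) != vb.get(name):
                changes.append((key, name, va.get(name), vb.get(name)))
    return changes


REG_TYPES = {"DWORD": "REG_DWORD", "STRING": "REG_SZ"}


def reg_add_commands(config: Config) -> List[str]:
    """Render parsed values as reg.exe commands, e.g. to put a value back
    after a test. Raw/unknown tags are skipped; string data containing
    double quotes would need escaping that is not handled here."""
    cmds = []
    for key, values in config.items():
        for name, (kind, data) in values.items():
            if kind not in REG_TYPES:
                continue
            payload = str(data) if kind == "DWORD" else f'"{data}"'
            cmds.append(f'reg add "{key}" /v "{name}" /t {REG_TYPES[kind]} /d {payload} /f')
    return cmds


if __name__ == "__main__":
    for key, name, old, new in diff_grc(parse_grc(GRC_A), parse_grc(GRC_B)):
        print(f"{key}\\{name}: {old} -> {new}")
    # Commands that would restore the original values of the parsed keys:
    for cmd in reg_add_commands(parse_grc(GRC_A)):
        print(cmd)
```

Run against two real GRC.DAT files taken from a client with tamper protection on and one with it off, `diff_grc` narrows the search to the handful of values that actually changed instead of every key containing "SymProtect", and `reg_add_commands` gives you the exact `reg add` lines to restore the original values afterwards, which is the precaution ping_it stresses. Pass the product's real registry root as `regroot` if you want hive paths rather than the `$REGROOT$` placeholder.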
 
LVL 5

Accepted Solution

by: ping_it (earned 250 total points)
ID: 24130040
If it's on a machine - not a server - you don't risk anything by changing those values; the important thing is that you change them back to the value they had if they do not work.

I do not have the possibility to try this, and I don't remember what needs to be changed, and I don't want any responsibility.

I suggest you call Symantec Tech Support and ask them this. I also suggest you don't tell the GCSS (the people who pick up the phone) what you want. Just say that you would like to disable tamper protection; don't give many details, otherwise if they find it difficult they won't take the "case" fast :) So they think it's easy, and then you'll ask the difficult question.

Another thing... please tell them to LOOK in their INTERNAL KBs, because they DO have that information. They are the same registry keys as the older SAV 10.1.x versions.

Best Regards

 

Author Closing Comment

by:ShuttleDIK
ID: 31569039
I hear ya, ping.  I greatly appreciate your support.

And just for your assurance, I'm not trying to disable SAVC for surreptitious purposes.  I'm not even trying to disable SAVC.  I'm trying to research for the people managing our SAVC on how or why our local users are getting SAVC disabled while the local Admins aren't.

Aaaah office politics.
 
LVL 5

Expert Comment

by:ping_it
ID: 24130495
Why it gets disabled... there is a debug function in SAV that you enable in the registry.

It creates a LOT of data and for sure everything is written there. Anyway, you should know "when" it happens, and then you can enable the log. It's called VPdebug... in the registry you have to put the value "ALL", and delete the "ALL" to stop the debug.

Anyway, tech support... is not so good, but if you find the right words they can try to help you.

You can say "oohhh, please help me... I can lose my job, a lot of pressure"... if you act with please, please you have a much better chance than somebody angry.

And I suggest you call from 9AM to 16:00 GMT+1 - if possible, ask to be transferred to an Engineer in Warsaw :) I cannot say more.

If you get it resolved, please let me know. I am curious to know.

Best Regards
 

Author Comment

by:ShuttleDIK
ID: 24216178
Hi,  I've got a bit of follow up.

I haven't yet started the debug process, though I will today.  

But I've found that if I put Domain Users in the local Power Users group, then Auto-Protect stays enabled - even after I switch Domain Users back to the regular local Users group.  That is, until whatever process is disabling it recurs - which is about once every one or two days.  Again, I'll start debugging a couple of machines to see what is triggering it exactly (hopefully).

Thanks again!  The registry info was very helpful.
