ShuttleDIK asked:

WinXP SAVC 10.1.7.7000 Disable Tamper Protection service

Hi There,

I need to find out which services and executables are running for Tamper Protection in SAVC 10.1.7.7000.  

I need to run some tests to determine if Tamper Protection is involved with the disabling of the Auto-Protect feature of SAV.  I do not have admin access to the Symantec installations, and therefore cannot 'uncheck' the Tamper Protection box in the GUI (nor can I even see the Configuration screen when logged in as a local user).  But in order to troubleshoot the problem further, I need to be able to confirm if Tamper Protection is involved or not.

Does anyone know the services and .exe's involved specifically with Tamper Protection?

THANKS!
ping_it:

The tamper protection service is SPBBCSvc.exe.

If I remember well, there is also a 1 to change to 0 in the registry, and even if you are not the Admin you can disable Tamper Protection and change everything you want in the registry.

I think it is something like ... symprotect...
Of course the tamper protection service cannot be stopped so easily.... otherwise viruses could easily tamper with it by disabling the service first.

The service can remain started but tamper protection can be disabled, no problem.

It would be nice to have two GRC.DAT files: one with the settings of the clients having tamper protection enabled and one with tamper protection disabled. You can check the differences and find the registry key you can disable.
ShuttleDIK (asker):
Thanks for the response!  Sorry if I'm too much of a Noob on SAV settings, but I'm certainly getting my feet wet on this task.  I appreciate the opportunity to learn.

I'm finding a plethora of registry listings with "Symprotect" in them and I don't want to indiscriminately start shooting those down. The snippet has the section of the GRC.DAT file that seems to pertain to SymProtect. So would I apply any change to this file and then the results would appear in the registry, or do I have to research which specific registry keys are being called and manually change all those in regedit?

Thanks!  

-Dik
!KEY!=$REGROOT$\Storages\SymProtect
!KEY!=$REGROOT$\Storages\SymProtect\RealTimeScan
NotifyEventA=D45
MessageText=SSYMANTEC TAMPER PROTECTION ALERT\n\nTarget:  ~Q\nEvent Info:  ~H ~J\nAction Taken:  ~G\nActor Process:  ~M (PID ~K)\nTime:  ~T
LogInfectionText=SSYMANTEC TAMPER PROTECTION ALERT\n\nTarget:  ~Q\nEvent Info:  ~H ~J\nAction Taken:  ~G\nActor Process:  ~M (PID ~K)\nTime:  ~T
!Disabled=D1
ProtectionProcess=D1
ProtectionNamedObject=D1
ProtectStandalone=D0

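ping_it's suggestion above of comparing two GRC.DAT files, together with the GRC.DAT section the asker posted, can be turned into a small audit tool. The following is an added example written for this page, not code from Experts Exchange, from either poster, or from Symantec. It parses two exports in the layout the snippet shows (a "!KEY!=" line opens a section, and "Name=Dnnn" or "Name=S..." value lines follow it) and lists every value that differs, so an administrator can see where a client's configuration diverges from a known-good reference before touching the registry. The two sample texts are constructed for the example; the type-code convention (D for a DWORD, S for a string) is read off the snippet, and everything else about the file format is an assumption. The example does not say which value governs Tamper Protection, because the thread does not establish that.

```python
"""Parse two GRC.DAT-style exports and report the settings that differ.

Added example for the thread above; not code from Experts Exchange or
Symantec. Assumed layout (taken from the posted snippet): a
'!KEY!=<registry path>' line opens a section, and each following
'Name=<T><data>' line sets a value under it, where the first character
after '=' is a type code ('D' = DWORD, 'S' = string). Other type codes
are passed through unchanged (assumption).
"""
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, str]                   # (type code, raw data)
Settings = Dict[Tuple[str, str], Entry]   # (section, name) -> entry
Difference = Tuple[str, str, Optional[Entry], Optional[Entry]]

# Constructed sample inputs modelled on the thread's snippet. REFERENCE
# stands in for a client whose settings are known-good, CLIENT for one
# under investigation. The values are test data only.
GRC_REFERENCE = r"""
!KEY!=$REGROOT$\Storages\SymProtect
!KEY!=$REGROOT$\Storages\SymProtect\RealTimeScan
NotifyEventA=D45
MessageText=SSYMANTEC TAMPER PROTECTION ALERT\n\nTarget:  ~Q
!Disabled=D1
ProtectionProcess=D1
ProtectionNamedObject=D1
ProtectStandalone=D0
"""

GRC_CLIENT = r"""
!KEY!=$REGROOT$\Storages\SymProtect
!KEY!=$REGROOT$\Storages\SymProtect\RealTimeScan
NotifyEventA=D45
MessageText=SSYMANTEC TAMPER PROTECTION ALERT\n\nTarget:  ~Q
!Disabled=D0
ProtectionProcess=D1
ProtectionNamedObject=D1
ProtectStandalone=D0
ExtraSetting=D7
"""


def parse_grc(text: str) -> Settings:
    """Return {(section, name): (type_code, data)} for every value line."""
    settings: Settings = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!KEY!="):
            section = line[len("!KEY!="):]   # new section: the registry path
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue                          # not a name=value line; ignore
        # First character after '=' is the type code, the rest is the data.
        settings[(section, name)] = (value[:1], value[1:])
    return settings


def decode(entry: Entry):
    """Turn (type_code, data) into a Python value: int for 'D', str otherwise."""
    type_code, data = entry
    return int(data) if type_code == "D" else data


def diff_grc(reference: Settings, client: Settings) -> List[Difference]:
    """List (section, name, reference_entry, client_entry) for every value
    that is missing on one side or whose type/data differs."""
    diffs: List[Difference] = []
    for key in sorted(set(reference) | set(client)):
        ref, cli = reference.get(key), client.get(key)
        if ref != cli:
            diffs.append((key[0], key[1], ref, cli))
    return diffs


def _show(entry: Optional[Entry]) -> str:
    return "<missing>" if entry is None else f"{entry[0]}{entry[1]}"


def report(diffs: List[Difference]) -> List[str]:
    """Render one human-readable line per difference."""
    return [f"{section}\\{name}: reference={_show(ref)} client={_show(cli)}"
            for section, name, ref, cli in diffs]


if __name__ == "__main__":
    for line in report(diff_grc(parse_grc(GRC_REFERENCE), parse_grc(GRC_CLIENT))):
        print(line)
```

Run it on two real exports by reading each file into a string and passing the strings to parse_grc. The report is read-only: it tells you which section and value name to look at, and leaves any change to whoever administers the clients.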

ASKER CERTIFIED SOLUTION
ping_it
(solution text only available to Experts Exchange members)

ShuttleDIK:

I hear ya, ping. I greatly appreciate your support.

And just for your assurance, I'm not trying to disable SAVC for surreptitious purposes.  I'm not even trying to disable SAVC.  I'm trying to research for the people managing our SAVC on how or why our local users are getting SAVC disabled while the local Admins aren't.

Aaaah office politics.

ping_it:

Why it gets disabled... there is the debug function in SAV to enable in the registry.

It creates a LOT of data, and for sure everything is written there. Anyway, you should know "when" it happens, and then you can enable the log. It's called VPdebug... in the registry you have to put the value "ALL", and delete the "ALL" to stop the debug.

Anyway, tech support... it's not so good, but if you find the right words they can try to help you.

You can say "oohhh, please help me... I can lose my job, a lot of pressure"... if you ask with "please, please" you have many more possibilities than somebody angry.

And I suggest you call from 9AM to 16:00 GMT+1; if it is possible, ask to be transferred to some Engineer in Warsaw :) Cannot say more.

If you get it resolved, please let me know. I am curious to know.

Best Regards

ShuttleDIK:

Hi, I've got a bit of follow up.

I haven't yet started the debug process, though I will today.  

But I've found that if I put Domain Users in the Local Power Users group, then Auto-Protect stays enabled, even after I switch Domain Users back to the regular Local Users group. That is, until whatever process is disabling it recurs, which is about once every one or two days. Again, I'll start debugging a couple of machines to see what is triggering it exactly (hopefully).

Thanks again!  The registry info was very helpful.