

WinXP SAVC Disable Tamper Protection service

Posted on 2009-04-10
Medium Priority
Last Modified: 2013-12-09
Hi There,

I need to find out which services and executables are running for Tamper Protection in SAVC.

I need to run some tests to determine if Tamper Protection is involved with the disabling of the Auto-Protect feature of SAV.  I do not have admin access to the Symantec installations, and therefore cannot 'uncheck' the Tamper Protection box in the GUI (nor can I even see the Configuration screen when logged in as a local user).  But in order to troubleshoot the problem further, I need to be able to confirm if Tamper Protection is involved or not.

Does anyone know the services and .exe's involved specifically with Tamper Protection?

Question by:ShuttleDIK

Expert Comment

ID: 24118861
The tamper protection service is SPBBCSvc.exe.

If I remember well, there is also a 1 to change to 0 in the registry, and even if you are not the Admin you can disable Tamper Protection, as you can change everything you want in the registry.

I think it is something like ... symprotect...

Expert Comment

ID: 24118915
Of course the tamper protection service cannot be stopped so easily... otherwise viruses can tamper easily by disabling the service first.

The service can remain started but tamper protection can be disabled - no problems.

It would be nice to have 2 GRC.DAT files: one with the settings of all the clients having the tamper protection enabled and one with the tamper protection disabled. You can check the differences and you find the registry key you can disable.

Author Comment

ID: 24129787
Thanks for the response!  Sorry if I'm too much of a Noob on SAV settings, but I'm certainly getting my feet wet on this task.  I appreciate the opportunity to learn.

I'm finding a plethora of registry listings with "Symprotect" in them and I don't want to indiscriminately start shooting those down. The snippet has the section of the GRC.DAT file that seems to pertain to SymProtect. So would I apply any change to this file and then the results would appear in the registry, or do I have to research which specific registry keys are being called and manually change all those in regedit?


MessageText=SSYMANTEC TAMPER PROTECTION ALERT\n\nTarget:  ~Q\nEvent Info:  ~H ~J\nAction Taken:  ~G\nActor Process:  ~M (PID ~K)\nTime:  ~T
LogInfectionText=SSYMANTEC TAMPER PROTECTION ALERT\n\nTarget:  ~Q\nEvent Info:  ~H ~J\nAction Taken:  ~G\nActor Process:  ~M (PID ~K)\nTime:  ~T



Accepted Solution

ping_it earned 750 total points
ID: 24130040
If it's on a machine - not server, you don't risk anything about changing those values, the important thing is that you change back to the value they had, if they do not work.

I do not have the possibility to try this, and I don't remember what needs to be changed, and I don't want any responsibilities.

I suggest you call Symantec Tech support and ask them this. I also suggest you not tell the GCSS (the people who pick up the phone) what you want. Please say that you would just like to disable the tamper protection; don't give many details, otherwise if they find it difficult, they don't take the "case" fast :) So they think it's easy and then you'll ask the difficult question.

Another thing... please tell them to LOOK in their INTERNAL KBs, because they DO have that information. They are the same registry keys as in the older SAV 10.1.X versions.

Best Regards


Author Closing Comment

ID: 31569039
I hear ya, ping.  I greatly appreciate your support.

And just for your assurance, I'm not trying to disable SAVC for surreptitious purposes.  I'm not even trying to disable SAVC.  I'm trying to research for the people managing our SAVC on how or why our local users are getting SAVC disabled while the local Admins aren't.

Aaaah office politics.

Expert Comment

ID: 24130495
Why it gets disabled.... there is the debug function in SAV to enable in the registry.

It creates a LOT of data and for sure there is everything written there. Anyway you should know "when" it happens, and then you can enable the log there. It's called VPdebug... in the registry you have to put the value "ALL" and delete the "ALL" to stop the debug.

Anyway tech support... it's not so good,  but if you find the right words they can try to help you.

You can say "oohhh, please help me... I can lose my job, a lot of pressure" ... if you act with please please you have much more possibilities than somebody angry.

And I suggest you call from 9AM to 16:00 GMT+1. If it is possible, ask to be transferred to some Engineer in Warsaw :) Cannot say more.

If you get it resolved, please let me know. I am curious to know.

Best Regards

Author Comment

ID: 24216178
Hi,  I've got a bit of follow up.

I haven't yet started the debug process, though I will today.  

But I've found that if I put Domain Users in the Local Power Users group, then the Auto-Protect stays enabled - even after I switch Domain Users back to the regular Local Users group. That is, until whatever process is disabling it reoccurs - which is about once every one or two days. Again, I'll start debugging a couple of machines to see what is triggering it exactly (hopefully).

Thanks again!  The registry info was very helpful.
