• Status: Solved
  • Priority: Medium
  • Security: Public

WinXP SAVC Disable Tamper Protection service

Hi There,

I need to find out which services and executables are running for Tamper Protection in SAVC.

I need to run some tests to determine if Tamper Protection is involved with the disabling of the Auto-Protect feature of SAV.  I do not have admin access to the Symantec installations, and therefore cannot 'uncheck' the Tamper Protection box in the GUI (nor can I even see the Configuration screen when logged in as a local user).  But in order to troubleshoot the problem further, I need to be able to confirm if Tamper Protection is involved or not.

Does anyone know the services and .exe's involved specifically with Tamper Protection?

1 Solution
The tamper protection service is SPBBCSvc.exe.

If I remember correctly, there is also a 1 to change to 0 in the registry, and even if you are not the Admin you can disable Tamper Protection, as you can change everything you want in the registry.

I think it is something like ... symprotect...
Of course the tamper protection service cannot be stopped so easily... otherwise viruses could easily tamper by disabling the service first.

The service can remain started but tamper protection can be disabled - no problems.

It would be nice to have 2 GRC.DAT files: one with the settings of all the clients having tamper protection enabled and one with tamper protection disabled. You can check the differences and you will find the registry key you can disable.

ShuttleDIK (Author) Commented:
Thanks for the response!  Sorry if I'm too much of a Noob on SAV settings, but I'm certainly getting my feet wet on this task.  I appreciate the opportunity to learn.

I'm finding a plethora of registry listings with "Symprotect" in them and I don't want to indiscriminately start shooting those down. The snippet has the section of the GRC.DAT file that seems to pertain to SymProtect.  So would I apply any change to this file and then the results would appear in the registry, or do I have to research which specific registry keys are being called & manually change all those in regedit?


MessageText=SSYMANTEC TAMPER PROTECTION ALERT\n\nTarget:  ~Q\nEvent Info:  ~H ~J\nAction Taken:  ~G\nActor Process:  ~M (PID ~K)\nTime:  ~T
LogInfectionText=SSYMANTEC TAMPER PROTECTION ALERT\n\nTarget:  ~Q\nEvent Info:  ~H ~J\nAction Taken:  ~G\nActor Process:  ~M (PID ~K)\nTime:  ~T

If it's on a machine - not server, you don't risk anything about changing those values, the important thing is that you change back to the value they had, if they do not work.

I do not have the possibility to try this, and I don't remember what needs to be changed, and I don't want any responsibilities.

I suggest you call Symantec Tech support and ask them this. I also suggest you do not tell the GCSS (the people who pick up the phone) what you want. Please say that you would just like to disable the tamper protection; don't give many details, otherwise if they find it difficult, they don't take the "case" fast :) So they think it's easy and then you'll ask the difficult question.

Another thing... please tell them to LOOK in their INTERNAL KBs, because they DO have that information. They are the same registry keys as the older SAV 10.1.X versions.

Best Regards

ShuttleDIK (Author) Commented:
I hear ya, ping.  I greatly appreciate your support.

And just for your assurance, I'm not trying to disable SAVC for surreptitious purposes.  I'm not even trying to disable SAVC.  I'm trying to research for the people managing our SAVC on how or why our local users are getting SAVC disabled while the local Admins aren't.

Aaaah office politics.
Why it gets disabled.... there is the debug function in SAV to enable in the registry.

It creates a LOT of data and for sure there is everything written there. Anyway you should know "when" it happens, and then you can enable the log there. It's called VPdebug... in the registry you have to put the value "ALL" and delete the "ALL" to stop the debug.

Anyway tech support... it's not so good,  but if you find the right words they can try to help you.

You can say "oohhh, please help me... I can lose my job, a lot of pressure" ... if you act with please please you have much more possibilities than somebody angry.

And I suggest you call from 9AM to 16:00 GMT+1 - if it is possible, ask to be transferred to some Engineer in Warsaw :) Cannot say more.

If you get it resolved, please let me know. I am curious to know.

Best Regards

ShuttleDIK (Author) Commented:
Hi,  I've got a bit of follow up.

I haven't yet started the debug process, though I will today.  

But I've found that if I put Domain Users in the Local Power Users group, then the Auto-Protect stays enabled - even after I switch Domain Users back to the regular Local Users group.  That is, until whatever process is disabling it reoccurs - which is about once every one or two days.  Again, I'll start debugging a couple machines to see what is triggering it exactly (hopefully).

Thanks again!  The registry info was very helpful.