Solved

WinXP SAVC 10.1.7.7000 Disable Tamper Protection service

Posted on 2009-04-10
Last Modified: 2013-12-09
Hi There,

I need to find out which services and executables are running for Tamper Protection in SAVC 10.1.7.7000.  

I need to run some tests to determine if Tamper Protection is involved with the disabling of the Auto-Protect feature of SAV.  I do not have admin access to the Symantec installations, and therefore cannot 'uncheck' the Tamper Protection box in the GUI (nor can I even see the Configuration screen when logged in as a local user).  But in order to troubleshoot the problem further, I need to be able to confirm if Tamper Protection is involved or not.

Does anyone know the services and .exe's involved specifically with Tamper Protection?

THANKS!
Question by:ShuttleDIK
Expert Comment

by:ping_it
ID: 24118861
The tamper protection service is SPBBCSvc.exe.

If I remember well, there is also a 1 to change to 0 in the registry, and even if you are not the Admin you can disable Tamper Protection and change everything you want in the registry.

I think it is something like ... symprotect...
Expert Comment

by:ping_it
ID: 24118915
Of course the tamper protection service cannot be stopped so easily... otherwise viruses could tamper easily by disabling the service first.

The service can remain started but tamper protection can be disabled - no problems.

It would be nice to have 2 GRC.DAT files -- one with the settings of all the clients having tamper protection enabled and 1 with tamper protection disabled -- you can check the differences and you find the registry key you can disable.
Author Comment

by:ShuttleDIK
ID: 24129787
Thanks for the response!  Sorry if I'm too much of a Noob on SAV settings, but I'm certainly getting my feet wet on this task.  I appreciate the opportunity to learn.

I'm finding a plethora of registry listings with "Symprotect" in them and I don't want to indiscriminately start shooting those down. The snippet has the section of the GRC.DAT file that seems to pertain to SymProtect. So would I apply any change to this file and then the results would appear in the registry, or do I have to research which specific registry keys are being called & manually change all those in regedit?

Thanks!  

-Dik

!KEY!=$REGROOT$\Storages\SymProtect
!KEY!=$REGROOT$\Storages\SymProtect\RealTimeScan
NotifyEventA=D45
MessageText=SSYMANTEC TAMPER PROTECTION ALERT\n\nTarget:  ~Q\nEvent Info:  ~H ~J\nAction Taken:  ~G\nActor Process:  ~M (PID ~K)\nTime:  ~T
LogInfectionText=SSYMANTEC TAMPER PROTECTION ALERT\n\nTarget:  ~Q\nEvent Info:  ~H ~J\nAction Taken:  ~G\nActor Process:  ~M (PID ~K)\nTime:  ~T
!Disabled=D1
ProtectionProcess=D1
ProtectionNamedObject=D1
ProtectStandalone=D0
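As an added example (not code from the post or from Symantec), a small Python parser for GRC.DAT fragments in the format quoted above, plus a diff that compares a baseline export against a client's copy so an administrator can see which SymProtect settings differ between the two, as suggested earlier in the thread. The reading of the value syntax (D = DWORD, S = string, `!KEY!` opens a key) and the CLIENT sample are assumptions; `$REGROOT$` is the placeholder as it appears in the post.

```python
# Added example (not from the post): parse GRC.DAT fragments like the one quoted above
# and diff two of them. Assumed format: "!KEY!=<reg path>" opens a key; "Name=<T><text>"
# sets a value, T being D (DWORD) or S (string). A leading '!' on a name is kept verbatim.
from typing import Dict, Optional, Tuple

Value = Tuple[str, str]                     # (type name, raw value text)
GrcSettings = Dict[str, Dict[str, Value]]   # key path -> {value name: Value}
TYPE_TAGS = {"D": "DWORD", "S": "string"}


def parse_grc(text: str) -> GrcSettings:
    """Parse a fragment into {key path: {name: (type, raw text)}}; blank lines are skipped."""
    settings: GrcSettings = {}
    key: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected Name=Value, got {line!r}")
        name, value = line.split("=", 1)
        if name == "!KEY!":
            key = value
            settings.setdefault(key, {})    # a key with no values is still recorded
            continue
        if key is None or value[:1] not in TYPE_TAGS:
            raise ValueError(f"line {lineno}: malformed entry {line!r}")
        settings[key][name] = (TYPE_TAGS[value[0]], value[1:])
    return settings


def diff_grc(base: GrcSettings, other: GrcSettings) -> Dict[Tuple[str, str], Tuple[Optional[Value], Optional[Value]]]:
    """{(key, name): (base value, other value)} for every setting that differs (None = absent)."""
    changes = {}
    for key in sorted(set(base) | set(other)):
        for name in sorted(set(base.get(key, {})) | set(other.get(key, {}))):
            a, b = base.get(key, {}).get(name), other.get(key, {}).get(name)
            if a != b:
                changes[(key, name)] = (a, b)
    return changes


# Constructed samples: BASELINE mirrors the RealTimeScan section quoted above (MessageText
# shortened); CLIENT is a made-up copy with one value changed and one value missing.
BASELINE = r"""
!KEY!=$REGROOT$\Storages\SymProtect\RealTimeScan
MessageText=SSYMANTEC TAMPER PROTECTION ALERT\n\nTarget:  ~Q
!Disabled=D1
ProtectionProcess=D1
ProtectionNamedObject=D1
ProtectStandalone=D0
"""
CLIENT = BASELINE.replace("ProtectStandalone=D0", "ProtectStandalone=D1").replace("ProtectionNamedObject=D1\n", "")
```

Running `diff_grc(parse_grc(BASELINE), parse_grc(CLIENT))` reports the changed ProtectStandalone value and the missing ProtectionNamedObject entry; the same call against a real baseline and a client export shows where the two configurations drift.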


Accepted Solution

by:ping_it (earned 250 total points)
ID: 24130040
If it's on a machine, not a server, you don't risk anything by changing those values; the important thing is that you change them back to the values they had if they do not work.

I do not have the possibility to try this, and I don't remember what needs to be changed, and I don't want any responsibilities.

I suggest you call the Symantec Tech support and ask them. I also suggest you not tell the GCSS (the people who pick up the phone) what you want. Just say that you would like to disable the tamper protection; don't give many details, otherwise if they find it difficult they won't take the "case" fast :) So they think it's easy, and then you'll ask the difficult question.

Another thing... please tell them to LOOK in their INTERNAL KBs, because they DO have that information. They are the same registry keys as in the older SAV 10.1.X versions.

Best Regards

Author Closing Comment

by:ShuttleDIK
ID: 31569039
I hear ya, ping.  I greatly appreciate your support.

And just for your assurance, I'm not trying to disable SAVC for surreptitious purposes.  I'm not even trying to disable SAVC.  I'm trying to research for the people managing our SAVC on how or why our local users are getting SAVC disabled while the local Admins aren't.

Aaaah office politics.
Expert Comment

by:ping_it
ID: 24130495
As for why it gets disabled... there is a debug function in SAV that you enable in the registry.

It creates a LOT of data, and for sure everything is written there. Anyway, you should know "when" it happens, and then you can enable the log there. It's called VPdebug... in the registry you have to put the value "ALL", and delete the "ALL" to stop the debug.

Anyway, tech support... it's not so good, but if you find the right words they can try to help you.

You can say "oohhh, please help me... I can lose my job, a lot of pressure"... if you act with "please, please" you have many more possibilities than somebody angry.

And I suggest you call from 9 AM to 16:00 GMT+1; if possible, ask to be transferred to some Engineer in Warsaw :) Cannot say more.

If you get it resolved, please let me know. I am curious to know.

Best Regards
Author Comment

by:ShuttleDIK
ID: 24216178
Hi, I've got a bit of follow-up.

I haven't yet started the debug process, though I will today.  

But I've found that if I put Domain Users in the Local Power Users group, then Auto-Protect stays enabled, even after I switch Domain Users back to the regular Local Users group. That is, until whatever process is disabling it recurs, which is about once every one or two days. Again, I'll start debugging a couple of machines to see what is triggering it exactly (hopefully).

Thanks again!  The registry info was very helpful.