
How to utilize SEP 12.1 for Incident Response - PART 8


This article is the eighth installment in an ongoing series on how to utilize SEP 12.1 for Incident Response. Links to the previous seven are below:

  1. How to utilize SEP 12.1 for Incident Response - PART 1
  2. How to utilize SEP 12.1 for Incident Response - PART 2
  3. How to utilize SEP 12.1 for Incident Response - PART 3
  4. How to utilize SEP 12.1 for Incident Response - PART 4
  5. How to utilize SEP 12.1 for Incident Response - PART 5
  6. How to utilize SEP 12.1 for Incident Response - PART 6
  7. How to utilize SEP 12.1 for Incident Response - PART 7

In this article I will explain and demonstrate the purpose of Tamper Protection in an incident response situation. What is Tamper Protection? Tamper Protection provides real-time protection against non-Symantec processes that attempt to tamper with Symantec resources, such as SEP processes, services and registry keys. Having this feature enabled, especially during an incident response, can be key to identifying attack or infection points: malware that wants to stay on a host commonly tries to disable the AV agent first, and the blocked attempts tell you which process is doing it.

To enable Tamper Protection, log in to the SEPM and open the Clients page. Select the group you want to enable Tamper Protection for and open the Policies tab. Under Policies, click the 'General Settings' link, then the 'Tamper Protection' tab. Tick the box for 'Protect Symantec security software from being tampered with or shut down' and click the padlock icon so the setting is locked and cannot be changed on the client. Set the action to take to 'Block and log' and lock that setting as well; 'Log only' will tell you what happened, but it will not stop the client from being shut down while you investigate.


Once your changes have been saved, confirm that the policy serial number on the client (Help > Troubleshooting on the SEP client) matches the one shown for the group in the SEPM. If it does, the client has received the new policy and you should be set.

Now comes the part where you monitor the logs to determine if any unknown processes are attempting to 'tamper' with the SEP client.

In order to access the Tamper Protection logs, do the following:

1) Select Monitors tab
2) Set Log Type to 'Application and Device Control'
3) Set Log Content to 'Application Control'
4) Select Advanced Settings
5) Set Event Type to 'Tamper Protection'
6) Set Action to 'Block'
7) Select View Log

Right off the bat we can see the regedit.exe process attempting to change a specific registry key belonging to SEP. Further investigation revealed that it was trying to stop the SMC engine.


A second log entry showed an unknown process attempting to terminate ccSvcHst.exe, which belongs to SEP. Further investigation showed that the machine was infected with malware that was attempting to disable known processes of various AV products.
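As an added example (not code from the original article or from Symantec), the script below applies the same filter as the SEPM log view above, event type Tamper Protection with action Block, to an exported log and then ranks the non-Symantec actor processes by how directly they went after SEP's own components, which is the triage the two findings above walk through by hand. The CSV column names, the SEP install paths, the user-writable directories and the sample rows are all assumptions constructed for this example; a real SEPM export has its own column layout and must be mapped onto these names first.

```python
"""Triage blocked Tamper Protection events exported from the SEPM.

Added example, not code from the original article or from Symantec.
The column names used here are an assumption made for this example; map
the columns of a real SEPM log export onto them before using it.
"""
import csv
import io
from collections import defaultdict

# Processes that legitimately touch SEP resources (assumption: adjust to
# the install paths in your environment).
SYMANTEC_DIRS = (
    r"c:\program files\symantec\symantec endpoint protection",
    r"c:\program files (x86)\symantec\symantec endpoint protection",
)

# SEP components an attacker has to stop to disable protection. Only the
# two named in the article (ccSvcHst.exe and the SMC engine) are listed.
SEP_CORE_TARGETS = ("ccsvchst.exe", "smc.exe", r"symantec endpoint protection\smc")

# Directories an unprivileged user or dropper can write to (assumption).
USER_WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\")

# Constructed sample export modelled on the article's two findings:
# regedit.exe editing an SEP registry key, and an unknown binary trying to
# kill ccSvcHst.exe. Not real log data.
SAMPLE_EXPORT = r"""time,computer,event_type,action,actor_process,target_type,target
2013-05-01 09:12:03,WS-017,Tamper Protection,Blocked,C:\Windows\regedit.exe,Registry,HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC
2013-05-01 09:12:04,WS-017,Tamper Protection,Blocked,C:\Windows\regedit.exe,Registry,HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC
2013-05-01 09:40:51,WS-022,Tamper Protection,Blocked,C:\Users\Public\svchost32.exe,Process,ccSvcHst.exe
2013-05-01 09:40:52,WS-022,Tamper Protection,Blocked,C:\Users\Public\svchost32.exe,Process,ccSvcHst.exe
2013-05-01 09:40:53,WS-022,Tamper Protection,Blocked,C:\Users\Public\svchost32.exe,Process,Smc.exe
2013-05-01 10:02:11,WS-003,Tamper Protection,Logged,C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe,Process,ccSvcHst.exe
2013-05-01 10:15:00,WS-003,Application Control,Blocked,C:\Tools\psexec.exe,File,C:\Windows\System32\cmd.exe
"""


def parse_export(text):
    """Parse the CSV export into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def blocked_tamper_events(rows):
    """Same filter as the SEPM view: event type Tamper Protection, action Block."""
    return [r for r in rows
            if r["event_type"] == "Tamper Protection" and r["action"] == "Blocked"]


def is_symantec_process(path):
    """Heuristic: anything under the SEP install directory is expected noise."""
    return path.lower().startswith(SYMANTEC_DIRS)


def triage(rows):
    """Group blocked events by (computer, actor process) and summarise targets.

    Returns {(computer, actor): {"count": n, "targets": {(type, name), ...},
                                 "hits_sep_core": bool}}.
    """
    findings = defaultdict(lambda: {"count": 0, "targets": set(), "hits_sep_core": False})
    for r in blocked_tamper_events(rows):
        if is_symantec_process(r["actor_process"]):
            continue  # SEP's own components tripping the rule; skip for this triage
        f = findings[(r["computer"], r["actor_process"])]
        f["count"] += 1
        f["targets"].add((r["target_type"], r["target"]))
        if any(t in r["target"].lower() for t in SEP_CORE_TARGETS):
            f["hits_sep_core"] = True
    return dict(findings)


def prioritise(findings):
    """Order actors for investigation.

    Actors that hit SEP's core components come first, then actors running
    from user-writable directories (a dropped binary, as in the article's
    second case), then by event volume. regedit.exe on an SEP key still
    needs a "who launched it" follow-up, as the article's first case shows.
    """
    def score(item):
        (_computer, actor), f = item
        from_user_dir = actor.lower().startswith(USER_WRITABLE_DIRS)
        return (f["hits_sep_core"], from_user_dir, f["count"])
    return sorted(findings.items(), key=score, reverse=True)


if __name__ == "__main__":
    for (computer, actor), f in prioritise(triage(parse_export(SAMPLE_EXPORT))):
        flag = "SEP core" if f["hits_sep_core"] else "other"
        print(f"{computer}: {actor} blocked {f['count']}x [{flag}] -> {sorted(f['targets'])}")
```

Run as-is it ranks the binary in C:\Users\Public that tried to terminate ccSvcHst.exe and Smc.exe ahead of regedit.exe; both hit SEP core components, but regedit is a legitimate tool whose launcher still has to be tracked down, whereas an unknown executable in a user-writable directory killing the AV service is the stronger infection indicator. The SEP-internal "Logged" row and the unrelated Application Control row are dropped by the filter, exactly as they would be in the SEPM view.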


In both cases, Tamper Protection helped identify the root of the problem. Note that the log names the process that was blocked, not necessarily where the attack originated: in the regedit.exe case the real question is what launched regedit, so pair the Tamper Protection log with whatever process-creation evidence you have on the host before closing the case. This is an excellent feature to add to your SEP arsenal when dealing with an incident response situation, and I would highly recommend enabling it.

Please leave any comments or questions below. Are there any other features you would like to see showcased in an article? Drop me a PM.

