There are tamper alerts regarding a Java (jqs.exe) process on client machines since Symantec Endpoint Protection (SEP) has been upgraded from 11.0 to 12.1. This does not occur on all clients.
Tamper protection is configured to "Block".
The file has been submitted to Security Response and it is clean.
JQS.exe try to reach SEP processes (i.e. ccSvcHst.exe, smc.exe), but not stopping them. This may be an incompatibility between JQS.exe and SEP 12.1.
- Go to JQS.exe from Control Panel > Java > Advanced > Misc. and uncheck Java Quick Starter
- Create Centralized Exception to exclude JQS.exe from Tamper detection:
Log in to the SEPM (Symantec Endpoint Protection Manager)
Go to Policies -> Centralized Exceptions -> Add a Centralized Exception Policy
Click on Centralized Exceptions
Click on Add -> Windows Exception -> Tamper Protection Exception
Choose Prefix: [PROGRAM_FILES] and write to File: \Java\JRE6\BIN\JQS.EXE
Windows XP computer with SEP 12.1 and Java 1.6 u26.
What is JQS?
JavaTM Quick Starter
Java Quick Starter (JQS), introduced in the Java SE 6 update 10 release, improves the initial startup time of Java applets and applications by periodically prefetching some of the most heavily used Java Runtime Environment files into memory (occupying no more than 20Mb of RAM). Later, when Java is launched, much less disk I/O is required and as a result, startup is much faster.
JQS is enabled by default in the Windows 2000 and Windows XP operating systems running on x86 (IA-32) or compatible hardware. It is turned off in Windows Vista because Windows Vista offers its own preloading mechanisms. When fully enabled, JQS runs as a Windows service called Java Quick Starter. The Task Manager shows a jqs.exe process.
The JQS service will perform runtime checks to determine if the system is running on battery power. If so, prefetching will be suspended until AC power is restored. This scenario is most common on laptop PCs.