A process is triggering a Symantec Endpoint Protection (SEP) Tamper Protection alert. Is there cause for concern?
You receive a pop-up Tamper Protection alert from Symantec Endpoint Protection on your computer, or Event ID 45: Tamper Protection is recorded in the event logs.
Tamper Protection events may be caused by malware or by legitimate software that tries to access files and registry keys used by SEP.
In the alert, first identify the Target, the Actor Process and the Action Taken. The Target is the process that is being attacked. The Actor Process is the process that is doing the attacking. The Action Taken is the action that Tamper Protection performed in response to the attack.
Next, consider whether the Actor Process is a valid process or could be suspicious.
If you suspect the Actor Process could be a potential threat to your environment, you should submit the suspicious process to Symantec Security Response for analysis. For information on how to submit a file to Security Response, please read How to Use the Web Submission Process.
You should also run a Full System Scan with the latest definitions and check whether any Risks are being detected by your AntiVirus product in the Risk History/Log.
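The triage steps above can be scripted. The following PowerShell is an added example, not Symantec's code: it pulls the Target, Actor Process and Action Taken out of an alert and reports whether the Actor Process binary exists, how it is signed and its SHA-256. The "Label: value" message layout, the trailing "(PID nnnn)", the Application log name and all function names are assumptions, and the sample alert is constructed.

```powershell
# Added example. Assumptions: the alert text uses "Label: value" lines, and
# Event ID 45 is read from the Application log (pass -LogName to change it).
function ConvertFrom-TamperMessage {
    param([Parameter(Mandatory)][string]$Message)
    $fields = [ordered]@{ Target = $null; ActorProcess = $null; ActionTaken = $null }
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*(Target|Actor Process|Action Taken)\s*:\s*(.+?)\s*$') {
            $label, $value = $Matches[1], $Matches[2]
            $fields[$label.Replace(' ', '')] = $value
        }
    }
    [pscustomobject]$fields
}

function Get-ActorAssessment {
    param([Parameter(Mandatory)][string]$ActorProcess)
    # Strip a trailing "(PID nnnn)" if present (assumed, not a documented format).
    $path = $ActorProcess -replace '\s*\(PID\s+\d+\)\s*$', ''
    $result = [ordered]@{ Path = $path; Exists = $false; Signature = $null; Signer = $null; SHA256 = $null }
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $result.Exists    = $true
        $result.Signature = $sig.Status   # Valid, NotSigned, HashMismatch, ...
        if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }
        $result.SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
    [pscustomobject]$result
}

function Get-TamperAlert {
    param([string]$LogName = 'Application', [int]$MaxEvents = 20)
    # Event ID 45 may also be used by other sources; keep only parsed alerts.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 45 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-TamperMessage -Message $_.Message } |
        Where-Object { $_.ActorProcess }
}

# Constructed sample alert (illustrative paths, not real output).
$sample = @'
Target: C:\Program Files\Example\Protected.exe
Actor Process: C:\Windows\System32\svchost.exe (PID 1234)
Action Taken: Blocked
'@
$alert = ConvertFrom-TamperMessage -Message $sample
$alert | Format-List
Get-ActorAssessment -ActorProcess $alert.ActorProcess | Format-List
```

An Actor Process that is missing from disk, unsigned, or running from an unexpected path is a candidate for submission; a valid signature from a known vendor points toward legitimate software but does not replace the Full System Scan.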
Imported Document ID: TECH97931