PL 5.0.0.49 and Symantec Endpoint Protection 11.0.700 don't work

Started by jslegers, September 29, 2011, 07:26:33 AM

jslegers

Hi,

I'm testing SEP 11.0.7000 on an XP machine with Process Lasso 5.0.0.49 Free Edition. Symantec gives these messages during start-up:

SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
Event Info:  Suspend Thread
Action Taken:  Logged
Actor Process:  C:\Program Files\Process Lasso\ProcessLasso.exe (PID 1840)
Time:  Thursday, September 29, 2011  1:20:56 PM

SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe
Event Info:  Suspend Thread
Action Taken:  Logged
Actor Process:  C:\Program Files\Process Lasso\ProcessLasso.exe (PID 1840)
Time:  Thursday, September 29, 2011  1:20:57 PM

SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe
Event Info:  Resume Thread
Action Taken:  Logged
Actor Process:  C:\Program Files\Process Lasso\ProcessLasso.exe (PID 1840)
Time:  Thursday, September 29, 2011  1:20:57 PM

SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
Event Info:  Resume Thread
Action Taken:  Logged
Actor Process:  C:\Program Files\Process Lasso\ProcessLasso.exe (PID 1840)
Time:  Thursday, September 29, 2011  1:20:57 PM

SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Event Info:  Resume Thread
Action Taken:  Logged
Actor Process:  C:\Program Files\Process Lasso\ProcessLasso.exe (PID 1840)
Time:  Thursday, September 29, 2011  1:20:57 PM

SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Event Info:  Suspend Thread
Action Taken:  Logged
Actor Process:  C:\Program Files\Process Lasso\ProcessLasso.exe (PID 1840)
Time:  Thursday, September 29, 2011  1:20:57 PM

SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\DoScan.exe
Event Info:  Resume Thread
Action Taken:  Logged
Actor Process:  C:\Program Files\Process Lasso\ProcessLasso.exe (PID 1840)
Time:  Thursday, September 29, 2011  1:20:57 PM

SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\DoScan.exe
Event Info:  Suspend Thread
Action Taken:  Logged
Actor Process:  C:\Program Files\Process Lasso\ProcessLasso.exe (PID 1840)
Time:  Thursday, September 29, 2011  1:20:57 PM

SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info:  Resume Thread
Action Taken:  Logged
Actor Process:  C:\Program Files\Process Lasso\ProcessLasso.exe (PID 1840)
Time:  Thursday, September 29, 2011  1:20:56 PM

SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info:  Suspend Thread
Action Taken:  Logged
Actor Process:  C:\Program Files\Process Lasso\ProcessLasso.exe (PID 1840)
Time:  Thursday, September 29, 2011  1:20:56 PM

Is this a known issue?

Jeremy Collake

#1
This has been reported to a Symantec Engineer, to which we hope an expedient resolution results. I am also looking into addressing it from this end (as I have in the past) by completely avoiding touching their processes in the slightest.

This is no 'big deal' though and their Tamper Protection System 'goes off' quite frequently it seems. The present recommendation is to turn off TPS if this causes trouble for you -- until a resolution is reached by either party.

Very sorry!
Software Engineer. Bitsum LLC.

Jeremy Collake

I do have a temporary work-around on this end, again excluding their processes totally. I will release it shortly, if needed. How bothersome is this? Can you wait days, or do you need a solution now? Of course, turning off TPS does also provide an alternate (slightly more risky) solution.

Jeremy Collake

#3
I have both a permanent fix that allows listing and management of Symantec processes instead of just avoidance, but it will need some beta testing.

I have an immediate fix to avoid these additional processes.

Jeremy Collake

(post updated above): Updated plan of action - immediate fix to be released as v5.00.50. The better solution requires more testing. It would likely be fine, but I do not want to risk it.

Jeremy Collake

Has anyone tested the beta with SEP? It handles these processes much differently, now listing them. I'd appreciate it if anyone could give me a real world test. My trials of these products keep expiring, and it is hard to keep up with so many different ones.