EMET and AV

  • Question

  • I'm using EMET 4.1 on Windows 7 SP1 x64, and we have noticed that Symantec Endpoint Protection gives off Tampering notifications on several of its own EXE files (ccSvcHst.exe, Smc.exe, etc.) caused by EMET_GUI.exe, for instance from the event log:

    

    Scan Type: Tamper Protection Scan
    Event: Tamper Protection Detection
    Security Risk Detected: C:\Program Files (x86)\EMET 4.1\EMET_GUI.exe
    File: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHost.exe
    Location: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin
    Computer: <computername>
    User: <username>
    Action taken: Access Denied
    Date Found: <date>

    I can't seem to find in the documentation anywhere, on either Microsoft's or Symantec's sites, the answer to this question: should EMET_GUI be excluded from AV (and in this specific case, Tamper Protection from SEP)? It seems like this would be the logical answer to eliminate the tampering notifications (and/or modifying mitigations in EMET towards those specific EXEs), but I was wondering if anyone else ran into this Tampering (or even issues with AV in general) pointed at EMET and how it was handled?

    

    Friday, November 22, 2013 4:34 PM