# EMET and AV

• ### Question

• I'm using EMET 4.1 on Windows 7 SP1 x64, and we have noticed that Symantec Endpoint Protection gives off Tampering notifications on several of it's own EXE files (ccSvcHst.exe, Smc.exe, etc.) caused by EMET_GUI.exe, for instance from the event log:

﻿

﻿Scan Type: Tamper Protection Scan
Event: Tamper Protection Detection
Security Risk Detected: C:\Program Files (x86)\EMET 4.1\EMET_GUI.exe
File: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHost.exe
Location: C:\Program Files (x86)\Symantec\﻿﻿Symantec Endpoint Protection\12.1.3001.165.105\Bin
Computer: <computername>
Date Found: <date>

I can't seem to find in documentation anywhere either on Microsoft or Symantec's sites the answer to this question: should EMET_GUI be excluded from AV (and in this specific case, Tamper Protection from SEP)? It seems like this would be the logical answer to eliminate the tampering notifications (and/or modifying mitigations in EMET towards those specific EXE's), but I was wondering if anyone else ran into this Tampering (or even issues with AV in general) pointed at EMET and how it was handled?

﻿﻿﻿

Friday, November 22, 2013 4:34 PM