Carbon Black Cloud: Tamper Protection blocks Symantec Endpoint Protection injections resulting in repcli.exe failing to run.

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: 3.7.x and Lower
  • Microsoft Windows: All Supported Versions
  • Symantec Endpoint Protection: All Versions

Symptoms

Tamper Protection blocks injection by Symantec Endpoint Protection, resulting in scanhost.exe, repux.exe, and repcli.exe all failing to run.

Cause

Symantec Endpoint Protection injects Sysfer.dll by modifying the IMPORT directory: Sysplant.sys adds a sysfer.dll entry to the import directory during the image-load notification for the main module and removes the entry again during the image-load notification for sysfer.dll. The Carbon Black Cloud Sensor responds by having Tamper Protection block the sysfer.dll load.
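As an added illustration of the import-directory mechanism described above (example code written for this article, not Carbon Black or Symantec code), the following Python parses a PE image's import directory and reports DLL entries that appear in a loaded image but not in the on-disk file. The PE images are constructed inline for the demonstration, and `sysfer.dll` is used only as the name this article gives.

```python
import struct

def _rva_to_off(pe, rva, sections):
    """Map an RVA to a file offset via the section table."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} not in any section")

def list_imported_dlls(pe: bytes) -> list:
    """Walk the IMAGE_IMPORT_DESCRIPTOR array and return imported DLL names in order."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, size_opt = struct.unpack_from("<H12xH", pe, e_lfanew + 6)  # NumberOfSections, SizeOfOptionalHeader
    opt = e_lfanew + 24                                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    datadir = opt + (0x70 if magic == 0x20B else 0x60)  # data directory offset: PE32+ vs PE32
    imp_rva = struct.unpack_from("<I", pe, datadir + 8)[0]  # directory entry 1 = IMPORT
    sections = []
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", pe, opt + size_opt + 40 * i + 8)
        sections.append((va, vsize, raw, rawsize))
    dlls, off = [], _rva_to_off(pe, imp_rva, sections)
    while pe[off:off + 20] != bytes(20):                # array ends with an all-zero descriptor
        name_off = _rva_to_off(pe, struct.unpack_from("<I", pe, off + 12)[0], sections)
        dlls.append(pe[name_off:pe.index(b"\0", name_off)].decode())
        off += 20
    return dlls

def build_sample_pe(dll_names) -> bytes:
    """Constructed minimal PE32+ with one section whose RVAs equal file offsets (test data only)."""
    base = 0x200
    descs, names, rva = b"", b"", base + 20 * (len(dll_names) + 1)
    for n in dll_names:
        descs += struct.pack("<IIIII", 0, 0, 0, rva, 0)  # only the Name RVA matters for this walk
        names += n.encode() + b"\0"
        rva += len(n) + 1
    section = descs + bytes(20) + names
    opt = struct.pack("<H", 0x20B).ljust(0x78, b"\0") + struct.pack("<II", base, len(descs) + 20)
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22) + opt.ljust(240, b"\0")
    hdr += struct.pack("<8sIIIIIIHHI", b".idata", len(section), base, len(section), base, 0, 0, 0, 0, 0xC0000040)
    return hdr.ljust(base, b"\0") + section

def added_imports(on_disk: bytes, in_memory: bytes) -> list:
    """DLL entries present in the loaded image's import directory but not in the file on disk."""
    return [d for d in list_imported_dlls(in_memory) if d not in list_imported_dlls(on_disk)]
```

Comparing `build_sample_pe(["KERNEL32.dll", "ADVAPI32.dll"])` against the same list with `sysfer.dll` prepended, `added_imports` returns `['sysfer.dll']`, which is the kind of import-directory change the sensor's Tamper Protection reacts to.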

Resolution

This behavior has been fixed in the 3.8.0.398 CB Cloud Windows Sensor.

Creation Date: 02-22-2022