Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Sensor: 3.7.x and Lower
- Microsoft Windows: All Supported Versions
- Symantec Endpoint Protection: All Versions
Symptoms
Tamper Protection blocks the DLL injection attempted by Symantec Endpoint Protection into Carbon Black Cloud sensor processes, and the sensor executables scanhost.exe, repux.exe, and repcli.exe all fail to run.
Cause
Symantec Endpoint Protection injects sysfer.dll by modifying the target process's import directory. Its kernel driver, sysplant.sys, adds a sysfer.dll entry to the main module's import directory during the image-load notification for the main module, so the loader resolves sysfer.dll as if it were a static import, and then removes that entry again during the image-load notification for sysfer.dll itself. The CB Cloud Sensor's Tamper Protection sees this in-memory modification of a protected sensor process and blocks the sysfer.dll load, which is why the affected executables fail to start.
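The import-directory manipulation described above, as an added example that is neither Carbon Black's nor Symantec's code: a constructed flat PE32+ image (RVA == offset, as when a loaded module is read back from process memory), a walker over IMAGE_DIRECTORY_ENTRY_IMPORT, an emulation of the add-then-remove of the sysfer.dll descriptor that sysplant.sys performs around the two image-load notifications, and a diff of the live import list against a baseline copy, which is the check an analyst can use to confirm the injection. The image layout, the constants and the helper names are assumptions made for this example; on a real endpoint you would read the module out of the process (ReadProcessMemory, or pefile over a dump) and, for an on-disk file, translate RVAs through the section table first.

```python
import struct

# Layout of the constructed flat image (RVA == offset). This is an assumption
# made for the example, not the layout of any real binary.
DOS_E_LFANEW_OFFSET = 0x3C
NT_HEADERS_OFFSET = 0x40
OPTIONAL_HEADER_OFFSET = NT_HEADERS_OFFSET + 4 + 20      # after "PE\0\0" + IMAGE_FILE_HEADER
IMPORT_DIRECTORY_OFFSET = OPTIONAL_HEADER_OFFSET + 120    # PE32+: DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]
IMPORT_TABLE_RVA = 0x200      # IMAGE_IMPORT_DESCRIPTOR array, all-zero terminated
NAME_TABLE_RVA = 0x300        # DLL name strings, one 32-byte slot per descriptor
THUNK_TABLE_RVA = 0x400       # placeholder thunk arrays (not walked in this example)
DESCRIPTOR_SIZE = 20
NAME_SLOT = 32
MAX_IMPORTS = (THUNK_TABLE_RVA - NAME_TABLE_RVA) // NAME_SLOT
IMAGE_SIZE = 0x600


def _count_descriptors(img, table_rva):
    """Number of descriptors before the all-zero terminator (how the loader finds the end)."""
    n = 0
    while any(img[table_rva + n * DESCRIPTOR_SIZE:table_rva + (n + 1) * DESCRIPTOR_SIZE]):
        n += 1
    return n


def _append_descriptor(img, dll_name):
    """Write one IMAGE_IMPORT_DESCRIPTOR plus its name string ahead of the terminator."""
    table_rva = struct.unpack_from("<I", img, IMPORT_DIRECTORY_OFFSET)[0]
    n = _count_descriptors(img, table_rva)
    encoded = dll_name.encode("ascii") + b"\0"
    if n >= MAX_IMPORTS or len(encoded) > NAME_SLOT:
        raise ValueError("no room left in the constructed image")
    name_rva = NAME_TABLE_RVA + n * NAME_SLOT
    thunk_rva = THUNK_TABLE_RVA + n * 16
    img[name_rva:name_rva + len(encoded)] = encoded
    # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<IIIII", img, table_rva + n * DESCRIPTOR_SIZE,
                     thunk_rva, 0, 0, name_rva, thunk_rva + 8)
    # DataDirectory.Size conventionally counts the terminator as well
    struct.pack_into("<I", img, IMPORT_DIRECTORY_OFFSET + 4, (n + 2) * DESCRIPTOR_SIZE)


def build_image(dll_names):
    """Constructed PE32+ image carrying only the headers and import data this example needs."""
    img = bytearray(IMAGE_SIZE)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, DOS_E_LFANEW_OFFSET, NT_HEADERS_OFFSET)
    img[NT_HEADERS_OFFSET:NT_HEADERS_OFFSET + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine=AMD64, 0 sections, SizeOfOptionalHeader=240, EXECUTABLE|LARGE_ADDRESS_AWARE
    struct.pack_into("<HHIIIHH", img, NT_HEADERS_OFFSET + 4, 0x8664, 0, 0, 0, 0, 240, 0x22)
    struct.pack_into("<H", img, OPTIONAL_HEADER_OFFSET, 0x20B)          # PE32+ magic
    struct.pack_into("<II", img, IMPORT_DIRECTORY_OFFSET, IMPORT_TABLE_RVA, DESCRIPTOR_SIZE)
    for name in dll_names:
        _append_descriptor(img, name)
    return img


def list_imports(img):
    """Walk IMAGE_DIRECTORY_ENTRY_IMPORT of a loaded (flat, RVA == offset) image; return the DLL names."""
    if img[0:2] != b"MZ":
        raise ValueError("not a PE image")
    nt = struct.unpack_from("<I", img, DOS_E_LFANEW_OFFSET)[0]
    if img[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    magic = struct.unpack_from("<H", img, nt + 24)[0]
    data_dir = nt + 24 + (112 if magic == 0x20B else 96)       # DataDirectory start, PE32+ / PE32
    table_rva = struct.unpack_from("<I", img, data_dir + 8)[0]   # entry 1 = import table
    names = []
    if table_rva == 0:
        return names
    pos = table_rva
    while True:
        descriptor = struct.unpack_from("<IIIII", img, pos)
        if not any(descriptor):          # the loader stops at the all-zero descriptor, not at Size
            break
        name_rva = descriptor[3]
        names.append(bytes(img[name_rva:img.index(b"\0", name_rva)]).decode("ascii"))
        pos += DESCRIPTOR_SIZE
    return names


def inject_import(img, dll_name):
    """Emulates step one of the Cause: a descriptor is added during the main module's load notification."""
    patched = bytearray(img)
    _append_descriptor(patched, dll_name)
    return patched


def remove_import(img, dll_name):
    """Emulates step two: the descriptor is deleted again during the injected DLL's own load notification.
    Only the descriptor is shifted out; the stale name string is left behind in this emulation."""
    patched = bytearray(img)
    table_rva = struct.unpack_from("<I", patched, IMPORT_DIRECTORY_OFFSET)[0]
    names = list_imports(patched)
    i = names.index(dll_name)                      # ValueError if the DLL is not imported
    n = len(names)
    start = table_rva + i * DESCRIPTOR_SIZE
    end = table_rva + (n + 1) * DESCRIPTOR_SIZE    # shift the terminator down with the tail
    patched[start:end - DESCRIPTOR_SIZE] = patched[start + DESCRIPTOR_SIZE:end]
    struct.pack_into("<I", patched, IMPORT_DIRECTORY_OFFSET + 4, n * DESCRIPTOR_SIZE)
    return patched


def unexpected_imports(baseline_img, live_img):
    """Analyst check: DLLs the live (in-memory) import table names that the baseline copy does not."""
    return sorted(set(list_imports(live_img)) - set(list_imports(baseline_img)))


def demo():
    baseline = build_image(["KERNEL32.dll", "ADVAPI32.dll"])      # constructed stand-in for a sensor executable
    at_main_load = inject_import(baseline, "sysfer.dll")           # state after the main module's load notification
    after_dll_load = remove_import(at_main_load, "sysfer.dll")     # state after sysfer.dll's load notification
    return (list_imports(at_main_load),
            unexpected_imports(baseline, at_main_load),
            unexpected_imports(baseline, after_dll_load))


if __name__ == "__main__":
    print(demo())
```

Because the descriptor is removed again on sysfer.dll's own load notification, the extra entry exists only between the two callbacks: a check run against the settled process sees the baseline list, which is why the third value returned by demo() is empty. Anything that wants to observe the injection has to look at the import table at image-load time, as the sensor evidently does when it blocks the sysfer.dll load, or capture the intermediate state.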
Resolution
This behavior is fixed in CB Cloud Windows Sensor 3.8.0.398. Upgrade affected endpoints to 3.8.0.398 or later; sensors on 3.7.x and lower remain affected.