How can I tell what process is causing a tamper protection alert?

Version

7.x

Issue

Email alerts are received with the title "Computer Security Alert - Suspicious behavior detected".

The body of the alert may contain a message such as:

Agent tampering prevented (DOMAIN\PCNAME). Modification of 'c:\programdata\bit9\parity agent\cache.chk-journal' by 'NT AUTHORITY\SYSTEM' was blocked because of tamper protection.

Cause

A process, such as an AV program, is attempting to scan one or more of the CB Protection (Bit9) files or folders. The agent prevents this and generates a tamper protection alert.

Solution

To determine what process is the root cause of these alerts, you can check the events in the console. 

  • Open the console, navigate to Reports > Events. 
  • Set a filter for Subtype = Tamper Protection.
  • Add columns for Process and Process Name.

From this view, you can see the process generating the alerts, and take action as needed.
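When many alert emails arrive, summarizing them by computer and blocked path first shows which hosts to filter on in the console view above. The following is an added example, not vendor code: it assumes every alert body has the wording of the sample message in the Issue section, and the sample bodies, the second host name and the `example.tmp` path are constructed.

```python
import re
from collections import Counter

# Pattern modelled on the one sample message shown in the Issue section.
# Assumption: other tamper alert wordings exist and are reported as unparsed.
ALERT_RE = re.compile(
    r"Agent tampering prevented \((?P<computer>[^)]+)\)\. "
    r"Modification of '(?P<path>.+?)' by '(?P<user>.+?)' "
    r"was blocked because of tamper protection",
    re.IGNORECASE,
)

def parse_alert(body):
    """Return {'computer', 'path', 'user'} for one alert body, or None."""
    body = " ".join(body.split())  # undo line wrapping added by mail clients
    m = ALERT_RE.search(body)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].lower()  # Windows paths are case-insensitive
    return rec

def summarize(bodies):
    """Count blocked modifications per (computer, user, path)."""
    counts, unparsed = Counter(), []
    for body in bodies:
        rec = parse_alert(body)
        if rec is None:
            unparsed.append(body)  # keep for manual review, never drop silently
        else:
            counts[(rec["computer"], rec["user"], rec["path"])] += 1
    return counts, unparsed

# Constructed sample alert bodies; PC2 and example.tmp are placeholders.
TEMPLATE = (r"Agent tampering prevented ({}). Modification of '{}' by "
            r"'NT AUTHORITY\SYSTEM' was blocked because of tamper protection.")
AGENT_DIR = r"c:\programdata\bit9\parity agent"
SAMPLE = [
    TEMPLATE.format(r"DOMAIN\PCNAME", AGENT_DIR + r"\cache.chk-journal"),
    TEMPLATE.format(r"DOMAIN\PCNAME", AGENT_DIR.upper() + r"\cache.chk-journal"),
    TEMPLATE.format(r"DOMAIN\PC2", AGENT_DIR + r"\example.tmp"),
    "Unrelated alert text that does not match the tamper format",
]

if __name__ == "__main__":
    counts, unparsed = summarize(SAMPLE)
    for (computer, user, path), n in counts.most_common():
        print(f"{n:3d}  {computer}  {user}  {path}")
    print(f"{len(unparsed)} alert(s) did not match the expected format")
```

The alert body does not name the process, so the output only narrows which computers and files to look at; the Process and Process Name columns in the console remain the source for the process itself.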

Important Note(s)

If the alerts are found to be due to AV software, make sure that you have the necessary exclusions in place as outlined in Anti-virus exclusions for CB Protection (formerly Bit9) agent.

Creation Date: 09-09-2016