Channel: Symantec Connect - Endpoint Protection - Discussions

Killing the SEP service

I need a solution

Hello everyone, recently we had a PT assessment in our SEP environment, and the PT team reported that they were able to successfully kill/bypass the SEP service. They also had a tool which they ran, and it disables SEP. They also used the taskkill command in cmd with local admin privileges and bypassed it, even though we already have the below enabled on the SEP side:

  1. Password protection is enabled to stop the service. Verified: if someone tries to run smc -stop, we are prompted to supply the password.
  2. Password protection is enabled to uninstall the agent. When we tried to uninstall from Control Panel, we were prompted to supply the password.
  3. If we go to the task tray and right-click on the SEP shield, Disable Symantec Endpoint Protection is greyed out.
  4. Tamper Protection is enabled and the action for it is Block and Log.

I also came across the below article and it works like this.

https://www.symantec.com/connect/forums/how-preven...

I am wondering how the SEP service can get killed even though Tamper Protection is already enabled.
