Penetration test discovers SEP client can be turned off by tampering with the registry in Safe Mode

I do not need a solution (just sharing information)

Hi All,

It would be really helpful if someone could help out with this issue. Thanks in advance!

We had externals perform a penetration test in our estate, and they found that SEP can be disabled by modifying the Symantec registry keys in Safe Mode by following the steps below, even though I have Tamper Protection and password protection enabled (for stopping/uninstallation).

1. Boot Windows in Safe Mode.

2. Press Win+R to open the Run dialog box.

3. Type regedit and hit Enter.

4. Go to Computer\HKEY_Local_Machine\SYSTEM\ControlSet001\Services\SepMasterService

5. Change the value of “Start key” from 2 to 3

6. Restart Windows.

I tried the same steps on my machine and was able to turn off Symantec.

Hence, I believe Tamper Protection does not work in Windows Safe Mode (not sure if this is a flaw in the product or expected behaviour). So, please suggest if there is anything that I can do from Symantec policies that will keep Tamper Protection ON even in Safe Mode, or any other way that can fix it. Thanks.
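For detection, the following added example (not part of the original post and not Symantec's own tooling) audits the `Start` value of `SepMasterService` in every control set and reports any that differ from 2, the value the post gives as the original. The function name `Get-ServiceStartAudit` is hypothetical, and treating 2 as the expected value is an assumption taken from the post.

```powershell
# Added example: audit the Start value of SepMasterService in every control set.
# Assumption: 2 (automatic start) is the expected value, as stated in the post.
$ServiceName   = 'SepMasterService'
$ExpectedStart = 2

function Get-ServiceStartAudit {
    param(
        [string]$Name   = $ServiceName,
        [int]$Expected  = $ExpectedStart
    )
    # Enumerate ControlSet001, ControlSet002, ... plus the CurrentControlSet link,
    # so a change made to a non-current control set is not missed.
    $sets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^(ControlSet\d{3}|CurrentControlSet)$' }

    foreach ($set in $sets) {
        $keyPath = Join-Path $set.PSPath "Services\$Name"
        if (-not (Test-Path -LiteralPath $keyPath)) {
            [pscustomobject]@{ ControlSet = $set.PSChildName; Start = $null; Status = 'KeyMissing' }
            continue
        }
        $start = (Get-ItemProperty -LiteralPath $keyPath -Name Start -ErrorAction SilentlyContinue).Start
        if ($null -eq $start)          { $status = 'StartValueMissing' }
        elseif ($start -eq $Expected)  { $status = 'OK' }
        else                           { $status = 'Tampered' }
        [pscustomobject]@{ ControlSet = $set.PSChildName; Start = $start; Status = $status }
    }
}

$results = @(Get-ServiceStartAudit)
$results | Format-Table -AutoSize

# BootupState shows whether the current session itself is a safe-mode boot
# ("Fail-safe boot" / "Fail-safe with network boot" versus "Normal boot").
$bootState = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
Write-Output "Current boot state: $bootState"

# Non-zero exit code lets a scheduled task or monitoring agent raise an alert.
$bad = @($results | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) {
    Write-Warning "$ServiceName start configuration differs from expected value $ExpectedStart in $($bad.Count) control set(s)."
    exit 1
}
```

Run it from an elevated session at startup or on a schedule; a `Tampered` row means the service will not start automatically on the next boot from that control set.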


