Bypass Record

Tamper-Protection Bypass × Broadcom (Symantec) Symantec Endpoint Protection 14.3.5351 and earlier

A publicly reported instance of a Tamper-Protection Bypass against Broadcom (Symantec) Symantec Endpoint Protection 14.3.5351 and earlier, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Broadcom (Symantec) Symantec Endpoint Protection 14.3.5351 and earlier
Technique
Tamper-Protection Bypass
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
poc
Disclosed
2024-07-21
Config / version noted
Yes

Provenance

Reported as

bypass the client UI password protection by patching a single instruction in memory or the binary... even with Tamper Protection enabled

Mechanism

The password check in SymCorpUI.exe is not protected by PPL (Protected Process Light) or by the kernel driver. Flipping a JZ to a JNZ at a specific offset (changing the opcode byte 0x74 to 0x75) causes any password to be accepted. A Python script automates patching and launching the UI, after which policy export/import can be used to change settings, disable protection, or extract password hashes.

Detection & mitigation

Monitor for unexpected modifications to Symantec Endpoint Protection binaries (e.g., SymCorpUI.exe) using file integrity monitoring (FIM) or endpoint detection and response (EDR) solutions that track changes to protected files. Because the source reports that the instruction can be patched in memory as well as on disk, on-disk FIM alone will not catch every case; EDR telemetry on processes that open or write to the running SymCorpUI.exe process should complement it. Ensure SEP is updated to version 14.3 RU6 or later to remediate the vulnerability, and enforce application control policies to prevent unauthorized code execution.

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.