IPS Core Service and Symantec AV
What is IPS Core Service? Apparently it doesn't coexist with the latest Symantec AV. It causes Symantec 10.1 to have Tamper Protection Alerts continuously. Symantec had created several Gigabytes of logfiles on my hard drive by the time I figured it out.
IBM won't talk to me about it because it's not a hardware problem, and Lenovo wants $120/call to discuss it. For now I simply stopped and disabled the service, but I have no clue what it does.
ryengineer
I hope this will help:
ipssvc.exe - Here is the scoop on IPSec Service as it pertains to computer network security. The big question: what is ipssvc.exe and is it spyware, a trojan and if so, how do I get rid of IPSec Service?
The process named ipssvc.exe is used when creating secure connections to private networks across a public network e.g. connecting to the office network - via the internet. Using this type of connection is known as Virtual Private Networking (VPN). If you use LanCom VPN to connect to another network from your computer you should leave this process running.
ipssvc.exe is an application that does NOT appear to be a security risk
The Process Server database currently registers ipssvc.exe to LanCom.
This is part of LanCom VPN.
"I've come a long, long way," she said, "and I will go as far,
With the man who takes me from my horse, and leads me to a bar."
The man who took her off her steed, and stood her to a beer,
Were a bleary-eyed Surveyor and a DRUNKEN ENGINEER.
Not the same thing.
IPSec Service is what manages the IP security keys, etc. It has dependencies on the IPSec driver and the TCP/IP protocol driver. The executable is 'lsass.exe'.
IPS Core Service is some Lenovo thing. It has a dependency on something called the IPS Helper driver. The executable is 'ipssvc.exe'.
Two things:
1. If you are sure of your abilities and have good common sense, turn tamper protection off. I do for myself, but not for clients.
2. Try configuring tamper protection. I see you can log rather than block process and internal objects, but that might defeat the purpose.
What I cannot see is how to control the size of the event log, but the collection of log files on my machine (for Symantec) is about 500Kb and they go back to 2005, so they don't seem too onerous.
... JDH
Even if I could, I wouldn't turn it off. XP is too insecure as it is, I'm not going to start disabling AV features. But I can't anyway - it was installed by the IT people where I work, and they control the configuration.
It's already set to Log Only. I don't know of any way to control the logfile size, either. If I turn on IPS Core Service the Symantec logfile will grow to several hundred MBytes in 15 or 20 seconds.
I don't know if this will help or not, but I saw this solution posted for stopping ACPI events from being written to the Event log and filling it up. Using this as a starting point, maybe you can find the necessary file(s) and modify them to stop the constant logging.
http://winhlp.com/WxACPIEC.htm
Alexandre Elias wrote to me with a very interesting new proposal. He successfully patched the ACPIEC.sys driver, taking away its desire to write into the Windows log. Here's what he wrote, verbatim:
----- Beginning of mail from Alexandre Elias, minimally edited -----
Your page is the only helpful resource I found on the web for the ACPIEC problem, so I thought you might be interested in hearing this. I found a better workaround for the ACPIEC warnings bug in Windows XP. I tried disabling ACPIEC.SYS from the registry like you said, but as expected it also disables useful functionality (power management stuff like sleep mode seems unaffected, but the "magic buttons" on my laptop keyboard, like brightness and volume controls, stop working). So I wasn't really happy with the solution.
After tinkering around, I found a method to turn off the warnings without disabling any functionality --- but it involves an even uglier hack. You can do it by modifying ACPIEC.SYS with a hex editor.
1. Go into \windows\system32\drivers and make a copy of ACPIEC.SYS to a new file called acpiecNoLog.sys.
2. Open acpiecNoLog.sys with a hex editor.
3. Most of the file will be unreadable garbage, but near the end you should be able to see a long series of null-terminated strings (the first is "MmUnlockPagableImageSection"). These are the names of the external functions dynamically linked by the driver.
4. Look for the function name "IoWriteErrorLogEntry". This is the function that writes the warnings into the system log. Now disable it by replacing the string, byte-for-byte, with "IOFreeErrorLogEntry". Note that this is one character shorter than the original, so make sure to replace the final 'y' with a null byte. Be careful to use an honest-to-god null (0x00) and not an ASCII space (0x20). And especially do NOT just delete the character, as that would pull up everything after it by one byte and screw up addressing. Visually:
I o W r i t e E r r o r L o g E n t r y
becomes byte-for-byte:
I o F r e e E r r o r L o g E n t r y <null>
5. Verify that you hacked the file properly by checking the file sizes. If you didn't screw up, the old ACPIEC.SYS and your new acpiecNoLog.sys should be precisely the same size.
6. Change the ACPIEC service registry key to point to your new hacked driver: i.e. in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPIEC, make sure ImagePath = "System32\DRIVERS\acpiecNoLog.sys". You can't just overwrite the old driver, because Windows has some kind of safeguard that prevents you from modifying system files.
7. Reboot, and enjoy.
It isn't for the faint of heart, but hey, it works. We can safely swap the two functions like this because both of them take the same parameters and have return type void. The Free function correctly frees the resource, so it shouldn't cause any leaks either. The only downside I can see is that if you ever get a genuine ACPIEC error, it won't make it into the logs—but what are the chances? Also, weird driver modifications might wreak havoc with Windows Update, so you might want to undo this hack before installing any service packs.
----- End of mail -----
Thanks a lot, Alex!
I immediately tried this and found that it indeed prevents the system log entries and also alleviates the video playing problem somewhat on my computer, but doesn't solve it for me altogether, even though I recently upgraded that laptop from 600 MHz to 1 GHz, but your mileage may vary. If your computer is much faster, the hack may shove you over the hill entirely and allow you to watch videos while at the same time having full ACPI functionality. But I like the change even so, because it seems to reduce the ACPIEC burst loads and frees me from the many useless log entries.
I made a minor amendment to the procedure proposed by Alex. I left the old registry entry there and renamed it to "ImagePath ORIGINAL", then created a new ImagePath entry. If you want to do that also, make sure the type of the new value is also REG_EXPAND_SZ, expandable string.
Good luck, and if anyone can hack the driver even more deeply, please let me know.
I used the above hack myself when I was running TPFANCONTROL. I downloaded and used PSPad Hex Editor (free) to modify the above mentioned file. http://www.pspad.com/en/
DKB
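Step 5 of the quoted mail only compares file sizes, which does not catch a space used as padding or a stray edit elsewhere in the file. The following is an added example, not part of the post or the quoted mail: a byte-level audit that confirms the only difference between two copies is the import name overwritten in place with null padding. The function names and the sample bytes are constructed for illustration.

```python
def diff_runs(original: bytes, patched: bytes):
    """Contiguous runs of differing bytes as half-open (start, end) offsets."""
    runs, start = [], None
    for i, (a, b) in enumerate(zip(original, patched)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((start, i))
            start = None
    if start is not None:
        runs.append((start, len(original)))
    return runs


def audit_name_swap(original: bytes, patched: bytes, old: bytes, new: bytes):
    """Return findings; an empty list means the only change is `old`
    overwritten in place by `new` plus null padding."""
    if len(original) != len(patched):
        # A deleted or inserted byte shifts every offset after it.
        return [f"size changed: {len(original)} -> {len(patched)}"]
    if len(new) > len(old):
        return ["replacement name is longer than the original"]
    at = original.find(old + b"\x00")
    if at < 0:
        return ["original name not found"]
    findings = []
    got = patched[at:at + len(old)]
    if got[:len(new)] != new:
        findings.append(f"unexpected name at {at:#x}: {got!r}")
    elif got[len(new):].strip(b"\x00"):
        findings.append(f"padding is {got[len(new):]!r}, not null bytes")
    for start, end in diff_runs(original, patched):
        if start < at or end > at + len(old):
            findings.append(f"unrelated change at {start:#x}-{end:#x}")
    return findings


# Constructed stand-in for a driver's import-name strings, not a real ACPIEC.SYS.
OLD, NEW = b"IoWriteErrorLogEntry", b"IoFreeErrorLogEntry"
SAMPLE = (b"MZ\x90\x00\x00\x00MmUnlockPagableImageSection\x00\x00\x00"
          + OLD + b"\x00\x00\x00IoAllocateErrorLogEntry\x00")
GOOD = SAMPLE.replace(OLD, NEW + b"\x00")   # last 'y' overwritten with 0x00
SPACE = SAMPLE.replace(OLD, NEW + b" ")     # 0x20 used instead of 0x00
DELETED = SAMPLE.replace(OLD, NEW)          # character deleted, file shrinks

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("space", SPACE), ("deleted", DELETED)):
        print(label, audit_name_swap(SAMPLE, blob, OLD, NEW) or "clean")
```

The same comparison, run against a known-good copy of a driver, shows exactly which bytes differ when a service's ImagePath has been pointed at a modified file.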
ipssvc
I had the same problem: Symantec Enterprise Protection v 11 reporting lots of tamper protection exceptions from IPSSVC.exe.
I found 2 ways to "solve" this.
First I disabled tamper protection (from SEP main window-> change settings -> client management change settings -> tamper prot..). This was just to avoid all the warnings I was getting while I was looking into this.
IPSSVC.exe is a service installed together with "Away Manager". I doubt it has anything to do with IPSec. Maybe there is a different IPSSVC.exe from a different vendor that is ipsec/vpn related but the Lenovo one doesn't seem to be VPN related. Maybe it monitors network traffic to figure out if you are "away", but this is just guessing.
Anyway I already was quite uncertain about the usefulness of Away Manager (I already had disabled all the default away tasks because I don't want to have Away Manager run stuff while I leave my laptop doing some computation while I'm away...) and this issue just gave me the final reason to get rid of it. I just uninstalled it from control-panel -> add/remove programs and that removed the ipssvc service and solved the Symantec AV tamper protection alerts.