
AmiShinu
Copper Contributor
Dec 18, 2024

Symantec software Disabling Recovery Mode during installations

The security team has often been receiving alerts that, during the installation of Symantec Encryption Desktop, Windows is using bcdedit.exe to modify the boot configuration, where it is disabling the Windows default system recovery.
It might be expected behavior to ensure no one can bypass the encryption at boot time, and it could be a defense mechanism. As we're receiving lots of alerts on this, we want to get to the root cause and ensure this is expected behavior. That way we can have it documented and fine-tune our detection.

Does anyone know if it would interact with the system boot configuration, and whether there is any mention of bcdedit tasks being used during installation?


Command Line: "cmd.exe" /c schtasks.exe /Create /RU %USERNAME% /SC DAILY /TN runBCDEDIT /RL HIGHEST /TR "bcdedit.exe /set recoveryenabled No " & schtasks.exe /run /TN runBCDEDIT & schtasks.exe /Delete /TN runBCDEDIT /F & schtasks.exe /Delete /TN "runBCDEDIT" /F
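To tune the alert rather than keep triaging it by hand, it helps to parse the command line above the way a detection rule would: split the `&` chain, pull the `/TR` payload out of the `schtasks.exe /Create` call, and check whether that payload (or a bare `bcdedit` call) turns recovery off, then weigh the parent process. The following is an added example written for this thread, not code from the original post, from Symantec or from Microsoft. The `KNOWN_INSTALLERS` allow list, the parent paths and the second and third sample command lines are constructed; only the first command line is the one quoted in the post.

```python
import re
import ntpath

# Hypothetical allow list: parent binaries whose children are expected to run
# this command. Fill it from your own software inventory.
KNOWN_INSTALLERS = {"symantecencryptiondesktop.exe"}

# bcdedit /set [{identifier}] recoveryenabled <no|off|false|0>
_RECOVERY_OFF = re.compile(
    r"bcdedit(?:\.exe)?\s+/set\s+(?:\{[^}]*\}\s+)?recoveryenabled\s+(?:no|off|false|0)\b",
    re.IGNORECASE)
# schtasks switches that take the next token as a value, and its verbs
_VALUE_SWITCHES = {"ru", "rp", "sc", "tn", "tr", "rl", "mo", "st", "sd", "ed",
                   "et", "du", "d", "m", "i", "s", "u", "p", "xml"}
_ACTIONS = {"create", "run", "delete", "change", "query", "end"}


def split_unquoted(text, sep):
    """Split text on sep, ignoring separators inside double quotes."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def tokenize(segment):
    """Whitespace-split a segment, keeping a double-quoted run as one token."""
    tokens, buf, quoted = [], [], False
    for ch in segment:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens


def _is_schtasks(token):
    return ntpath.basename(token).lower() in ("schtasks.exe", "schtasks")


def parse_schtasks(tokens):
    """Return (verb, options) for the schtasks invocation in a token list."""
    i = next(i for i, t in enumerate(tokens) if _is_schtasks(t)) + 1
    verb, opts = None, {}
    while i < len(tokens):
        name = tokens[i][1:].lower() if tokens[i].startswith("/") else ""
        if name in _ACTIONS:
            verb = name
        elif name in _VALUE_SWITCHES and i + 1 < len(tokens):
            opts[name] = tokens[i + 1].strip()
            i += 1
        i += 1
    return verb, opts


def analyze(event, known_installers=KNOWN_INSTALLERS):
    """Classify one process-creation event: {'parent': path, 'cmdline': str}."""
    findings, task_verbs = [], {}
    for seg in split_unquoted(event["cmdline"], "&"):
        tokens = tokenize(seg)
        if any(_is_schtasks(t) for t in tokens):
            verb, opts = parse_schtasks(tokens)
            task = opts.get("tn", "").lower()
            task_verbs.setdefault(task, set()).add(verb)
            if verb == "create" and _RECOVERY_OFF.search(opts.get("tr", "")):
                findings.append({"method": "scheduled task", "task": task,
                                 "run_as": opts.get("ru"), "run_level": opts.get("rl"),
                                 "payload": opts.get("tr")})
        elif _RECOVERY_OFF.search(seg):
            findings.append({"method": "direct", "payload": seg})
    for f in findings:  # create -> run -> delete of one task in a single command line
        if f["method"] == "scheduled task":
            f["self_deleting"] = {"create", "run", "delete"} <= task_verbs[f["task"]]
    parent = ntpath.basename(event["parent"]).lower()
    expected = bool(findings) and parent in known_installers
    verdict = ("no finding" if not findings else
               "expected: known installer, document and tune the rule" if expected else
               "investigate: recovery disabled from unexpected parent")
    return {"recovery_disabled": bool(findings), "findings": findings,
            "parent": parent, "expected": expected, "verdict": verdict}


# Constructed sample events: the first command line is the one quoted in the
# post; the parent paths and the other two command lines are made up.
SAMPLE_EVENTS = [
    {"parent": r"C:\Temp\SymantecEncryptionDesktop.exe",
     "cmdline": '"cmd.exe" /c schtasks.exe /Create /RU %USERNAME% /SC DAILY /TN runBCDEDIT '
                '/RL HIGHEST /TR "bcdedit.exe /set recoveryenabled No " & schtasks.exe /run '
                '/TN runBCDEDIT & schtasks.exe /Delete /TN runBCDEDIT /F & '
                'schtasks.exe /Delete /TN "runBCDEDIT" /F'},
    {"parent": r"C:\Users\Public\updater.exe",
     "cmdline": "cmd.exe /c bcdedit.exe /set {default} recoveryenabled no"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'schtasks.exe /Create /SC DAILY /TN NightlyCopy /TR "robocopy C:\\data D:\\backup"'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = analyze(ev)
        print(f"{r['parent']:32} {r['verdict']}")
```

The useful tuning signal is the combination: the `/TR` payload disables recovery, the task is created, run and deleted in the same command line, and it runs at `/RL HIGHEST`. Keying the exception on the parent process (and, in a real rule, on the installer's signature or hash) keeps the alert for the same `bcdedit` change arriving from anything else.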

2 Replies

  • AmiShinu
    Copper Contributor

    Does this mean that this is run only during the installation phase and it reverts back to the default Windows? Are there any additional things I can validate? Thanks in advance, Kidd_Ip

  • The command line you provided creates a scheduled task to disable Windows recovery, runs the task, and then deletes it:
    cmd.exe /c schtasks.exe /Create /RU %USERNAME% /SC DAILY /TN runBCDEDIT /RL HIGHEST /TR "bcdedit.exe /set recoveryenabled No " & schtasks.exe /run /TN runBCDEDIT & schtasks.exe /Delete /TN runBCDEDIT /F & schtasks.exe /Delete /TN "runBCDEDIT" /F