Endpoint Protection Small Business Edition

  • 1.  Application Control Events notification

    Posted Nov 04, 2014 06:11 PM

    I am running SEPM 12.1.4023.4080. I have about 100 clients coming to one server for updates. Everything is going well, except that I noticed the other day that under the Policies tab there were only a few non-shared Application and Device Control policies. However, if I go to the Clients tab, almost every client group has its own Application and Device Control policy that is non-shared. Anyway, I went to Clients, exported the missing policies, then went to the Policies section, imported them, and assigned them to their respective groups. Since I have done this, I am being slammed with notifications from SEPM on

    Found 10 or more security events in 1 minutes on computer XYZ. Actual number of security events found was 28.
    Security events included:
    Compliance and Application Control.

    If I scroll through the typical email, it refers to a caller target process (assuming this means the application in question) and that it was allowed. This morning alone I had 300 emails waiting for me. During the day, I probably had another 200 come through from SEPM. Each of them reports an application from one client PC or another that was allowed. Some of the notifications I receive are not listing any applications at all. I do not believe that I would want to know about every application that was allowed to run on my computers. I would, however, be interested in any that were blocked (if I had that set up).

    I am not sure if I need to be creating exception rules or turn off email notifications for this particular notification setting. I cannot seem to find any correlation between the name of the report I see in my email and the notification name set up in SEPM, so I am not sure if the notification I am tweaking is the right one or not.

    I use A&D Control specifically to block unauthorized USB devices across all of my computers. I do not use Application Control at all right now, but I would like to learn how and actually use it.

    In the meantime, how do I reduce or eliminate the email notifications on allowed applications?

    Thanks,

    Scott



  • 2.  RE: Application Control Events notification

    Posted Nov 04, 2014 06:16 PM

    It could be from Tamper Protection, but you need to check that alert. You can adjust it accordingly to limit the number of emails. Everything can be configured from the alert, though.



  • 3.  RE: Application Control Events notification

    Posted Nov 05, 2014 03:03 PM

    The only option that I see is "Add Process to Exception Policy". Is that what I need to do so that it stops badgering me each time it allows a program to run? What exactly will this exception do? Now that I am looking at this log, how is it that all of the programs that were "blocked" did not kick out an email alert, but the allowed ones sent out an email alert? Wouldn't I want to know what Symantec is blocking instead of allowing? Please explain the logic so I can understand it better.



  • 4.  RE: Application Control Events notification

    Posted Nov 05, 2014 03:05 PM

    Would need to see a screenshot. I'm talking about editing the alert, not a policy.



  • 5.  RE: Application Control Events notification

    Posted Nov 05, 2014 03:08 PM

    I doubt it's from SEPM; a screenshot would be more helpful.



  • 6.  RE: Application Control Events notification

    Posted Nov 06, 2014 02:00 PM

    Found 10 or more security events in 1 minutes on computer ACSSERVER. Actual number of security events found was 15.
    Security events included:
    Compliance and Application Control.

    Symantec Endpoint Protection

     

    Notification Events

    11/06/2014 11:16:00 to 11/06/2014 11:17:00

     

      Print      

     

     

     

     

    Table of Contents

     

     
     

    Network Threat Protection and Compliance Events

     

    Application Control Events

     






     


      Top

     

    Network Threat Protection and Compliance Events

     

    Nothing to Report

     


      Top

     

    Application Control Events

     

    Event Time

    Event Type
    Severity
    Number

    Domain
    Server
    Group

    Computer
    IP Address
    Operating System

    Client User Name

    Rule Name
    Action

    Caller process
    Target

    Event Description

    11/06/2014 11:17:55

    Tamper Protection
    Major
    8

    Default
    sepm
    My Company\ACS-IR Servers

    ACSSERVER
    x.x.x.x
    Windows Server 2008 Standard Edition

    SYSTEM

     
    Allow

    C:\WINDOWS\SYSTEM32\WERFAULT.EXE
    C:\Windows\System32\sysfer.dll

    "C:\Windows\System32\sysfer.dll"

    11/06/2014 11:16:55

    Tamper Protection
    Major
    15

    Default
    sepm
    My Company\ACS-IR Servers

    ACSSERVER
    x.x.x.x
    Windows Server 2008 Standard Edition

    SYSTEM

     
    Allow

    C:\PROGRAM FILES\NCR\OPENSSH\BIN\SSHD.EXE
    C:\Windows\System32\sysfer.dll

    "C:\Windows\System32\sysfer.dll"



    For more information on network threat protection events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and Attacks log content.
    For more information on traffic events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and the Traffic log content.
    For more information on compliance events, see the Monitors page, Logs tab, and select the Compliance log type and the Host Compliance log content.
    For more information on device control events, see the Monitors page, Logs tab, and select the Application and Device Control log type and the Device Control log content.
    For more information on packet events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and the Packet log content.
    For more information on application control events, see the Monitors page, Logs tab, and select the Application and Device Control log type and the Application Control log content.
     

       

    You can launch the Symantec Endpoint Protection Manager using: http://sepm:9090/symantec.html

     
       


    Found 10 or more security events in 1 minutes on computer ACSSERVER. Actual number of security events found was 40.
    Security events included:
    Compliance and Application Control.

    Symantec Endpoint Protection

     

    Notification Events

    11/06/2014 11:17:00 to 11/06/2014 11:18:00

     

      Print      

     

     

     

     

    Table of Contents

     

     
     

    Network Threat Protection and Compliance Events

     

    Application Control Events

     






     


      Top

     

    Network Threat Protection and Compliance Events

     

    Nothing to Report

     


      Top

     

    Application Control Events

     

    Event Time

    Event Type
    Severity
    Number

    Domain
    Server
    Group

    Computer
    IP Address
    Operating System

    Client User Name

    Rule Name
    Action

    Caller process
    Target

    Event Description

    11/06/2014 11:17:55

    Tamper Protection
    Major
    8

    Default
    sepm
    My Company\ACS-IR Servers

    ACSSERVER
    x.x.x.x
    Windows Server 2008 Standard Edition

    SYSTEM

     
    Allow

    C:\WINDOWS\SYSTEM32\WERFAULT.EXE
    C:\Windows\System32\sysfer.dll

    "C:\Windows\System32\sysfer.dll"



    For more information on network threat protection events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and Attacks log content.
    For more information on traffic events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and the Traffic log content.
    For more information on compliance events, see the Monitors page, Logs tab, and select the Compliance log type and the Host Compliance log content.
    For more information on device control events, see the Monitors page, Logs tab, and select the Application and Device Control log type and the Device Control log content.
    For more information on packet events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and the Packet log content.
    For more information on application control events, see the Monitors page, Logs tab, and select the Application and Device Control log type and the Application Control log content.
     

       

    You can launch the Symantec Endpoint Protection Manager using: http://sepm:9090/symantec.html

     
       


    Found 10 or more security events in 1 minutes on computer ACSSERVER. Actual number of security events found was 29.
    Security events included:
    Compliance and Application Control.

    Symantec Endpoint Protection

     

    Notification Events

    11/06/2014 11:21:00 to 11/06/2014 11:22:00

     

      Print      

     

     

     

     

    Table of Contents

     

     
     

    Network Threat Protection and Compliance Events

     

    Application Control Events

     






     


      Top

     

    Network Threat Protection and Compliance Events

     

    Nothing to Report

     


      Top

     

    Application Control Events

     

    Event Time

    Event Type
    Severity
    Number

    Domain
    Server
    Group

    Computer
    IP Address
    Operating System

    Client User Name

    Rule Name
    Action

    Caller process
    Target

    Event Description

    11/06/2014 11:21:55

    Tamper Protection
    Major
    8

    Default
    sepm
    My Company\ACS-IR Servers

    ACSSERVER
    x.x.x.x
    Windows Server 2008 Standard Edition

    SYSTEM

     
    Allow

    C:\WINDOWS\SYSTEM32\WERFAULT.EXE
    C:\Windows\System32\sysfer.dll

    "C:\Windows\System32\sysfer.dll"

    11/06/2014 11:21:55

    Tamper Protection
    Major
    21

    Default
    sepm
    My Company\ACS-IR Servers

    ACSSERVER
    x.x.x.x
    Windows Server 2008 Standard Edition

    SYSTEM

     
    Allow

    C:\PROGRAM FILES\NCR\OPENSSH\BIN\SSHD.EXE
    C:\Windows\System32\sysfer.dll

    "C:\Windows\System32\sysfer.dll"

    11/06/2014 11:21:16

    Tamper Protection
    Major
    1

    Default
    sepm
    My Company\ACS-IR Servers

    ACSSERVER
    x.x.x.x
    Windows Server 2008 Standard Edition

    LOCAL SERVICE

     
    Allow

    C:\WINDOWS\SYSTEM32\RACAGENT.EXE
    C:\Windows\System32\sysfer.dll

    "C:\Windows\System32\sysfer.dll"

    11/06/2014 11:21:15

    Tamper Protection
    Major
    1

    Default
    sepm
    My Company\ACS-IR Servers

    ACSSERVER
    x.x.x.x
    Windows Server 2008 Standard Edition

    LOCAL SERVICE

     
    Allow

    C:\WINDOWS\SYSTEM32\TASKENG.EXE
    C:\Windows\System32\sysfer.dll

    "C:\Windows\System32\sysfer.dll"



    For more information on network threat protection events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and Attacks log content.
    For more information on traffic events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and the Traffic log content.
    For more information on compliance events, see the Monitors page, Logs tab, and select the Compliance log type and the Host Compliance log content.
    For more information on device control events, see the Monitors page, Logs tab, and select the Application and Device Control log type and the Device Control log content.
    For more information on packet events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and the Packet log content.
    For more information on application control events, see the Monitors page, Logs tab, and select the Application and Device Control log type and the Application Control log content.
     

       

    You can launch the Symantec Endpoint Protection Manager using: http://sepm:9090/symantec.html

     
       


    Found 10 or more security events in 1 minutes on computer ACSSERVER. Actual number of security events found was 29.
    Security events included:
    Compliance and Application Control.

    Symantec Endpoint Protection

     

    Notification Events

    11/06/2014 11:26:00 to 11/06/2014 11:27:00

     

      Print      

     

     

     

     

    Table of Contents

     

     
     

    Network Threat Protection and Compliance Events

     

    Application Control Events

     






     


      Top

     

    Network Threat Protection and Compliance Events

     

    Nothing to Report

     


      Top

     

    Application Control Events

     

    Event Time

    Event Type
    Severity
    Number

    Domain
    Server
    Group

    Computer
    IP Address
    Operating System

    Client User Name

    Rule Name
    Action

    Caller process
    Target

    Event Description

    11/06/2014 11:26:55

    Tamper Protection
    Major
    29

    Default
    sepm
    My Company\ACS-IR Servers

    ACSSERVER
    x.x.x.x
    Windows Server 2008 Standard Edition

    SYSTEM

     
    Allow

    C:\PROGRAM FILES\NCR\OPENSSH\BIN\SSHD.EXE
    C:\Windows\System32\sysfer.dll

    "C:\Windows\System32\sysfer.dll"



    For more information on network threat protection events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and Attacks log content.
    For more information on traffic events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and the Traffic log content.
    For more information on compliance events, see the Monitors page, Logs tab, and select the Compliance log type and the Host Compliance log content.
    For more information on device control events, see the Monitors page, Logs tab, and select the Application and Device Control log type and the Device Control log content.
    For more information on packet events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and the Packet log content.
    For more information on application control events, see the Monitors page, Logs tab, and select the Application and Device Control log type and the Application Control log content.
     

       

    You can launch the Symantec Endpoint Protection Manager using: http://sepm:9090/symantec.html

     
       


    Found 10 or more security events in 1 minutes on computer ACSSERVER. Actual number of security events found was 16.
    Security events included:
    Compliance and Application Control.

    Symantec Endpoint Protection

     

    Notification Events

    11/06/2014 11:27:00 to 11/06/2014 11:28:00

     

      Print      

     

     

     

     

    Table of Contents

     

     
     

    Network Threat Protection and Compliance Events

     

    Application Control Events

     






     


      Top

     

    Network Threat Protection and Compliance Events

     

    Nothing to Report

     


      Top

     

    Application Control Events

     

    Event Time

    Event Type
    Severity
    Number

    Domain
    Server
    Group

    Computer
    IP Address
    Operating System

    Client User Name

    Rule Name
    Action

    Caller process
    Target

    Event Description

    11/06/2014 11:28:25

    Tamper Protection
    Major
    16

    Default
    sepm
    My Company\ACS-IR Servers

    ACSSERVER
    x.x.x.x
    Windows Server 2008 Standard Edition

    SYSTEM

     
    Allow

    C:\WINDOWS\SYSTEM32\WERFAULT.EXE
    C:\Windows\System32\sysfer.dll

    "C:\Windows\System32\sysfer.dll"



    For more information on network threat protection events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and Attacks log content.
    For more information on traffic events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and the Traffic log content.
    For more information on compliance events, see the Monitors page, Logs tab, and select the Compliance log type and the Host Compliance log content.
    For more information on device control events, see the Monitors page, Logs tab, and select the Application and Device Control log type and the Device Control log content.
    For more information on packet events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and the Packet log content.
    For more information on application control events, see the Monitors page, Logs tab, and select the Application and Device Control log type and the Application Control log content.
     

       

    You can launch the Symantec Endpoint Protection Manager using: http://sepm:9090/symantec.html

     
       


    Found 10 or more security events in 1 minutes on computer ACSSERVER. Actual number of security events found was 24.
    Security events included:
    Compliance and Application Control.

    Symantec Endpoint Protection

     

    Notification Events

    11/06/2014 11:31:00 to 11/06/2014 11:32:00

     

      Print      

     

     

     

     

    Table of Contents

     

     
     

    Network Threat Protection and Compliance Events

     

    Application Control Events

     






     


      Top

     

    Network Threat Protection and Compliance Events

     

    Nothing to Report

     


      Top

     

    Application Control Events

     

    Event Time

    Event Type
    Severity
    Number

    Domain
    Server
    Group

    Computer
    IP Address
    Operating System

    Client User Name

    Rule Name
    Action

    Caller process
    Target

    Event Description

    11/06/2014 11:32:55

    Tamper Protection
    Major
    10

    Default
    sepm
    My Company\ACS-IR Servers

    ACSSERVER
    x.x.x.x
    Windows Server 2008 Standard Edition

    SYSTEM

     
    Allow

    C:\WINDOWS\SYSTEM32\WERFAULT.EXE
    C:\Windows\System32\sysfer.dll

    "C:\Windows\System32\sysfer.dll"

    11/06/2014 11:31:55

    Tamper Protection
    Major
    24

    Default
    sepm
    My Company\ACS-IR Servers

    ACSSERVER
    x.x.x.x
    Windows Server 2008 Standard Edition

    SYSTEM

     
    Allow

    C:\PROGRAM FILES\NCR\OPENSSH\BIN\SSHD.EXE
    C:\Windows\System32\sysfer.dll

    "C:\Windows\System32\sysfer.dll"



    For more information on network threat protection events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and Attacks log content.
    For more information on traffic events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and the Traffic log content.
    For more information on compliance events, see the Monitors page, Logs tab, and select the Compliance log type and the Host Compliance log content.
    For more information on device control events, see the Monitors page, Logs tab, and select the Application and Device Control log type and the Device Control log content.
    For more information on packet events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and the Packet log content.
    For more information on application control events, see the Monitors page, Logs tab, and select the Application and Device Control log type and the Application Control log content.
     

       

    You can launch the Symantec Endpoint Protection Manager using: http://sepm:9090/symantec.html

     
       


    Found 10 or more security events in 1 minutes on computer ACSSERVER. Actual number of security events found was 10.
    Security events included:
    Compliance and Application Control.

    Symantec Endpoint Protection

     

    Notification Events

    11/06/2014 11:32:00 to 11/06/2014 11:33:00

     

      Print      

     

     

     

     

    Table of Contents

     

     
     

    Network Threat Protection and Compliance Events

     

    Application Control Events

     






     


      Top

     

    Network Threat Protection and Compliance Events

     

    Nothing to Report

     


      Top

     

    Application Control Events

     

    Event Time

    Event Type
    Severity
    Number

    Domain
    Server
    Group

    Computer
    IP Address
    Operating System

    Client User Name

    Rule Name
    Action

    Caller process
    Target

    Event Description

    11/06/2014 11:32:55

    Tamper Protection
    Major
    10

    Default
    sepm
    My Company\ACS-IR Servers

    ACSSERVER
    x.x.x.x
    Windows Server 2008 Standard Edition

    SYSTEM

     
    Allow

    C:\WINDOWS\SYSTEM32\WERFAULT.EXE
    C:\Windows\System32\sysfer.dll

    "C:\Windows\System32\sysfer.dll"



    For more information on network threat protection events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and Attacks log content.
    For more information on traffic events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and the Traffic log content.
    For more information on compliance events, see the Monitors page, Logs tab, and select the Compliance log type and the Host Compliance log content.
    For more information on device control events, see the Monitors page, Logs tab, and select the Application and Device Control log type and the Device Control log content.
    For more information on packet events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and the Packet log content.
    For more information on application control events, see the Monitors page, Logs tab, and select the Application and Device Control log type and the Application Control log content.
     

       

    You can launch the Symantec Endpoint Protection Manager using: http://sepm:9090/symantec.html

     
       


    Found 10 or more security events in 1 minutes on computer ACSSERVER. Actual number of security events found was 21.
    Security events included:
    Compliance and Application Control.

    Symantec Endpoint Protection

     

    Notification Events

    11/06/2014 11:36:00 to 11/06/2014 11:37:00

     

      Print      

     

     

     

     

    Table of Contents

     

     
     

    Network Threat Protection and Compliance Events

     

    Application Control Events

     






     


      Top

     

    Network Threat Protection and Compliance Events

     

    Nothing to Report

     


      Top

     

    Application Control Events

     

    Event Time

    Event Type
    Severity
    Number

    Domain
    Server
    Group

    Computer
    IP Address
    Operating System

    Client User Name

    Rule Name
    Action

    Caller process
    Target

    Event Description

    11/06/2014 11:36:56

    Tamper Protection
    Major
    19

    Default
    sepm
    My Company\ACS-IR Servers

    ACSSERVER
    x.x.x.x
    Windows Server 2008 Standard Edition

    SYSTEM

     
    Allow

    C:\PROGRAM FILES\NCR\OPENSSH\BIN\SSHD.EXE
    C:\Windows\System32\sysfer.dll

    "C:\Windows\System32\sysfer.dll"

    11/06/2014 11:36:55

    Tamper Protection
    Major
    2

    Default
    sepm
    My Company\ACS-IR Servers

    ACSSERVER
    x.x.x.x
    Windows Server 2008 Standard Edition

    SYSTEM

     
    Allow

    C:\WINDOWS\SYSTEM32\WERFAULT.EXE
    C:\Windows\System32\sysfer.dll

    "C:\Windows\System32\sysfer.dll"

    11/06/2014 11:36:13

    Tamper Protection
    Major
    1

    Default
    sepm
    My Company\ACS-IR Servers

    ACSSERVER
    x.x.x.x
    Windows Server 2008 Standard Edition

    SYSTEM

     
    Allow

    C:\WINDOWS\SYSTEM32\DLLHOST.EXE
    C:\Windows\System32\sysfer.dll

    "C:\Windows\System32\sysfer.dll"



    For more information on network threat protection events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and Attacks log content.
    For more information on traffic events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and the Traffic log content.
    For more information on compliance events, see the Monitors page, Logs tab, and select the Compliance log type and the Host Compliance log content.
    For more information on device control events, see the Monitors page, Logs tab, and select the Application and Device Control log type and the Device Control log content.
    For more information on packet events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and the Packet log content.
    For more information on application control events, see the Monitors page, Logs tab, and select the Application and Device Control log type and the Application Control log content.
     

       

    You can launch the Symantec Endpoint Protection Manager using: http://sepm:9090/symantec.html

     
       


    Found 10 or more security events in 1 minutes on computer ACSSERVER. Actual number of security events found was 27.
    Security events included:
    Compliance and Application Control.

    Symantec Endpoint Protection

     

    Notification Events

    11/06/2014 11:41:00 to 11/06/2014 11:42:00

     

      Print      

     

     

     

     

    Table of Contents

     

     
     

    Network Threat Protection and Compliance Events

     

    Application Control Events

     






     


      Top

     

    Network Threat Protection and Compliance Events

     

    Nothing to Report

     


      Top

     

    Application Control Events

     

    Event Time

    Event Type
    Severity
    Number

    Domain
    Server
    Group

    Computer
    IP Address
    Operating System

    Client User Name

    Rule Name
    Action

    Caller process
    Target

    Event Description

    11/06/2014 11:41:56

    Tamper Protection
    Major
    17

    Default
    sepm
    My Company\ACS-IR Servers

    x.x.x.x
    Windows Server 2008 Standard Edition

    SYSTEM

     
    Allow

    C:\PROGRAM FILES\NCR\OPENSSH\BIN\SSHD.EXE
    C:\Windows\System32\sysfer.dll

    "C:\Windows\System32\sysfer.dll"

    11/06/2014 11:41:56

    Tamper Protection
    Major
    9

    Default
    sepm
    My Company\ACS-IR Servers

    ACSSERVER
    x.x.x.x
    Windows Server 2008 Standard Edition

    SYSTEM

     
    Allow

    C:\WINDOWS\SYSTEM32\WERFAULT.EXE
    C:\Windows\System32\sysfer.dll

    "C:\Windows\System32\sysfer.dll"

    11/06/2014 11:41:30

    Tamper Protection
    Major
    1

    Default
    sepm
    My Company\ACS-IR Servers

    ACSSERVER
    x.x.x.x
    Windows Server 2008 Standard Edition

    SYSTEM

     
    Allow

    C:\WINDOWS\SYSTEM32\DLLHOST.EXE
    C:\Windows\System32\sysfer.dll

    "C:\Windows\System32\sysfer.dll"



    For more information on network threat protection events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and Attacks log content.
    For more information on traffic events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and the Traffic log content.
    For more information on compliance events, see the Monitors page, Logs tab, and select the Compliance log type and the Host Compliance log content.
    For more information on device control events, see the Monitors page, Logs tab, and select the Application and Device Control log type and the Device Control log content.
    For more information on packet events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and the Packet log content.
    For more information on application control events, see the Monitors page, Logs tab, and select the Application and Device Control log type and the Application Control log content.
     

       

    You can launch the Symantec Endpoint Protection Manager using: http://sepm:9090/symantec.html

     
       


    Found 10 or more security events in 1 minutes on computer ACSSERVER. Actual number of security events found was 26.
    Security events included:
    Compliance and Application Control.

    Symantec Endpoint Protection

     

    Notification Events

    11/06/2014 11:46:00 to 11/06/2014 11:47:00

     

      Print      

     

     

     

     

    Table of Contents

     

     
     

    Network Threat Protection and Compliance Events

     

    Application Control Events

     






     


      Top

     

    Network Threat Protection and Compliance Events

     

    Nothing to Report

     


      Top

     

    Application Control Events

     

    Event Time

    Event Type
    Severity
    Number

    Domain
    Server
    Group

    Computer
    IP Address
    Operating System

    Client User Name

    Rule Name
    Action

    Caller process
    Target

    Event Description

    11/06/2014 11:47:26

    Tamper Protection
    Major
    19

    Default
    sepm
    My Company\ACS-IR Servers

    ACSSERVER
    x.x.x.x
    Windows Server 2008 Standard Edition

    SYSTEM

     
    Allow

    C:\PROGRAM FILES\NCR\OPENSSH\BIN\SSHD.EXE
    C:\Windows\System32\sysfer.dll

    "C:\Windows\System32\sysfer.dll"

    11/06/2014 11:47:26

    Tamper Protection
    Major
    6

    Default
    sepm
    My Company\ACS-IR Servers

    ACSSERVER
    x.x.x.x
    Windows Server 2008 Standard Edition

    SYSTEM

     
    Allow

    C:\WINDOWS\SYSTEM32\WERFAULT.EXE
    C:\Windows\System32\sysfer.dll

    "C:\Windows\System32\sysfer.dll"

    11/06/2014 11:46:56

    Tamper Protection
    Major
    1

    Default
    sepm
    My Company\ACS-IR Servers

    ACSSERVER

    x.x.x.x
    Windows Server 2008 Standard Edition

    SYSTEM

     
    Allow

    C:\WINDOWS\SYSTEM32\DLLHOST.EXE
    C:\Windows\System32\sysfer.dll

    "C:\Windows\System32\sysfer.dll"



    For more information on network threat protection events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and Attacks log content.
    For more information on traffic events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and the Traffic log content.
    For more information on compliance events, see the Monitors page, Logs tab, and select the Compliance log type and the Host Compliance log content.
    For more information on device control events, see the Monitors page, Logs tab, and select the Application and Device Control log type and the Device Control log content.
    For more information on packet events, see the Monitors page, Logs tab, and select the Network Threat Protection log type and the Packet log content.
    For more information on application control events, see the Monitors page, Logs tab, and select the Application and Device Control log type and the Application Control log content.
     

       

    You can launch the Symantec Endpoint Protection Manager using: http://sepm:9090/symantec.html

     
       


    Found 10 or more security events in 1 minutes on computer ACSSERVER. Actual number of security events found was 28.
    Security events included:
    Compliance and Application Control.

    Symantec Endpoint Protection

     

    Notification Events

    11/06/2014 11:51:00 to 11/06/2014 11:52:00

     

      Print      

     

     

     

     

    Table of Contents

     

     
     

    Network Threat Protection and Compliance Events

     

    Application Control Events

     






     


      Top

     

    Network Threat Protection and Compliance Events

     

    Nothing to Report

     


      Top

     

    Application Control Events

     

    Event Time | Event Type | Severity | Number | Domain | Server | Group | Computer | IP Address | Operating System | Client User Name | Rule Name | Action | Caller process | Target | Event Description
    11/06/2014 11:52:23 | Tamper Protection | Major | 1 | Default | sepm | My Company\ACS-IR Servers | ACSSERVER | x.x.x.x | Windows Server 2008 Standard Edition | SYSTEM | | Allow | C:\WINDOWS\SYSTEM32\DLLHOST.EXE | C:\Windows\System32\sysfer.dll | "C:\Windows\System32\sysfer.dll"
    11/06/2014 11:51:56 | Tamper Protection | Major | 7 | Default | sepm | My Company\ACS-IR Servers | ACSSERVER | x.x.x.x | Windows Server 2008 Standard Edition | SYSTEM | | Allow | C:\WINDOWS\SYSTEM32\WERFAULT.EXE | C:\Windows\System32\sysfer.dll | "C:\Windows\System32\sysfer.dll"
    11/06/2014 11:51:56 | Tamper Protection | Major | 20 | Default | sepm | My Company\ACS-IR Servers | ACSSERVER | x.x.x.x | Windows Server 2008 Standard Edition | SYSTEM | | Allow | C:\PROGRAM FILES\NCR\OPENSSH\BIN\SSHD.EXE | C:\Windows\System32\sysfer.dll | "C:\Windows\System32\sysfer.dll"




     
       


    Found 10 or more security events in 1 minutes on computer ACSSERVER. Actual number of security events found was 18.
    Security events included:
    Compliance and Application Control.

    Symantec Endpoint Protection

     

    Notification Events

    11/06/2014 11:56:00 to 11/06/2014 11:57:00

     

    Network Threat Protection and Compliance Events

     

    Nothing to Report

     



     

    Application Control Events

     

    Event Time | Event Type | Severity | Number | Domain | Server | Group | Computer | IP Address | Operating System | Client User Name | Rule Name | Action | Caller process | Target | Event Description
    11/06/2014 11:57:52 | Tamper Protection | Major | 1 | Default | sepm | My Company\ACS-IR Servers | ACSSERVER | x.x.x.x | Windows Server 2008 Standard Edition | SYSTEM | | Allow | C:\WINDOWS\SYSTEM32\DLLHOST.EXE | C:\Windows\System32\sysfer.dll | "C:\Windows\System32\sysfer.dll"
    11/06/2014 11:56:56 | Tamper Protection | Major | 18 | Default | sepm | My Company\ACS-IR Servers | ACSSERVER | x.x.x.x | Windows Server 2008 Standard Edition | SYSTEM | | Allow | C:\PROGRAM FILES\NCR\OPENSSH\BIN\SSHD.EXE | C:\Windows\System32\sysfer.dll | "C:\Windows\System32\sysfer.dll"




     
       


    Found 10 or more security events in 1 minutes on computer ACSSERVER. Actual number of security events found was 22.
    Security events included:
    Compliance and Application Control.

    Symantec Endpoint Protection

     

    Notification Events

    11/06/2014 12:01:00 to 11/06/2014 12:02:00

     

    Network Threat Protection and Compliance Events

     

    Nothing to Report

     



     

    Application Control Events

     

    Event Time | Event Type | Severity | Number | Domain | Server | Group | Computer | IP Address | Operating System | Client User Name | Rule Name | Action | Caller process | Target | Event Description
    11/06/2014 12:02:26 | Tamper Protection | Major | 22 | Default | sepm | My Company\ACS-IR Servers | ACSSERVER | x.x.x.x | Windows Server 2008 Standard Edition | SYSTEM | | Allow | C:\PROGRAM FILES\NCR\OPENSSH\BIN\SSHD.EXE | C:\Windows\System32\sysfer.dll | "C:\Windows\System32\sysfer.dll"
    11/06/2014 12:01:47 | Tamper Protection | Major | 1 | Default | sepm | My Company\ACS-IR Servers | ACSSERVER | x.x.x.x | Windows Server 2008 Standard Edition | ACSBACK | | Allow | C:\WINDOWS\SYSTEM32\IPCONFIG.EXE | C:\Windows\System32\sysfer.dll | "C:\Windows\System32\sysfer.dll"






  • 7.  RE: Application Control Events notification

    Posted Nov 06, 2014 10:33 PM

    These are all from tamper protection, which causes heavy alerts. You need to adjust this alert appropriately.



  • 8.  RE: Application Control Events notification

    Posted Nov 07, 2014 04:26 PM

    How do I go about adjusting this alert?



  • 9.  RE: Application Control Events notification

    Posted Nov 08, 2014 11:16 AM

    A Tamper Protection alert is generated when some process tries to shut down Symantec processes. The alerts you are getting are from a process which is under the NCR directory. If you trust the process (it might be a valid, good process), then create an exclusion for it from Tamper Protection. Similarly for the other one, which is under the c:\windows folder.

     

    How to Create Exceptions or Exclusions for Tamper Protection Alerts that have already been logged

    http://www.symantec.com/business/support/index?page=content&id=TECH92553
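
    An added triage script (not from this thread, and not Symantec's own tooling) for deciding which of the events pasted above deserve a Tamper Protection exclusion: it reads rows shaped like the SEPM "Application Control Events" table, sums the Number column per caller process and target, and separates allowed from blocked events. The '|' row delimiter and the sample rows are constructed for this example; the three rows mirror the first email above.

```python
from collections import defaultdict

# Column names exactly as they appear in the SEPM "Application Control Events" table.
FIELDS = ["Event Time", "Event Type", "Severity", "Number", "Domain", "Server",
          "Group", "Computer", "IP Address", "Operating System", "Client User Name",
          "Rule Name", "Action", "Caller process", "Target", "Event Description"]

# Constructed sample: one event per line, 16 fields separated by '|' (the delimiter
# is an assumption for this example; the email renders the same fields as a table).
# These are the three rows of the 11:51-11:52 notification, whose total is 28.
SAMPLE = r"""
11/06/2014 11:52:23|Tamper Protection|Major|1|Default|sepm|My Company\ACS-IR Servers|ACSSERVER|x.x.x.x|Windows Server 2008 Standard Edition|SYSTEM||Allow|C:\WINDOWS\SYSTEM32\DLLHOST.EXE|C:\Windows\System32\sysfer.dll|"C:\Windows\System32\sysfer.dll"
11/06/2014 11:51:56|Tamper Protection|Major|7|Default|sepm|My Company\ACS-IR Servers|ACSSERVER|x.x.x.x|Windows Server 2008 Standard Edition|SYSTEM||Allow|C:\WINDOWS\SYSTEM32\WERFAULT.EXE|C:\Windows\System32\sysfer.dll|"C:\Windows\System32\sysfer.dll"
11/06/2014 11:51:56|Tamper Protection|Major|20|Default|sepm|My Company\ACS-IR Servers|ACSSERVER|x.x.x.x|Windows Server 2008 Standard Edition|SYSTEM||Allow|C:\PROGRAM FILES\NCR\OPENSSH\BIN\SSHD.EXE|C:\Windows\System32\sysfer.dll|"C:\Windows\System32\sysfer.dll"
"""


def parse_events(text):
    """Parse one event per non-blank line into a dict keyed by the SEPM column names."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("|")
        if len(values) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}: {line!r}")
        ev = dict(zip(FIELDS, values))
        ev["Number"] = int(ev["Number"])  # how many times the client saw this event
        events.append(ev)
    return events


def summarize(events):
    """Sum Number per (event type, action, caller process, target), largest first.
    A trusted caller with a large allowed count is the exclusion candidate to review;
    any non-Allow row is worth reading on its own."""
    totals = defaultdict(int)
    for ev in events:
        totals[(ev["Event Type"], ev["Action"], ev["Caller process"], ev["Target"])] += ev["Number"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def blocked(events):
    """Events whose action is anything other than Allow (the ones actually worth an email)."""
    return [ev for ev in events if ev["Action"] != "Allow"]


if __name__ == "__main__":
    for (etype, action, caller, target), n in summarize(parse_events(SAMPLE)):
        print(f"{n:>4}  {etype}  {action}  {caller} -> {target}")
```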



  • 10.  RE: Application Control Events notification

    Posted Nov 08, 2014 11:37 AM

    Go to Monitors >> Notifications >> Notification Conditions

    Should be one called Client security alert

    You need to edit the settings here.