Hi,
The policy I'm using is a simple File and Folder Access Attempts policy with Allow and Logging selected for both Read and Modify/Delete/Create options. The selected area I am monitoring is ' %windir%\system32\* '.
A number of SEP processes are coming up quite regularly so I have put them into the Process Exceptions field in the policy, making sure the policy is actually on the machine I'm testing - but I still get the processes being logged.
For example, when looking in the Logs (Monitor>Logs>Application & Device control>Application Control) area I can see that a Caller Process named C:/Program Files/Symantec/Symantec Endpoint Protection/Smc.exe is reading a DLL file in my System32.
I export the Log file then cut and paste that exact line into the 'Do not apply this rule to the following processes:' field. However it still comes up even though I have confirmed that the client has got the new updated policy.
I've got ' * ' (wildcard) in the field above i.e. 'Apply this rule to the following processes:' and I have ticked the 'Sub-processes inherit conditions' box.
It's really annoying - HELP!