We are experiencing some problems with SEP small business edition 12.1 (clients are running SEPM version 12.1.671.4971).
We receive a lot of emails regarding "Access denied SONAR" "c:\windows\system32\svchost.exe"
I have no idea which program may be the cause of this warning. We have no VPN client software running. Maybe it is the network driver, or another 3rd-party program...
The problem is that you can only enable or disable the SONAR feature in the SMB edition. In the enterprise edition you can change the behavior when a risk such as the one listed above is detected (see image below). We have to find the program that causes this or disable SONAR completely to get rid of the warnings.
I've created a case with Symantec to ask if there is a way to list the process ID of the svchost.exe. After weeks of troubleshooting, they suggested upgrading to the enterprise edition. There is no way to log more information in the SMB edition.
First, Symantec told me that my policies are corrupt; they found some settings which should not be possible to set in the SMB edition. This was a clean installation, no upgrade, so I don't understand this. The next step (I had to do this a few times) was to collect logs on both the server and the affected clients. Nothing was found. I also had to collect some Process Monitor logs. But a few days later, they told me I had to look through the logs myself. Symantec doesn't support procmon, but they asked me to send it to them in the first place...