Hi Brian,
Apologies for not getting back. We did get to the bottom of this in the end with the help of Symantec Technical Support and the replies here.
Access of the NTUser.dat files was caused by a function in RTVScan which regularly checks all user defined scans in each users profile. As previously mentioned this function happens regardless of exceptions as it's not part of a scan.
Registry changes can be used to prevent RTVScan from checking user defined scan's which are detailed below. It's important to note that SEP12.1 changed the storage location of user scheduled scans out of the user registry and so doesn't have this issue.
The following was taken from an internal document I believe:
--------------
Cause
In the "MainTimer" function, RtvScan will regularlly check all users defined schedule scan which will hive related "ntuser.dat". This operation will consume CPU. As this server has several login user accounts, so this process will take quite long time and keep CPU high.
Solution
Try this workaround for SEP 11.0 RU6 or higher:
1. Add a “ScanStartupDelay” register key under
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\ProductControl], "ScanStartupDelay"=dword:7776000
2. Add a “DisableRTScheduledScanUpdate” register key under
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\ProductControl], " DisableRTScheduledScanUpdate "=dword: 00000001
3. Add a “ReloadRTScheduledScanHours” register key under
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\ProductControl], " ReloadRTScheduledScanHours "=dword: 00002160
(OBS: The values should be entered in decimal format. Also, the preceding zeroes on the numbers may be automatically truncated by the Registry Editor.)
4. Restart the rtvscan service or reboot the computer .
The same issue does not happen in SEP 12.1.Please update me once you have checked it so that we will close this case.
--------------
After getting this response and searching for specific terms from it I also found the following post which mentions the same issue and relates to the CPU usage:
https://www-secure.symantec.com/connect/ideas/ability-stop-sep-scanning-user-profiles-user-defined-scans-servers
I've tested the registry changes and they do appear to fix the issue, and so will act as a workaround until we upgrade SEP.
Thank's for all the replies here. The help/guidance was greatly appreciated.