Endpoint Protection

  • 1.  tamper exceptions not working. syntax?

    Posted Dec 05, 2012 11:02 AM

    SEP 12.1.1000.157 RU1.

    client is getting a lot of event id 45 in the application log:

    SYMANTEC TAMPER PROTECTION ALERT

    Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe

    Event Info: Open Process

    ActionTaken: Logged

    Actor Process: C:\PROGRAM FILES\EMC\HOSTAGENT\HOSTAGENT.EXE (PID 3520)

    Time: Wednesday, December 05, 2012 9:42:31 AM

     

    Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe

    Event Info: Open Process

    ActionTaken: Logged

    Actor Process: C:\PROGRAM FILES\AVS\BIN\AVAGENT.EXE (PID 2204)

     

    i assumed i was supposed to create tamper exceptions for the actor processes. i have done so, and applied them to this client (and others):

    %[PROGRAM FILES]%AVS\BIN\AVAGENT.EXE
    %[PROGRAM FILES]%EMC\HOSTAGENT\HOSTAGENT.EXE

    (and even for grins, put the explicit path to avagent.exe)
    C:\PROGRAM FILES\AVS\BIN\AVAGENT.EXE

    yet the event ID 45 events persist. i don't think this tamper protection is actually doing anything other than logging (a lot of) event id 45. am i wrong to expect the tamper exceptions to stop these events?


  • 2.  RE: tamper exceptions not working. syntax?

    Posted Dec 05, 2012 11:12 AM

    Check this KB article:

    https://www.symantec.com/business/support/index?page=content&id=TECH178526



  • 3.  RE: tamper exceptions not working. syntax?

    Posted Dec 05, 2012 11:28 AM

    thanks Brian. the behavior has persisted through a few reboots of both the client and the sep management server. from your link i checked the http://www.symantec.com/business/support/index?page=content&id=TECH171057 link. i'm not sure if we've installed "maintenance patch 1" yet, i'm not the primary symantec guy. can i tell from my help/about version number:

    SEP 12.1.1000.157 RU1



  • 4.  RE: tamper exceptions not working. syntax?

    Posted Dec 05, 2012 11:32 AM

    You're currently on RU1.

    You can go straight to RU2 which just came out a few weeks ago.



  • 5.  RE: tamper exceptions not working. syntax?

    Posted Dec 05, 2012 01:00 PM

    There was a fix for tamper protection exceptions not being honored in the RU1 MP1 release; you are currently on the release previous to this. The latest RU2 release will include this fix, and I would recommend upgrading to this build. Below is the fix ID for this in RU1 MP1.

    Tamper Protection exceptions are not honored
    Fix ID: 2580578
    Symptom: Tamper Protection exceptions are not honored. An excluded process will trigger tamper protection.
    Solution: The SEP client was sending a delta of the exclusion list to the BASH component. The client was modified to send the complete list to resolve this issue.
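
Added example (not part of the thread and not Symantec code): a small parser for Event ID 45 message text in the layout quoted in the first post. It separates actors that match a configured exception, which is the symptom described under Fix ID 2580578, from actors with no exception. The expansion of `%[PROGRAM FILES]%` to `C:\Program Files\`, the function names and the third sample event are assumptions.

```python
import re
from collections import Counter
# Event ID 45 bodies in the layout quoted in the thread; the third event is constructed.
SAMPLE_EVENTS = r"""SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
Event Info: Open Process
ActionTaken: Logged
Actor Process: C:\PROGRAM FILES\EMC\HOSTAGENT\HOSTAGENT.EXE (PID 3520)
Time: Wednesday, December 05, 2012 9:42:31 AM
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
Event Info: Open Process
ActionTaken: Logged
Actor Process: C:\PROGRAM FILES\AVS\BIN\AVAGENT.EXE (PID 2204)
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
Actor Process: C:\TOOLS\EXAMPLE\PROBE.EXE (PID 4100)"""

# Exceptions exactly as typed in the first post.
EXCEPTIONS = [r"%[PROGRAM FILES]%AVS\BIN\AVAGENT.EXE",
              r"%[PROGRAM FILES]%EMC\HOSTAGENT\HOSTAGENT.EXE"]
PREFIX_VARS = {"%[PROGRAM FILES]%": "C:\\Program Files\\"}  # assumed expansion
FIELD = re.compile(r"^[ \t]*(Target|Event Info|ActionTaken|Actor Process|Time):[ \t]*(.*?)[ \t]*$", re.M)
ACTOR = re.compile(r"^(.*?)\s*\(PID (\d+)\)$")

def parse_events(text):  # one dict per alert; missing fields (e.g. Time) are tolerated
    events = []
    for block in text.split("SYMANTEC TAMPER PROTECTION ALERT"):
        fields = dict(FIELD.findall(block))
        m = ACTOR.match(fields.get("Actor Process", ""))
        if m:  # split "path (PID n)" into its two parts
            events.append({**fields, "Actor Path": m.group(1), "PID": int(m.group(2))})
    return events

def normalise(path):  # expand prefix variables, then fold case (Windows paths)
    for var, real in PREFIX_VARS.items():
        if path.upper().startswith(var):
            path = real + path[len(var):]
    return path.upper()

def split_by_exception(events, exceptions):
    allowed = {normalise(e) for e in exceptions}
    hits, other = Counter(), Counter()  # hits: excepted actors that were still logged
    for ev in events:
        actor = normalise(ev["Actor Path"])
        (hits if actor in allowed else other)[actor] += 1
    return hits, other

if __name__ == "__main__":
    print(split_by_exception(parse_events(SAMPLE_EVENTS), EXCEPTIONS))
```

A non-empty first counter after the exception policy has reached the client means excepted actors are still being logged, so the same check can be rerun after upgrading.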