SEP 12.1.1000.157 RU1.
Client is getting a lot of event ID 45 in the application log:
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
Event Info: Open Process
ActionTaken: Logged
Actor Process: C:\PROGRAM FILES\EMC\HOSTAGENT\HOSTAGENT.EXE (PID 3520)
Time: Wednesday, December 05, 2012 9:42:31 AM
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
Event Info: Open Process
ActionTaken: Logged
Actor Process: C:\PROGRAM FILES\AVS\BIN\AVAGENT.EXE (PID 2204)
I assumed I was supposed to create tamper exceptions for the actor processes. I have done so, and applied them to this client (and others):
%[PROGRAM FILES]%AVS\BIN\AVAGENT.EXE
%[PROGRAM FILES]%EMC\HOSTAGENT\HOSTAGENT.EXE
(and even for grins, put the explicit path to avagent.exe)
C:\PROGRAM FILES\AVS\BIN\AVAGENT.EXE
Yet the event ID 45 events persist. I don't think this tamper protection is actually doing anything other than logging (a lot of) event ID 45. Am I wrong to expect the tamper exceptions to stop these events?