Endpoint Protection Small Business Edition

  • 1.  Tamper Protection centralized exclusions don't seem to be doing anything

    Posted Jul 28, 2011 07:20 PM

    Thought I would run this by the forum before I contacted support. We're running SEP Small Business 12.1 with the management component on an SBS 2011 Essentials Server and managed agents on Windows 7 Pro x86 and XP Pro machines. We've been getting a number of tamper protection alerts from a number of known good programs on all of the clients.

    So a few questions:

    1. What is really happening when Tamper Protection blocks a program? Clearly these other programs aren't trying to shut down SEP (for example one is the Synaptics driver on a laptop), so why are we getting alerted?
    2. Is it safe to turn off the notifications and allow Tamper Protection to continue blocking? Or are we going to run into problems with SEP blocking something, which breaks something?
    3. When I add these programs to the Tamper Protection exclusion list on the server, it doesn't seem to do anything. Clients are still being notified even if the program is on the list.
    4. If Tamper Protection is really important, then why is the default setting in the default policy "Log the Event Only" and not "Block it and Log the Event".

    I guess what I'm hoping for is some "best practices" advice for using Tamper Protection.

    Thanks in advance.

    Alex



  • 2.  RE: Tamper Protection centralized exclusions don't seem to be doing anything

    Posted Jul 28, 2011 10:51 PM

    1) Sometimes there will be a few false positives too.

     

    A best practice when you initially use Symantec Endpoint Protection Small Business Edition is to use the action Log the event only while you monitor the logs once a week. When you are comfortable that you see no false positives, then set Tamper Protection to Block it and log the event.

    2) Is it safe to turn off the notifications and allow Tamper Protection to continue blocking? Or are we going to run into problems with SEP blocking something, which breaks something?
    Yes
     
    3) When I add these programs to the Tamper Protection exclusion list on the server, it doesn't seem to do anything. Clients are still being notified even if the program is on the list.
     
     
    4) If Tamper Protection is really important, then why is the default setting in the default policy "Log the Event Only" and not "Block it and Log the Event"?

    Default action configured by Symantec; refer to the document above.


  • 3.  RE: Tamper Protection centralized exclusions don't seem to be doing anything

    Posted Jul 31, 2011 12:43 PM

    Configuring Tamper Protection

    http://www.symantec.com/business/support/index?page=content&id=HOWTO27623&actp=search&viewlocale=en_US&searchid=1312130531518

     

    Changing Tamper Protection settings

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55266&actp=search&viewlocale=en_US&searchid=1312130561837

     

    About Tamper Protection

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55267&actp=search&viewlocale=en_US&searchid=1312130581804



  • 4.  RE: Tamper Protection centralized exclusions don't seem to be doing anything

    Posted Aug 01, 2011 02:13 PM

    Thanks for the responses. I'll call Support and find out why the exclusions don't seem to be excluding. And I'm still not exactly sure what happens when tamper protection blocks a program, but perhaps Support will be able to better explain that.

    -Alex



  • 5.  RE: Tamper Protection centralized exclusions don't seem to be doing anything

    Posted Aug 03, 2011 05:00 PM

    Jackrabbit, have you gotten any good answers? I've been having the same problem. One application (a backup agent) triggers CONSTANTLY (batches of 2-5, every few minutes). I have the file in an exclusion, and it's just not working. I've tried it with the shortcut and with the full drive letter path, and neither seems to help.

    It feels silly turning off a feature within a day of getting the new software, but something is clearly broken with the exception, and I don't know what else to do.