
Tamper Protection Scan Logs Filling Event Viewer

Created: 16 Apr 2014 • Updated: 17 Apr 2014 | 6 comments
This issue has been solved. See solution.

Currently running SEP 12.1 RU4.

On a few PCs, we are using LogMeIn for remote access.

On those PCs (all of which are XP), the Windows Application Event Viewer is filling up every hour (each scan) with more scan results.

The results point to the logs in C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Logs\AV

Each hour the scan picks up on all of the logs, including the one from the previous hour, so PCs that have had this scan running hourly for months have hundreds of logs, each one being placed into Event Viewer on the hour. 

In SEPM we have set "When a commercial remote control application is detected:" to Ignore.

This is an example from Event Viewer:

Scan type: Tamper Protection Scan
Event: Tamper Protection Detection
Security risk detected: C:\PROGRAM FILES\LOGMEIN\X86\LOGMEIN.EXE
File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Logs\AV\06062013.Log
Location: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Logs\AV
Computer: *
User: SYSTEM
Action taken: Leave Alone
Date found: Wednesday, April 16, 2014  2:15:38 PM

Is there any way to prevent the Tamper Protection Scans from picking up on LogMeIn completely?

Thank you for reading.


.Brian's picture

Create an exclusion for it, see this link on how to:

Creating a Tamper Protection exception

Setting "When a commercial remote control application is detected:" to Ignore is completely separate in this case and won't have an effect on tamper protection alerts.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SOLUTION
mbrii's picture

Thank you _Brian, I added the exception and will report back with my results.

.Brian's picture

Sounds great :) let me know how it goes!


mbrii's picture

That did it!

We had tried setting SEP to ignore the file location, but had set the Exception Type as Application Exception. After creating the exception with Exception Type set to Tamper Protection File the logs stopped on all clients within a couple hours.

Thanks _Brian!
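
To confirm on a client that a Tamper Protection File exception like the one above took effect, exported event text can be checked for detections logged after the policy was applied. This is an added example, not part of the original thread or any Symantec tooling; it assumes the events were exported as blank-line-separated text in the layout quoted in the question, and the sample data and function names are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the event quoted in the question; the
# short C:\SEP\... paths and the extra events are made up for illustration.
SAMPLE = r"""
Scan type: Tamper Protection Scan
Event: Tamper Protection Detection
Security risk detected: C:\PROGRAM FILES\LOGMEIN\X86\LOGMEIN.EXE
File: C:\SEP\Logs\AV\06062013.Log
Date found: Wednesday, April 16, 2014  1:15:38 PM

Scan type: Tamper Protection Scan
Event: Tamper Protection Detection
Security risk detected: C:\Program Files\LogMeIn\x86\LogMeIn.exe
File: C:\SEP\Logs\AV\06072013.Log
Date found: Wednesday, April 16, 2014  2:15:38 PM

Event: Scan Complete
Date found: Wednesday, April 16, 2014  3:00:00 PM
"""

def parse_events(text):
    """Return one dict per Tamper Protection Detection block (blank-line separated)."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only; values hold C:\ paths
            if sep:
                fields[key.strip()] = value.strip()
        if fields.get("Event") == "Tamper Protection Detection":
            stamp = " ".join(fields["Date found"].split())  # collapse the double space
            fields["when"] = datetime.strptime(stamp, "%A, %B %d, %Y %I:%M:%S %p")
            events.append(fields)
    return events

def summarize(events):
    """Map each detected process (upper-cased) to its event count and distinct target files."""
    out = defaultdict(lambda: {"count": 0, "files": set()})
    for ev in events:
        entry = out[ev["Security risk detected"].upper()]
        entry["count"] += 1
        entry["files"].add(ev["File"])
    return dict(out)

def events_after(events, process, cutoff):
    """Detections for `process` logged after `cutoff`; an empty list means they stopped."""
    return [ev for ev in events if ev["when"] > cutoff
            and ev["Security risk detected"].upper() == process.upper()]
```

A growing number of distinct files per process in `summarize` matches the hourly pile-up described in the question, and an empty result from `events_after` with the exception's deployment time as the cutoff shows the detections have stopped.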

.Brian's picture

Awesome! glad it worked :)
