Why do some exceptions still come up in my logs?
I've created a control policy to monitor my system32 directory (modify only) and an independent 'test' directory (read and modify).
I got an onslaught of entries every time SEP did an update, so I added all those processes to the centralised exceptions policy. I also added some other processes to the centralised exceptions policy that I know are standard OS activities. However, there have been a couple of exceptions:
1) SEP's local Rtvscan.exe process, which is already in my centralised exceptions, still comes up in the log entries when assumably scanning my test directory.
2) The c:/windows/system32/spoolsv.exe process writes to the system32/spool directory every hour and again is logged, even though I have got that very same process as an exception in the centralised policy it is using, have got the spool directory to be ignored also in the centralised policy, and have also added the spool directory to the files and folders exceptions list in the actual control policy as well.