How to collect the Tamper Protection log from Symantec Endpoint Protection Manager in Symantec Endpoint Protection 12.1

Article ID: 155991

Products

Endpoint Protection

Issue/Introduction

You want to see which processes are generating Tamper Protection events across the network in Symantec Endpoint Protection 12.1. What steps are needed to collect the SEP 12.1 Tamper Protection log from the Symantec Endpoint Protection Manager (SEPM)?

Resolution

Steps to collect the Tamper Protection log (applications being blocked) from SEPM 12.1.x:


1) Select the "Monitors" tab
2) Select Log Type as "Application and Device Control"
3) Select Log Content as "Application Control"
4) Select Advanced Settings
5) Select Event Type as "Tamper Protection"
6) Select Action as "Blocked"

Optional: Set Group to * for all groups (the default) or select a specific group. The same applies to Site, Domain, Server, Computer, and IP address.

7) Select "View log"

Refer to the screenshot below.

