The goal is to see which processes are generating Tamper Protection events across the network in Symantec Endpoint Protection (SEP) 12.1. What steps are needed to collect the SEP 12.1 Tamper Protection log from the Symantec Endpoint Protection Manager (SEPM)?
Steps to collect the Tamper Protection log (applications being blocked) from SEPM 12.1.x:
1) Select the "Monitors" tab
2) Select Log Type as "Application and Device Control"
3) Select Log Content as "Application Control"
4) Select Advanced Settings
5) Select Event Type as "Tamper Protection"
6) Select Action as "Blocked"
Optional: Set Group to * for all groups (default) or select a specific group. The same applies to Site, Domain, Server, Computer, and IP address.
7) Select "View log"
Refer to the screenshot below.