If Symantec Endpoint Protection (SEP) is installed on an agent, many processes access files by the file ID instead of the file path. Due to this behavior, you may notice many PFIL events when SEP is installed in a Domain Controller.
The events occur as the processes try to access the Domain Controller data that is specified as No-Access data in the Domain Controller policy. These PFIL events indicate that SEP is not functioning properly when access to files by file ID is blocked by the policy rules.
The 6.0 Windows policy contains the following two changes to allow SEP to function properly and to prevent the PFIL events from occurring on a Domain Controller where SEP is installed.
Hardening a Domain Controller without SEP installed: If you do not have SEP installed on a Domain Controller and want to harden the Domain Controller based on the rules in the policy prior to the above changes, you can undo the above changes by editing the policy rules: