There was a time when I could remember what the Symantec antivirus acronyms were - life was simpler with SAVCE (Symantec Anti Virus Corporate Edition) and even SMSMSE (Symantec Mail Security for Microsoft Exchange). Now we've got SEP, which doesn't remind you of an AV connection; worse still, with the current version it's SEP11, which just says it's all coming crashing down. Then there's the latest Symantec Information Foundation Mail Security for Microsoft Exchange, which just trips off the tongue; even the acronym SIFMSMSE is longer than most competitors' product names.
Anyway, to the point. I've had an SBS2003R2 server running SEP 11.0 MR2 (I'm not even going to go there with the rest of the acronyms, but it was pre MP too) and SIFMSMSE 6.0.6 generating daily warnings in the Event Viewer, which were making it into the SBS 6am daily monitoring report. The daily report didn't actually show much other than that the source was Symantec AntiVirus. Taking a look in the Event Viewer shows Event ID 45 and screams SYMANTEC TAMPER PROTECTION ALERT. Turns out it's Symantec's own product, the SIFMSMSE server, which happily lives in the old SMSMSE directory.
Long story short, you can tell the antivirus to stop worrying about Symantec playing with itself (yes there was probably a more popular blog title in that) by going into SEP Console > Policies > Centralized Exceptions > right-click on the policy and choose Edit. Click Centralized Exceptions and add a Tamper Protection Exception for
with an action of ignore.
All quiet on the front now.
PS I do like Symantec products - one of the few - always worked well for me, although the complexity and management from an SBS point of view seem to be increasing significantly. Reminds me of the old McAfee, which just got too complex to manage quickly and easily for a small business - haven't touched that since.