Event ID: 45 Source: SymantecAntiVirus

Description
SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Event Info:Suspend Thread
Action Taken:Blocked
Actor Process:D:\Program Files\UPHClean\uphclean.exe (PID <pid>)
Time:<date> <time>.
Comments
 
Symantec Document ID 2009022412404548 (see the link in the Links section) describes how to create exceptions or exclusions for tamper protection alerts that have already been logged.
This event is recorded when the antivirus "thinks" someone is trying to attack it. See Symantec Document IDs 313888, 288444, and 300375 for some examples.
I had more than 50 of these messages per second in my event log. I had no third-party spyware or ad-removal software installed (Symantec suggested this might be the problem). For me, it was the Lenovo ThinkPad. After uninstalling the ThinkVantage Away Manager program, the problem was solved.
Symantec is investigating this problem to determine a solution. To work around the problem, exclude the Symantec processes from SMS or disable Tamper Protection.

To exclude the processes from SMS, create a text file named Skpswi.dat and place copies of it in the \Program Files\Symantec Antivirus and \Program Files\Common Files\Symantec Shared folders. The System Management Service (SMS) tries to access the Symantec processes as they start, first checking owner and version and then monitoring the process as it runs. SMS logs process activity in the file C:\WINDOWS\system32\CCM\Logs\mtrmgr.log. SMS will not scan any folder tree that contains a Skpswi.dat file.

To disable Tamper Protection:
1. Start Symantec AntiVirus.
2. On the Configure menu, click Tamper Protection.
3. Uncheck Enable Tamper Protection.
4. Click OK.
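The event description records the actor process for each alert, but when the Application log fills at tens of alerts per second (as in the ThinkVantage and SMS cases above) a summary per actor is what you need before deciding between a targeted exclusion and switching Tamper Protection off. The following PowerShell is added here as an example; it is not code from the original page, from Symantec, or from any of the commenters. It assumes the provider is registered in the Application log under the name "SymantecAntiVirus" (the Source shown above) and that the message uses the Target / Event Info / Action Taken / Actor Process layout quoted above; both are assumptions about the local installation.

```powershell
# Added example (not from the original page): summarize Symantec Tamper
# Protection alerts (Event ID 45) by the process that triggered them.
# Assumptions: provider name "SymantecAntiVirus" in the Application log, and
# the "Target:/Event Info:/Action Taken:/Actor Process:" message layout.
[CmdletBinding()]
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$MaxEvents = 10000
)

$filter = @{ LogName = 'Application'; ProviderName = 'SymantecAntiVirus'; Id = 45 }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                       -MaxEvents $MaxEvents -ErrorAction Stop

# One anchored regex per field; an unexpected message layout yields an empty
# value instead of a mis-parsed one. "(?m)" makes ^ and $ match per line, and
# the trailing \s* swallows the \r of CRLF line endings before $.
$fields = [ordered]@{
    Target    = '(?m)^Target:\s*(.+?)\s*$'
    EventInfo = '(?m)^Event Info:\s*(.+?)\s*$'
    Action    = '(?m)^Action Taken:\s*(.+?)\s*$'
    Actor     = '(?m)^Actor Process:\s*(.+?)\s*\(PID\s+(\d+)\)'
}

$parsed = foreach ($e in $events) {
    $row = [ordered]@{ Time = $e.TimeCreated }
    foreach ($name in $fields.Keys) {
        $row[$name] = if ($e.Message -match $fields[$name]) { $Matches[1] } else { '' }
    }
    [pscustomobject]$row
}

# Group by actor and compute an alert rate over the span each actor was active.
# A sustained burst from one management-agent path (uphclean.exe, an SMS agent,
# ThinkVantage) is the "noisy neighbour" pattern; an actor you cannot account
# for deserves a look before any exclusion is written.
$parsed | Group-Object Actor | Sort-Object Count -Descending | ForEach-Object {
    $times   = @($_.Group.Time | Sort-Object)
    $seconds = [math]::Max(($times[-1] - $times[0]).TotalSeconds, 1)
    [pscustomobject]@{
        ActorProcess = $_.Name
        Alerts       = $_.Count
        PerSecond    = [math]::Round($_.Count / $seconds, 2)
        Actions      = ($_.Group.EventInfo | Sort-Object -Unique) -join ', '
        Blocked      = ($_.Group.Action    | Sort-Object -Unique) -join ', '
        Targets      = ($_.Group.Target    | Sort-Object -Unique) -join ', '
    }
} | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session (reading the Application log of a remote computer also needs the Remote Event Log Management firewall rule on the target). Once the offending actor path is known, an exclusion scoped to that process, as described in Symantec Document ID 2009022412404548, keeps Tamper Protection active for everything else, whereas unchecking "Enable Tamper Protection" leaves Rtvscan.exe open to the thread-suspension and termination attempts the feature exists to block.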
