Event ID: 45 Source: Symantec AntiVirus
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Event Info: Suspend Thread
Action Taken: Blocked
Actor Process: D:\Program Files\UPHClean\uphclean.exe (PID <pid>)
Time: “<date> <time>”.
Symantec Document ID 2009022412404548 (see the link in the Links section) describes how to create exceptions or exclusions for tamper protection alerts that have already been logged.
This event is recorded when the antivirus "thinks" someone is trying to attack it. See Symantec Document IDs 313888, 288444, and 300375 for some examples.
I had more than 50 of these messages per second in my event log. I had no third-party spy or ad removal software installed (Symantec suggested this might be the problem). For me, it was the Lenovo ThinkPad. After uninstalling the ThinkVantage Away Manager program, the problem was solved.
Symantec is investigating this problem to determine a solution. To work around the problem, exclude the Symantec processes from SMS or disable Tamper Protection.
To exclude the processes from SMS, create a text file named Skpswi.dat and place copies of it in the \Program Files\Symantec Antivirus and \Program Files\Common Files\Symantec Shared folders. The System Management Service (SMS) tries to access the Symantec processes as they start, first checking owner and version and then monitoring the process as it runs. SMS logs process activity in the file C:\WINDOWS\system32\CCM\Logs\mtrmgr.log. SMS will not scan any folder tree that contains a Skpswi.dat file.
To disable Tamper Protection:
1. Start Symantec AntiVirus.
2. On the Configure menu, click Tamper Protection.
3. Uncheck Enable Tamper Protection.
4. Click OK.
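Before disabling Tamper Protection or adding exclusions, it helps to see which process is actually triggering the alerts, as in the ThinkVantage case above. The following is an added example, not part of the original page or any Symantec tool: it parses the alert text shown on this page and tallies alerts per actor process. It assumes the event messages have already been exported as strings; the sample messages, PIDs, timestamps and the second actor path are constructed.

```python
import re
from collections import Counter

# Constructed sample messages in the layout shown on this page. PIDs, timestamps
# and the second actor path are made up for illustration.
TEMPLATE = (
    "SYMANTEC TAMPER PROTECTION ALERT\r\n"
    "Target: C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe\r\n"
    "Event Info: Suspend Thread\r\n"
    "Action Taken: Blocked\r\n"
    "Actor Process: {actor} (PID {pid})\r\n"
    'Time: "{when}".'
)
SAMPLE = [
    TEMPLATE.format(actor=r"D:\Program Files\UPHClean\uphclean.exe", pid=1234, when="2009-03-01 10:15:00"),
    TEMPLATE.format(actor=r"D:\Program Files\UPHClean\UPHCLEAN.EXE", pid=1234, when="2009-03-01 10:15:00"),
    TEMPLATE.format(actor=r"C:\Example\othertool.exe", pid=2222, when="2009-03-01 10:15:01"),
    "Scan started on all drives.",  # unrelated event text, must be skipped
]

FIELD_RE = re.compile(r"^(Target|Event Info|Action Taken|Actor Process|Time):\s*(.*?)\s*$", re.M)
PID_RE = re.compile(r"^(.*?)\s*\(PID\s+(\d+)\)$")

def parse_alert(message):
    """Return the alert's fields as a dict, or None if it is not a tamper alert."""
    if "TAMPER PROTECTION ALERT" not in message:
        return None
    fields = dict(FIELD_RE.findall(message))
    m = PID_RE.match(fields.get("Actor Process", ""))
    if m:  # split "path (PID n)" into the path and a numeric PID
        fields["Actor Process"], fields["PID"] = m.group(1), int(m.group(2))
    fields["Time"] = fields.get("Time", "").strip('."\u201c\u201d')  # drop quotes and final dot
    return fields

def tally_actors(messages):
    """Count alerts per (actor path, target file name, event info), busiest first."""
    counts = Counter()
    for msg in messages:
        alert = parse_alert(msg)
        if alert is None:
            continue
        actor = alert.get("Actor Process", "?").lower()  # Windows paths ignore case
        target = alert.get("Target", "?").rsplit("\\", 1)[-1]
        counts[(actor, target, alert.get("Event Info", "?"))] += 1
    return counts.most_common()

if __name__ == "__main__":
    for (actor, target, info), n in tally_actors(SAMPLE):
        print(f"{n:5d}  {actor}  ->  {target}  ({info})")
```

An actor that dominates the tally is the candidate for an exception or for removal; a sudden new actor performing "Suspend Thread" against Rtvscan.exe deserves a closer look before it is excluded.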
Links: Symantec Document ID: 313888, Symantec Document ID: 288444, Symantec Document ID: 300375, Symantec Document ID: 2009022412404548