I’m trying to figure out why the besclient.exe is frequently attempting to access/modify/scan/etc. some of the Symantec Endpoint Protection processes. My SEP tamper protection log is full of these entries where some action was blocked, but I cannot find what that action was.
I’ve looked through our Analyses, fixlets and baselines and can’t find anything that’s attempting to pull information from or about SEP.
I don’t want to apply an exception in SEP just yet, I’d like to figure out what it’s doing first.
I’m not seeing where that information is presented, accessible, or configured. We only use the patch management feature, do not have inventory or other components.
There is no analysis configured I could find that would pull the information either.
Any analysis, property, or fixlet including one that lists the running processes on the system may be enough for Symantec to flag. This includes something as simple as a fixlet checking processes on the system to make sure a process isn’t running before running an update.
@shawna Please see the Real Time AV Exclusions documentation at https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Config/c_real_time_av.html for more information regarding this topic. SEP can see the normal content evaluation activities of BigFix as potentially questionable since it is reading registry keys, files, etc… something most applications do not do but is expected for a product like BigFix (this is what it does). My guess, it could be some of the AV analyses trying to obtain info such as engine/dat versions, process status, or you have the client configured to track application usage and it is trying to obtain info on the SEP processes.
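One way to narrow down which content is touching processes, as suggested in the replies above (an added example, not part of the original thread and not HCL code): scan exported content for relevance that inspects running processes. It assumes the content was exported from the console as `.bes` XML; the sample document, the `find_process_checks` name and the phrase list are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Relevance phrases that enumerate or inspect running processes/services.
# This list is an assumption; extend it to match your own content.
PROCESS_PATTERNS = re.compile(
    r"\b(running applications?|process(es)?|running services?)\b", re.I)

# Constructed sample in the .bes export layout (not real site content).
SAMPLE_BES = """<BES>
  <Fixlet>
    <Title>Constructed: update ExampleApp</Title>
    <Relevance>exists file "C:\\ExampleApp\\app.exe"</Relevance>
    <Relevance>not exists running application "app.exe"</Relevance>
  </Fixlet>
  <Analysis>
    <Title>Constructed: AV status</Title>
    <Relevance>windows of operating system</Relevance>
    <Property Name="AV processes" ID="1">names of processes whose (name of it starts with "ExampleAV")</Property>
  </Analysis>
  <Fixlet>
    <Title>Constructed: registry check only</Title>
    <Relevance>exists key "HKLM\\Software\\Example" of registry</Relevance>
  </Fixlet>
</BES>"""


def find_process_checks(bes_xml):
    """Return (content type, title, where, relevance) for every relevance
    clause or analysis property that inspects processes."""
    hits = []
    root = ET.fromstring(bes_xml)
    for item in root:  # top-level Fixlet / Task / Analysis / Baseline elements
        title = (item.findtext("Title") or "").strip()
        for node in item.iter():
            if node.tag not in ("Relevance", "Property"):
                continue
            text = (node.text or "").strip()
            if PROCESS_PATTERNS.search(text):
                # Properties are reported by name, relevance clauses by tag.
                where = node.get("Name") or node.tag
                hits.append((item.tag, title, where, text))
    return hits


if __name__ == "__main__":
    for kind, title, where, text in find_process_checks(SAMPLE_BES):
        print(f"{kind}: {title} [{where}] -> {text}")
```

Comparing the titles this reports against the timestamps in the SEP tamper protection log helps decide whether an exclusion is justified before adding one.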