Recurring Symantec Endpoint Protection Tamper Alerts for besclient.exe

Apologies if I selected the wrong category.

I’m trying to figure out why besclient.exe is frequently attempting to access/modify/scan/etc. some of the Symantec Endpoint Protection processes. My SEP tamper protection log is full of these entries where some action was blocked, but I cannot find what that action was.

I’ve looked through our Analyses, fixlets and baselines and can’t find anything that’s attempting to pull information from or about SEP.

I don’t want to apply an exception in SEP just yet, I’d like to figure out what it’s doing first.

Thanks.

Suggest adding a SEP exclusion for the folders of Bigfix components like root server, relays, and clients.

Bigfix will attempt to identify and inventory the installed software including SEP.


Where is BigFix configured to inventory SEP though? Can’t I just disable that instead of excluding it from SEP?

The only product we have is the Patch management.

It isn’t specific to SEP. Bigfix by default inventories all installed and registered software.

I’m not seeing where that information is presented, accessible, or configured. We only use the patch management feature, do not have inventory or other components.

There is no analysis configured I could find that would pull the information either.

Any analysis, property, or fixlet, including one that lists the running processes on the system, may be enough for Symantec to flag. This includes something as simple as a fixlet checking processes on the system to make sure a process isn't running before running an update.

@shawna Please see the Real Time AV Exclusions documentation at https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Config/c_real_time_av.html for more information regarding this topic. SEP can see the normal content evaluation activities of BigFix as potentially questionable since it is reading registry keys, files, etc., something most applications do not do but is expected for a product like BigFix (this is what it does). My guess is that it could be some of the AV analyses trying to obtain info such as engine/dat versions or process status, or you have the client configured to track application usage and it is trying to obtain info on the SEP processes.