Tamper protection - how to manage alerts and what to do about them?

Hi all,

I've started upgrading our clients to 12.1.3 SEP from 11.x. The new policy has pretty much everything turned on and at default levels (with minor tweaks.)

We've now begun getting lots of tamper protection alerts from the newly upgraded machines. Things touching the SEP registry keys and executables. Lots of random apps are doing this such as:

C:\WINDOWS\SYSTEM32\WERFAULT.EXE

C:\PROGRAM FILES (X86)\SYSTEM CENTER OPERATIONS MANAGER 2007\HEALTHSERVICE.EXE

C:\WINDOWS\CCM\CCMEXEC.EXE

C:\PROGRAM FILES (X86)\VMWARE\VMWARE WORKSTATION\VNETLIB64.EXE

Most of them are trying to interfear with:

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe

or

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin64\Smc.exe

The VMware one touched all of the registry keys for SEP, the others were pointing towards the SEP EXE's.

Now, there are ooodles of articles, blogs and forum posts suggesting to add exceptions and telling everyone and their dog how to do it.... but I've not come across an article saying WHY I should do it. Now, Symantec put this in for a reason, so I'm not about to blindly turn it off just because someone came knocking at the door!

I've already come across a "fake AV" drive-by download that did successfully kill SEP (11.x). (Thankfully the end-user called us about it!!! I logged it w/Symantec and they now block it, by the way.)

Symantec seem to be very good at putting out detailed documentation on what a feature does, just not much at an operational level on how to best use it. What I'd love to see is an operational manual from Symantec on what to check on a daily basis; how to handle the various types of threats (what to ignore and when to leap from your chair and pull the network cable from a PC.) I know they have a massive two week course that costs 10's of thousands of dollars to attend. Not every company can afford or is large enough to see the benefit in sending staff on that. Something inbetween would be nice. (Yes, I asked our account rep, and he just pointed us at the course and said there's nothing else he could find.)

Any help will be greatly appreceiated.

Cheers,

Steve