I'm experiancing a problem on my v.6.x windows kernel based systems (Windows 7 an Windows 2008R2) where excessive security logs are being generated.
I've configured the following:
Symantec Endpoint Protection 12 installed
Windows 2003 Active Directory Domain
Group Policy configured to set "failed audit attempts" on %AllUsersProfile%\Symantec
Windows Auditing configured to log changes to audit policy
Problem:
It appears that the File System security settings defined in the GPO are being continually reapplied files and folders in the C:\ProgramData\Symantec folder structure.
The log message is Event ID 4907: "Audit Settings on Object Have Changed"
This is not being logged on Windows 2003 Server and Windows XP systems.
For no more than 10 systems, I'm getting over 250 of these notifications in a week for each file and folder in the ProgramData\Symantec directory tree. The Symantec root folder itself is getting over 1000 entries.
I've got the same audit policy set for several other directory structures in C:\Windows and C:\Program Files that are not behaving this way.
Any ideas?
-Dan