6 Replies Latest reply on Jul 13, 2009 2:01 PM by tjwreds

    Can't seem to find the policy creating this event

      Hello all,
      I've been asked by our Security Rep to tune out the following rule.
      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      ePolicy Orchestrator Notification
      Rule: Access Protection Violation
      Rule Defined At: Directory
      Rule Description: Access Protection rule violation detected and NOT blocked

      Number of events: 1
      Source computer IP addresses: Not Available

      Computer Name: %Serverinquestion%
      Source Name: Not Available
      Affected Objects: C:\Program Files\VMware\VMware Tools\VMwareUser.exe
      Actual Products: VirusScan
      Actual threat names: Virtual Machine Protection:Prevent Termination of VMWare Processes
      Actual products: VirusScan

      \??\C:\WINDOWS\system32\csrss.exe
      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      Where %serverinquestion% is a VM running on an ESX host. I go to Systems | Policy Catalog | Product: VirusScan Enterprise 8.5 (I've already confirmed 8.5 is on the offending server) | Category: Access Protection Policies. I've checked each policy there for both "Workstation" and "Server" and cannot find this policy.

      Does anyone know what I'm doing wrong, or how to find this policy/rule?

      Thanks in advance,
      tjwreds