I have approxmiately 160 CSA agents on (mainly) laptop clients. I receive a large number of email notifications stating the following each day:
The process 'C:\WINDOWS\system32\svchost.exe' (as user NT AUTHORITY\SYSTEM) attempted to modify a Cisco Security Agent resource Cisco process C:\Program Files\Cisco operation was denied.
I've no doubt it's benign activity because it is detected on freshly ghosted/patched machines shortly after CSA is installed and the laptop is given to a user. However, I haven't been able to get any good feedback from my users which might indicate what they were/their systems were doing at about the time these events were logged.
Does anyone have any insight into what Windows XP-based activity would result in so many of these svchost.exe events? I would appreciate any feedback.