Windows application event log shows a "Tamper Protection Alert" with Event ID 45.
The target is the "luall.exe" and the actor process is "SAVFMSELive.exe".
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec\LiveUpdate\LUALL.EXE
Event Info: Terminate Process
Action Taken: Logged
Actor Process: C:\Program Files\Symantec\SMSMSE\6.5\Server\SAVFMSELive.exe (PID 8252)
Time: Day, Date Time
Symantec Mail Security for Microsoft Exchange (SMSMSE) is accessing LiveUpdate. The Symantec Endpoint Protection client is recognizing the process.
In order to prevent these messages, SEP's Tamper Protection can now be configured with exclusions. Or to be more accurate, processes can be excluded from Tamper Protection in the new Centralized Exceptions feature.