Was this ever resolved?
I have the same problem although we have the exclusions in place as mentioned https://docs.splunk.com/Documentation/Splunk/7.1.1/ReleaseNotes/RunningSplunkalongsideWindowsantivirusproducts
This is the error we receive in ePO:
***VIOLATION: [7] ------- Violation Logged ---- Size 888 ----
SignatureID="1052"
SignatureName="Linux Agent Shielding - Module Access"
SeverityLevel="4"
Reaction="3"
ProcessUserName="bin"
Process="/opt/splunk/bin/splunkd"
IncidentTime="2018-12-05 18:59:26"
AllowEx="True"
SigRuleClass="UNIX_misc"
ProcessId="2"
Session="11497"
SigRuleDirective="killagent"/>
name="process chain" allowex="False">/usr/lib/systemd/systemd
name="process chain" allowex="False">/opt/splunk/bin/splunkd
name="process chain" allowex="False">/opt/splunk/bin/splunkd
name="process chain" allowex="False">/opt/splunk/bin/splunkd
name="uid" allowex="True">1002
name="pid" allowex="True">11497
name="signal" allowex="True">unknown
... View more