Video Screencast Help

Endpoint Protection creates Audit Failures EventID 4656

Created: 17 Apr 2013 | 3 comments

I'm having a problem with Endpoint Protection 12.1.2015.2015 creating over 100,000 Audit Failure Security logs, EventID 4656, when doing a full scan. The security log was 205 MB after a scan of only C:\Windows; it didn't include audited folders anywhere else on the computer.

Because of the security requiments I need to follow, I have Failure Auditing enabled for almost everything in C:\Windows, and some other folders. I found the Symantec article below, but that turns off Handle Manipulation auditing, which seems to turn off all file and folder auditing, which isn't acceptible.

A couple of questions:

When this does a scan, why does it try to open files with WriteData, AppendData, WriteEA and WriteAttributes? Shouldn't a scan only be reading the file unless a virus or malware is found?

Why does it run under the account of the logged on user rather than Local System (which is what all the Symantec services are setup with)? I even tried a scheduled scan (with a user logged on) and it ran under the user account. If it ran under the account configured in the service I don't think this would be a problem since that account has full control.

Is there a way to fix this?

Operating Systems:

Comments 3 CommentsJump to latest comment

Rafeeq's picture

if the scan is scheduled from SEPM it willl run under system account

if the scan is created by a user , it willl run under logged on user account.

jamesrob04's picture

I have the exact same issue, an answer on this would be great. SameerU, I followed your link it that article doesn't help at all, that article talks abour scans not starting on time.