Hi Guys,
I have "Object Access" enabled in my audit and I noticed that my security logs are filling up with failure audits with event id 560 pointing to ObjectName LiveUpdate. It seems to be a permissions issue as this only occurs on non-admin users. I tried giving modify permissions to c:\program files\symantec\ and c:\windows\system32 but am still getting these failure audits. I have SEP installed on these machines. Any idea on how to stop these without disabling "Object Access" in my security audit?
Below are the details of the failure audit, I've removed info like computer names, user, domain, etc.:
Object Open:
Object Server: SC Manager
Object Type: SERVICE OBJECT
Object Name: LiveUpdate
Handle ID: -
Operation ID: {0,69779488}
Process ID: 1000
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name:
Primary Domain:
Primary Logon ID: (0x0,0x3E7)
Client User Name:
Client Domain:
Client Logon ID: (0x0,0x271A6A3)
Accesses: Query service configuration information
Set service configuration information
Query status of service
Privileges: -
Restricted Sid Count: 0