rtvscan.exe is the active component for real-time AV scanning and in-process memory scanning...  It will access files as the OS access them to read them, ensure they are not malicious, and then pass it off to the OS.  

It would seem to me, you need to alter your alerting system to exempt out this exe, as it's going to access just about everything on your server.

We've got 300+ Server 2003 systems and they do not cause this. I was hoping someone with RU5 experience on Server 2008 R2 would chime in. This was a simple base install. Ran the CD's, patched it and installed AV. It gets the same group policies as all other servers, yet something different is happening.

While we did take it out of the alerting system, the Security event log is chock full of these things and we don't understand why.

Ray

an auditing policy, is there a possiblity one was accidently or on purpose set to this machine?

Open local group policy object by using gpmc or adding the snapin for mmc

Check Local Policies\Audit Policy and see if there are any folder audits..or perhaps file audit of rtvscan...

Steve

Sorry about suggesting the obvious first :-)

No problem. We're "obviously" missing something here because auditing is supposed to be turned off by default. I'll let you know.

Ray

I am also seeing this only on my 2008 servers. I have had audit policies on since I started at my current job and these audit errors were never an issue before. I would prefer to keep my audit policies on but would like these messages to go away. I am unclear if the virus scan is working properly when I get these messages, and it appears that there is one for about every file it scans. These must be some type of conflict. If I turn off my auditing, I will never see valid audit failures.

My group policy setting apply to all of my servers, so you are suggesting that I turn this off on my entire domain. I don't want to do that. Is that the only option?

Thanks!
Annette

You could try- this is for aehrlich; create a user with sufficient priviledges to run Symantec and it's services as an account. 
Once this is done, you should be able to assign that user to the services in question.

Upon doing that, you could modify your audit policy to exempt that specific user. 

If that specific users accesses are not being audited, you should be exempt from receiving a notification from each event. 

You can either do it with a domain account or local.  Should this turn out ot be a bug, at least you would have that user for any other Server 2008 machines encountering the same problem until it is resolved. 

You should also document this, so that should you require changing it back or performing this again, you would remember why it was done.

Just my 2 cents...

Are there any Server 2008 R2 users NOT seeing this issue? It seems to be a behavior change in either 2008 R2 or RU5.

Ray

Did you ever find a fix for this? We are seeing the same thing. We need auditing to be on as we monitor security relavant objects, but it's also logging stuff we don't need. We're also see "buzillions" of 4624 and 4634 event logs that are unnecessary (service accounts, network shares, etc). But we need those event IDs for the user actions.

Nope.

Happens on Server 2008R2 and Win 7. We need a real solution, not manually creating a user account to run the services, especially when there are many systems involved.

Get granular.

dump your audit policy

auditpol.exe /backup /file:currentpol.inf

look for the offending policy, in my case it was:

SERVERNAME,System,Other Object Access Events,{0CCE9227-69AE-11D9-BED3-505054503030},Success,,1

depending on your local/group policies you may see sucess and failures.  

to disable this, change that line to read like:

SERVERNAME,System,Other Object Access Events,{0CCE9227-69AE-11D9-BED3-505054503030},No Auditing,,0

save the file as audit-new.inf

load the policy - 

auditpol /restore /file:audit-new.inf

you should no longer see these events being tracked in the sec log.  If this has been enabled by a GPO from a 2003 domain please refer to the following : 

http://support.microsoft.com/kb/921469