SYSTEM account in SEP Risk Logs
Created: 11 Feb 2011 | 12 comments
In the Risk logs under the User Name category, sometimes it shows SYSTEM and sometimes it shows the user's login name.
My question is why?
Does the user name category indicate that the virus tried to run under that particular user name, or does it mean that was the user that was logged in when the virus was caught? And how would SYSTEM show, since you can't really log in as SYSTEM? At least our users wouldn't know how to obtain SYSTEM privileges anyway....
I understand the SYSTEM account will be displayed when the risk was not detected by a scheduled or on-demand scan.
Need to check.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
When you create a scan there are two types: an admin-defined scan, which runs under the SYSTEM account, and a user-defined scan, which runs under the user's privileges.
Whichever scan finds the virus, the user is tagged with that particular account....
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
Who creates the user-defined scan? The only scan that we have is a weekly scheduled scan, which was obviously created in the AV policy under admin-defined scans.
SEP Knowledge Base
Endpoint SWAT
Can you check whether a threat detected by the scheduled scan shows the logged-in user account, and whether Auto-Protect and quick scans show the SYSTEM account?
Scheduled scan shows the username while Auto-Protect shows SYSTEM.
If you check the logs, the user stamped will be from the Auto-Protect scan:
whoever is logged in at the time of the scan...
https://www-secure.symantec.com/connect/forums/notification-emails-do-not-provide-correct-user-name
Seems to be the opposite in this case. Scheduled scan shows the user while AP shows SYSTEM.
I will try to run this on a VM and get back to you on this.
Scheduled or AP, if a user is logged in it will be the user name;
if no one is logged in then it will be SYSTEM.
That's what I was thinking at first, but I do know that in the case of both detection methods, scheduled scan and Auto-Protect, the user was logged in both times.
Expected, as the scheduled scan is defined by the admin/user, and when a threat is detected it shows the logged-in user. AV is running with the SYSTEM account; however, on-demand scans trigger under the logged-in user's profile and display the threat as detected while the user was logged in.
Auto-Protect is a service running under the SYSTEM account, so when a threat is detected it is still running as the SYSTEM account and hence it shows the threat as detected by SYSTEM.
And that makes sense, but to me this seems like a shortcoming.
Is it possible to get the username when SYSTEM shows up? Possibly by querying the DB for it?
Not sure; you could give it a try: make rtvscan.exe start as a local logon, i.e. open services.msc --> select the Symantec Endpoint Protection service and change the Log On from SYSTEM to this user.
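One way to answer the "can we get the username when SYSTEM shows up" question without touching the service configuration is to enrich the SYSTEM-tagged Auto-Protect rows with whichever interactive logon session was active on that computer at detection time. This is an added example, not SEP's own tooling; the risk-log column layout and the session table are constructed sample data, not a real SEP export or database schema.

```python
"""Enrich SYSTEM-attributed detections with the interactive logon session
active on the same host at detection time (constructed sample data)."""
import csv
from datetime import datetime
from io import StringIO

# Constructed sample risk-log export with the User Name column as the thread
# describes it: Auto-Protect rows show SYSTEM, scheduled-scan rows show the
# logged-in user. The column layout is assumed, not a real SEP export format.
RISK_LOG = """time,computer,user,scan_type,risk
2011-02-11 09:14:02,WS-01,SYSTEM,Auto-Protect,EICAR Test String
2011-02-11 22:00:45,WS-01,alice,Scheduled Scan,EICAR Test String
2011-02-11 03:30:10,WS-02,SYSTEM,Auto-Protect,EICAR Test String
"""
# Constructed interactive logon sessions for the same hosts (in practice built
# from Security log logon/logoff events or a logon script).
SESSIONS = """computer,user,logon,logoff
WS-01,alice,2011-02-11 08:02:00,2011-02-11 23:10:00
WS-02,bob,2011-02-10 17:00:00,2011-02-10 18:30:00
"""
FMT = "%Y-%m-%d %H:%M:%S"


def parse(text):
    return list(csv.DictReader(StringIO(text)))


def attribute(risk_rows, session_rows):
    """Return risk rows with an added 'attributed_user' field.

    Rows already carrying a user keep it. SYSTEM rows get the user whose
    interactive session on that computer spans the detection time; with no
    matching session (nobody logged in) the row stays SYSTEM. Overlapping
    sessions (RDP, fast user switching) are ambiguous: first match wins.
    """
    sessions = [(s["computer"], s["user"], datetime.strptime(s["logon"], FMT),
                 datetime.strptime(s["logoff"], FMT)) for s in session_rows]
    out = []
    for r in risk_rows:
        row = dict(r)
        t = datetime.strptime(r["time"], FMT)
        row["attributed_user"] = r["user"]
        if r["user"].upper() == "SYSTEM":
            hit = next((u for c, u, a, b in sessions
                        if c == r["computer"] and a <= t <= b), None)
            row["attributed_user"] = hit or "SYSTEM"
        out.append(row)
    return out
```

Running attribute(parse(RISK_LOG), parse(SESSIONS)) attributes the WS-01 Auto-Protect detection to alice and leaves the WS-02 row as SYSTEM, since nobody had an active session there at that time.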