In the Risk logs under the User Name category sometimes it shows SYSTEM and sometimes it shows the user's login name.
My question is why?
Does the user name category indicate that the virus tried to run under that particular user name or does it mean that was the user that was logged in when the virus was caught? And how would SYSTEM show since you can't really log in as SYSTEM? At least our users wouldn't know how to obtain SYSTEM privileges anyways....
I understand the System account will be displayed when there is no risk detected by a scheduled or on-demand scan.
Need to check.
When you create a scan there are two types: an admin-defined scan, which runs under the system account, and a user-defined scan, which runs under user privileges.
Whichever scan finds the virus, the user is tagged with that particular account....
Who creates the user defined scan? The only scan that we have is a weekly scheduled scan which was obviously created in the AV Policy under Admin defined scans
If you check the logs, then the user stamped will be from the Auto-Protect scan,
whoever is logged in at the time of the scan...
https://www-secure.symantec.com/connect/forums/notification-emails-do-not-provide-correct-user-name
Can you check if the scheduled scan detected threat shows the user logged-in account and the autoprotect scan / quick scan shows the SYSTEM account?
Scheduled scan shows username while Autoprotect shows SYSTEM
Seems to be the opposite in this case. Scheduled scan shows the user while AP shows SYSTEM
I will try to run this on a VM and get back to you on this.
Scheduled or AP, if a user is logged in it will be the user name;
if no one is logged in then it will be SYSTEM.
That's what I was thinking at first but I do know that in the case of both detection methods, scheduled scan and autoprotect, the user was logged in both times.
Expected, as the scheduled scan is defined by the admin/user, and when a threat is detected it shows the user logged in. AV is running with the system account; however the on-demand scans will trigger under the logged-in user's profile and display the threat detected while the user was logged in.
Auto-Protect is the service and runs under the system account, so when a threat is detected it is still running as the SYSTEM account and hence it shows the threat detected as SYSTEM.
And that makes sense but to me this seems like a shortcoming.
Is it possible to get the username then when SYSTEM shows up? Possibly querying the DB for it?
Not sure, if you can give it a try .. make rtvscan.exe start as a local logon, i.e. open services.msc --> select the Symantec Endpoint Protection service and change the log on from SYSTEM to this user.
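As an added example (not from this thread or from Symantec), here is one way to answer the "can we get the username when SYSTEM shows up" question without touching the service account: enrich the Risk-log export after the fact. The User Name column records the account the detecting scan ran under (Auto-Protect is a SYSTEM service, a scheduled scan runs in the logged-in user's context), so for SYSTEM rows the script looks up which interactive logon session on that computer covered the detection time. The CSV column names, the timestamps and the logon-session table are constructed for illustration and are assumptions, not SEP's real export format or database schema; in practice the session table would come from Windows Security events 4624/4634 with logon type 2 or 10.

```python
"""Enrich SEP Risk-log rows whose User Name is SYSTEM with the interactive
user logged on to the same computer at detection time.

Added example: the CSV columns and the logon-session records are constructed
for illustration and are not SEP's own export format or database schema.
"""
import csv
import io
from datetime import datetime

# Constructed Risk-log export (assumed column names, not SEP's real export).
RISK_LOG_CSV = """\
time,computer,user,risk,source
2012-05-14 09:12:03,WS-001,SYSTEM,Trojan.Gen,Auto-Protect scan
2012-05-14 22:00:41,WS-001,jsmith,Trojan.Gen,Scheduled scan
2012-05-15 03:17:55,WS-002,SYSTEM,W32.Sality,Auto-Protect scan
2012-05-15 11:30:00,WS-002,SYSTEM,Downloader,Auto-Protect scan
"""

# Constructed interactive logon sessions, as you might derive them from
# Windows Security events 4624 (logon) / 4634 (logoff) with logon type 2 or 10.
# An end of None means the session was still active.
LOGON_SESSIONS = [
    ("WS-001", "jsmith", "2012-05-14 08:30:00", "2012-05-14 23:05:10"),
    ("WS-002", "agarcia", "2012-05-15 08:55:12", None),
]

FMT = "%Y-%m-%d %H:%M:%S"


def parse_ts(text):
    """Parse the constructed timestamp format used in both tables."""
    return datetime.strptime(text, FMT)


def users_logged_on(computer, when, sessions=LOGON_SESSIONS):
    """Return the users with an interactive session on `computer` covering `when`."""
    found = []
    for host, user, start, end in sessions:
        if host != computer:
            continue
        if parse_ts(start) <= when and (end is None or when <= parse_ts(end)):
            found.append(user)
    return found


def enrich(csv_text=RISK_LOG_CSV, sessions=LOGON_SESSIONS):
    """Return one dict per risk row with an added 'logged_on_user' field.

    The original 'user' column is left untouched: it records the account the
    detecting scan ran under, which is why Auto-Protect rows say SYSTEM. The
    added field is the best available answer to "who was at the keyboard".
    """
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = parse_ts(row["time"])
        if row["user"].upper() == "SYSTEM":
            users = users_logged_on(row["computer"], when, sessions)
            row["logged_on_user"] = ",".join(users) if users else "(nobody logged on)"
        else:
            # A non-SYSTEM row already names the user context the scan ran in.
            row["logged_on_user"] = row["user"]
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in enrich():
        print(f"{r['time']} {r['computer']:7} {r['user']:7} -> "
              f"{r['logged_on_user']:20} {r['risk']} ({r['source']})")
```

Keeping the service as SYSTEM and correlating afterwards means the enrichment can also say "nobody logged on", which is exactly the case where an Auto-Protect detection at 03:17 on an idle workstation deserves a closer look than one that coincides with a user's session.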