
SYSTEM account in SEP Risk Logs

Created: 11 Feb 2011 | 12 comments
.Brian wrote:

In the Risk logs under the User Name category, sometimes it shows SYSTEM and sometimes it shows the user's login name.

My question is why?

Does the user name category indicate that the virus tried to run under that particular user name, or does it mean that was the user that was logged in when the virus was caught? And how would SYSTEM show, since you can't really log in as SYSTEM? At least our users wouldn't know how to obtain SYSTEM privileges anyway....

Comments (12)

pete_4u2002 wrote:

I understand the System account will be displayed when there is no risk detected by a scheduled or on-demand scan.

Need to check.

Rafeeq wrote:

When you create a scan there are two types: an admin-defined scan, which is run under the SYSTEM account, and a user-defined scan, which runs under the user's privileges.

Whichever scan finds the virus, the user is tagged with that particular account....

.Brian wrote:

Who creates the user-defined scan? The only scan that we have is a weekly scheduled scan, which was obviously created in the AV Policy under Admin-defined scans.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

pete_4u2002 wrote:

Can you check if a threat detected by the scheduled scan shows the logged-in user account, and Auto-Protect scan and quick scan show the SYSTEM account?

.Brian wrote:

Scheduled scan shows username while Auto-Protect shows SYSTEM.

Rafeeq wrote:

If you check the logs, then the user stamped will be from the Auto-Protect scan:

whoever is logged in at the time of the scan...

https://www-secure.symantec.com/connect/forums/notification-emails-do-not-provide-correct-user-name

.Brian wrote:

Seems to be the opposite in this case. Scheduled scan shows the user while AP shows SYSTEM.

Rafeeq wrote:

I will try to run this on a VM and get back to you on this.

Scheduled or AP, if a user is logged in it will be the user name;

if no one is logged in then it will be SYSTEM.

.Brian wrote:

That's what I was thinking at first, but I do know that in the case of both detection methods, scheduled scan and Auto-Protect, the user was logged in both times.

pete_4u2002 wrote:

Expected, as the scheduled scan is defined by the admin/user, and when a threat is detected it shows the logged-in user. AV is running with the SYSTEM account; however, the on-demand scans will trigger the logged-in user's profile and display the threat detected while the user was logged in.

Auto-Protect is a service running under the SYSTEM account, so when a threat is detected it is still running as SYSTEM and hence it shows the threat detected as SYSTEM.

.Brian wrote:

And that makes sense, but to me this seems like a shortcoming.

Is it possible to get the username then when SYSTEM shows up? Possibly querying the DB for it?

pete_4u2002 wrote:

Not sure; you can give it a try: make rtvscan.exe start as a local logon, i.e. open services.msc --> select the Symantec Endpoint Protection service and change the log on from SYSTEM to this user.
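One way to answer .Brian's question (who was logged on when an Auto-Protect row says SYSTEM) without touching the service account is to correlate the risk log export with interactive logon sessions, e.g. built from Windows logon/logoff events. This is an added example and not from the thread or from Symantec; the export column names, the risk rows and the session records are all constructed.

```python
"""Correlate SEP risk-log rows whose User Name is SYSTEM with interactive
logon sessions to recover who was logged on when Auto-Protect fired.
Added example: the column names and all records below are constructed."""
import csv
from datetime import datetime
from io import StringIO

# Constructed risk log export (assumed column names, not a real SEP schema).
RISK_LOG_CSV = """Time,Computer,User Name,Risk Name,Source
2011-02-10 09:15:22,WS-01,SYSTEM,Trojan.Gen,Auto-Protect scan
2011-02-10 14:40:03,WS-02,jdoe,Trojan.Gen,Scheduled scan
2011-02-11 03:05:10,WS-01,SYSTEM,Trojan.Gen,Auto-Protect scan
"""

# Constructed interactive logon sessions, e.g. derived from logon/logoff events.
# Each tuple: (computer, user, logon time, logoff time or None if still logged on).
SESSIONS = [
    ("WS-01", "asmith", "2011-02-10 08:02:00", "2011-02-10 17:30:00"),
    ("WS-02", "jdoe",   "2011-02-10 08:45:00", None),
]

FMT = "%Y-%m-%d %H:%M:%S"

def parse_ts(s):
    return datetime.strptime(s, FMT)

def logged_on_user(computer, when, sessions=SESSIONS):
    """Return the interactive user whose session covers `when` on `computer`,
    or None when nobody was logged on (then SYSTEM is all the log can record)."""
    for comp, user, start, end in sessions:
        if comp != computer:
            continue
        if parse_ts(start) <= when and (end is None or when <= parse_ts(end)):
            return user
    return None

def attribute_system_rows(csv_text=RISK_LOG_CSV, sessions=SESSIONS):
    """Return the rows with an added 'Logged-on User' key: for SYSTEM rows the
    correlated interactive user (or 'nobody logged on'), otherwise User Name."""
    out = []
    for row in csv.DictReader(StringIO(csv_text)):
        if row["User Name"].upper() == "SYSTEM":
            user = logged_on_user(row["Computer"], parse_ts(row["Time"]), sessions)
            row["Logged-on User"] = user or "nobody logged on"
        else:
            row["Logged-on User"] = row["User Name"]
        out.append(row)
    return out

if __name__ == "__main__":
    for r in attribute_system_rows():
        print(f"{r['Time']} {r['Computer']:6} {r['Source']:17} "
              f"User Name={r['User Name']:7} Logged-on={r['Logged-on User']}")
```

Scheduled-scan rows already carry the user, so only SYSTEM rows are re-attributed; the third row shows the case Rafeeq described, where nobody was logged on at detection time.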