
SYSTEM Username in Risk logs

Created: 20 Sep 2012 | 17 comments

Our risk log indicates SYSTEM as username for risks detected. We noticed that it was found on manual scan, scheduled scan and auto-protect detections.

What condition does the username SYSTEM appears during these detections?


xdnox wrote:

Hi Ashish,

Expected, as the scheduled scan is defined by the admin/user, and when a threat is detected it shows the user logged in. AV is running with the system account; however, the on-demand scans will trigger the logged-in user's profile and display the threat detected while the user is logged in.

Auto-Protect is a service and runs under the system account, so when a threat is detected it is still running as the SYSTEM account and hence it shows the threat detected as SYSTEM.


The thread somehow did not clarify the following from our logs:

1. Manual scan (on-demand scan) shows SYSTEM when such scans should be triggered by a logged-on user. Other detections in my logs show various usernames.

2. Scheduled scan detections show various usernames and SYSTEM.

3. Auto-Protect detections also show various usernames and SYSTEM.

Is there a condition under which the SYSTEM username is reflected in the logs and not the user who is logged in?


Ashish-Sharma wrote:

Hi,

What SEPM version are you using?

Thanks In Advance

Ashish Sharma


Ashish-Sharma wrote:

"Symantec Endpoint Protection detected risks while you were logged out," but there is nothing in the risk log

Fix ID: 2529730
Symptom: A user configures a scheduled scan, and then logs off. The scan runs while the user is logged off. When the user logs in, the message "Symantec Endpoint Protection detected risks while you were logged out" is displayed. The risk log does not contain any new risks.
Solution: When a user-defined scan runs while a user is logged off, that scan runs with local system privileges. Risks may be detected that the user would not normally have access to view. SEP was modified to only show the alert message to users with administrator privileges.

Thanks In Advance

Ashish Sharma


xdnox wrote:

Hi Ashish,

Thank you, but I do not think this applies to my case. We do have the detection logs, but we cannot seem to work out why the SYSTEM username is reflected and under what circumstances it happens.


.Brian wrote:

From what I've seen:

If no one is logged in, SYSTEM will show in logs.

If someone is logged in, they will show in logs.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

xdnox wrote:

Hi Pete,

Below is a sample from the risk logs (less some columns):

Event       | Source            | Risk Name           | File Path                          | User Name
Virus found | Auto-Protect scan | W32.Downadup!autorun | F:\autorun.inf                    | SYSTEM
Virus found | Auto-Protect scan | W32.Imaut.AS         | G:\Hall Of Fame\Hall Of Fame.exe  | SYSTEM
Virus found | Auto-Protect scan | W32.Downadup!autorun | F:\autorun.inf                    | SYSTEM
Virus found | Auto-Protect scan | Backdoor.Graybird    | H:\Recycled.scr                   | SYSTEM
Virus found | Auto-Protect scan | Trojan.Gen           | E:\Games\GAME\Link.exe            | SYSTEM
Virus found | Manual Scan       | W32.Imaut.AA         | f:\RECYCLER\RECYCLER.exe          | SYSTEM
Virus found | Scheduled scan    | W32.Pilleuz          | f:\winamp_cache_0001\ehthumbs.exe | SYSTEM


Ashish-Sharma wrote:

Hi,

If no one is logged in, the System account shows in the risk log.

Because Symantec services run under the system account.

Thanks In Advance

Ashish Sharma


xdnox wrote:

Hi Ashish,

I would likely agree with you on this: during a scheduled scan when no one is logged in to the machine, it would show as SYSTEM.

But in cases where the detection was from Auto-Protect or a Manual scan and the username is SYSTEM, are there circumstances in which no user is logged in but the SEP client triggers a detection from a manual or Auto-Protect scan?

As my logs are showing such cases, I just wanted to confirm if I also have interpreted them correctly.

Thank you.


Chetan Savade wrote:

Hi,

If a process is initiated by the system itself, then it will be logged as SYSTEM. There are many processes which are initiated by the system itself.

If a process is initiated by any user, then that particular username will be logged.

Screenshot is attached for reference.


Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

xdnox wrote:

Hi Chetan,

Below is a sample of the detections in my risk logs (less other columns). Our environment is strictly only the C: local drive. All of these detections are from external hard drives.

I believe the below are not system processes, and Auto-Protect scans are triggered only once a file is accessed. A manual scan can only be triggered by a logged-on user. Did I miss anything?

Event       | Source            | Risk Name            | File Path                         | User Name
Virus found | Auto-Protect scan | W32.Downadup!autorun | F:\autorun.inf                    | SYSTEM
Virus found | Auto-Protect scan | W32.Imaut.AS         | G:\Hall Of Fame\Hall Of Fame.exe  | SYSTEM
Virus found | Auto-Protect scan | W32.Downadup!autorun | F:\autorun.inf                    | SYSTEM
Virus found | Auto-Protect scan | Backdoor.Graybird    | H:\Recycled.scr                   | SYSTEM
Virus found | Auto-Protect scan | Trojan.Gen           | E:\Games\GAME\Link.exe            | SYSTEM
Virus found | Manual Scan       | W32.Imaut.AA         | f:\RECYCLER\RECYCLER.exe          | SYSTEM


.Brian wrote:

You can initiate a manual scan from SEPM so the user doesn't have to be logged in.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Chetan Savade wrote:

Hi,

I think autorun is enabled.

If autorun is enabled, then it auto-executes itself, and at that time Symantec detects it.

It executes itself using the system account.

Make sure you follow Symantec best practice guide to protect the network.

http://www.symantec.com/docs/TECH105236

Microsoft KB articles to disable Autorun

http://support.microsoft.com/kb/967715

From SEP 12.1 onwards, autorun is disabled by default.

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
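As an added example (not from this thread, Symantec or SEP itself), a small Python triage script that applies the explanations given in the thread to constructed risk-log rows mirroring the columns above: SYSTEM on a Scheduled scan is attributed to the scan running while logged off, SYSTEM on a Manual Scan to a scan started from SEPM, and SYSTEM on an Auto-Protect detection from a non-C: drive that also has an autorun.inf detection to autorun execution. The pipe-delimited input, the LOCAL_DRIVES set and the sample rows are assumptions made for the example.

```python
"""Triage SYSTEM-attributed SEP risk-log rows using the explanations in this thread."""

# Constructed sample, pipe-delimited, mirroring the thread's columns
# (Event | Source | Risk Name | File Path | User Name). Last row is made up.
SAMPLE_LOG = """\
Virus found|Auto-Protect scan|W32.Downadup!autorun|F:\\autorun.inf|SYSTEM
Virus found|Auto-Protect scan|W32.Imaut.AS|G:\\Hall Of Fame\\Hall Of Fame.exe|SYSTEM
Virus found|Auto-Protect scan|Backdoor.Graybird|H:\\Recycled.scr|SYSTEM
Virus found|Manual Scan|W32.Imaut.AA|f:\\RECYCLER\\RECYCLER.exe|SYSTEM
Virus found|Scheduled scan|W32.Pilleuz|f:\\winamp_cache_0001\\ehthumbs.exe|SYSTEM
Virus found|Auto-Protect scan|Trojan.Gen|C:\\Users\\jdoe\\Downloads\\setup.exe|jdoe
"""

LOCAL_DRIVES = {"C"}  # assumption from the thread: only C: is a local drive

def parse_rows(text):
    """Split pipe-delimited rows into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event, source, risk, path, user = line.split("|")
        rows.append({"event": event, "source": source, "risk": risk,
                     "path": path, "user": user})
    return rows

def drive_of(path):
    """Upper-case drive letter of a Windows path, or '' if none."""
    return path[0].upper() if len(path) > 1 and path[1] == ":" else ""

def triage(rows):
    """Return (row, reason) pairs for every row whose user is SYSTEM."""
    # Drives on which an autorun.inf was itself detected
    autorun_drives = {drive_of(r["path"]) for r in rows
                      if r["path"].lower().endswith("autorun.inf")}
    out = []
    for r in rows:
        if r["user"].upper() != "SYSTEM":
            continue  # attributed to a logged-on user; nothing to explain
        src, drive = r["source"].lower(), drive_of(r["path"])
        if src.startswith("scheduled"):
            reason = "scheduled scan ran with no user logged on (local system)"
        elif src.startswith("manual"):
            reason = "manual scan started from SEPM or with no user logged on"
        elif drive and drive not in LOCAL_DRIVES and drive in autorun_drives:
            reason = f"Auto-Protect on external drive {drive}: autorun.inf present, likely autorun execution as SYSTEM"
        elif drive and drive not in LOCAL_DRIVES:
            reason = f"Auto-Protect on external drive {drive}: file accessed by a system process"
        else:
            reason = "Auto-Protect: file accessed by a system process"
        out.append((r, reason))
    return out
```

Rows on a local drive with a real username pass through untouched, so the output is only the subset an admin needs to explain.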

Ashish-Sharma wrote:

Hi,

Some services depend on the system account. If anyone runs these services, it shows the system name.


Thanks In Advance

Ashish Sharma