Hi Ashish,

expected as scheduled scan is defined by admin/user and when threat detects the it shows user logged in. AV is running with system account however the demand scans will trigger the user logged profile and displays the threat detcted while user logged in.

Auto protect is the services and is of system account so when threat is detected it is still running as SYSTEM account and hence it shows the threat detected as SYSTEM.

The thread somehow did not clarify the following from our logs:

1. Manual scan (demand scan) shows SYSTEM when such scans should be triggered by a logged on user. Other detections on my logs shows the various usernames.

2. Schedule scan detections shows various usernames and SYSTEM.

3. Auto-protect detections also various usernames and SYSTEM.

Is there a condition on which the SYSTEM username reflected on the logs and not the user who is logged in?

11 ru7

Hi Ashish,

Thank you but I do not think this will apply on my case. We do have the detection logs but we could seem to know why SYSTEM username is reflected and what circumstances that it happens.

Hi Pete,

Below sample from the risk logs (less some columns):

Hi Ashish,

I would likey agree with you on this during scheduled scan and no one is logged in to the machine that would show as SYSTEM.

But cases were the detection was from Auto-Protect and Manual scan and the username is SYSTEM,  are there circumstances that no user is logged in but SEP client triggers a detection from a manual or auto-protect scan?

As my logs are showing such cases, I just wanted to confirm if I also have interpreted them correctly.

Thank you.