Only on my Domain Controller (Windows Server 2k8 R2) I am seeing my security logs flooded with Failed Audit Access events during every system scan. The process is ccSVCHst.exe (running as System) and it appears it is failing access on most everything under C:\Windows\*.
I have checked the specific file permissions on a few of the failed items and System only has Read & Execute. The failed audit flag is showing ccSvcHst.exe is being denied WRITE accesses to each file which is why the event is being logged. I wanted to see why ccSvcHst.exe virus scanner is needing WRITE permissions to these files and how to best fix this. I did not want to exclude C:\Windows\* from the daily scans as that would be a large chunk of critical files not getting scanned. I also did not want to grant WRITE access to System for all those files until I found out why it needed WRITE accesses.
I have this same SEP scan running on my Windows 7 clients and it has none of these errors shown even though the NTFS file permissions are identical with only allowing System Read & Execute.