Endpoint Protection

  • 1.  Corporate Edition Auditing Issue

    Posted Mar 18, 2012 04:44 PM

    Recent changes in auditing on my company's PCs are causing thousands of 560 errors each second, and they seem to be happening at startup. We are running Corporate Edition 10.1.9. It seems that Rtvscan.exe is hitting on every file in the C:\Documents and settings\all users\application data\symantec\common client folder.

    I tried excluding this folder using the exclusions in Corporate Edition, but the problem kept occurring.

    It is not happening on all PCs in the server group for some reason.

    It only happens to general users, not administrators.

    The recent change was to turn auditing on for the Symantec folder, which is a requirement.

    Also, the systems that this is occurring on are Win XP 32-bit Service Pack 3 and (1) Win 2000.

    Thanks



  • 2.  RE: Corporate Edition Auditing Issue

    Broadcom Employee
    Posted Mar 18, 2012 09:55 PM

    What's the error message?

    Can you post the error details?



  • 3.  RE: Corporate Edition Auditing Issue

    Posted Mar 19, 2012 10:48 AM

    That is quite a big number. Kindly give us more details on the error as mentioned above.



  • 4.  RE: Corporate Edition Auditing Issue

    Posted Mar 22, 2012 07:31 AM

    Event type: failure audit

    Event source: security

    Event category: object access

    event id: 560

    Object open:

                 Object server: security

                 Object type: file

                 Object name: c:\documents and settings \all users\application\data\symantec\common client\@lyrdcie.tmp

    We believe we have narrowed the problem. The issue seems to be that Real Time Virus Scan (rtvscan.exe) is writing temporary log files to this location and then deleting them; it appears to be writing as the logged-on user (so it only creates 560s as general users), and then deleting them as SYSTEM. As a workaround we added users permissions to create files in the folder, which stopped the auditing issue.

    Why is rtvscan.exe not running as system?

    Sorry for grammar / mistakes, very busy.

    Thanks
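
One way to triage an audit flood like the one in this thread, added here as an example and not part of any post above: the script parses Event ID 560 descriptions and counts failure audits by folder, image and effective user. The sample events, user names, host name and the Rtvscan.exe install path are constructed; the Image File Name, Primary User Name and Client User Name fields belong to the standard 560 description but are not shown in the thread.

```python
import ntpath
from collections import Counter

# Constructed sample data: folder from the thread, everything else made up.
FOLDER = r"C:\Documents and Settings\All Users\Application Data\Symantec\Common Client"
TEMPLATE = """Event Type: {kind}
Event ID: 560
Object Name: {folder}\\{name}
Image File Name: C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe
Primary User Name: WKS01$
Client User Name: {client}
"""
ROWS = [("Failure Audit", "@lyrdcie.tmp", "jdoe"),
        ("Failure Audit", "@lyrdcif.tmp", "jdoe"),
        ("Failure Audit", "@lyrdcig.tmp", "asmith"),
        ("Success Audit", "@lyrdcie.tmp", "-")]
SAMPLE = "\n".join(TEMPLATE.format(kind=k, folder=FOLDER, name=n, client=c)
                   for k, n, c in ROWS)

def parse_events(text):
    """Split exported event text into one dict of 'field: value' pairs per 560 event."""
    events, cur = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, so C:\ stays in the value
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "event type":                # each event starts with this field
            cur = {}
            events.append(cur)
        if cur is not None:
            cur[key] = value
    return [e for e in events if e.get("event id") == "560"]

def summarize(events):
    """Count failure audits per (folder, image name, effective user)."""
    counts = Counter()
    for e in events:
        if e.get("event type", "").lower() != "failure audit":
            continue
        # Client User Name is filled in when the process impersonates; otherwise it is "-".
        client = e.get("client user name", "-")
        user = client if client not in ("", "-") else e.get("primary user name", "")
        folder = ntpath.dirname(e.get("object name", "")).lower()
        image = ntpath.basename(e.get("image file name", "")).lower()
        counts[(folder, image, user.lower())] += 1
    return counts

if __name__ == "__main__":
    for (folder, image, user), n in summarize(parse_events(SAMPLE)).most_common():
        print(f"{n:5d}  {image}  {user}  {folder}")
```

A single folder and image dominating the counts, with only non-administrative users in the user column, points at a permissions mismatch on that folder rather than at file activity across the whole disk.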