Event type: failure audit
Event source: security
Event category: object access
event id: 560
Object open:
Object server: security
Object type: file
Object name: c:\documents and settings \all users\application\data\symantec\common client\@lyrdcie.tmp
We believe we have narrowed the problem. The issue seems to be that Real Time Virus Scan (rtvscan.exe) is writing temporary log files to this location and then deleting them, it appears to be writing as the logged on user (so only creates 560s as general users), and then deleting them as SYSTEM. As a work around we added users permissions to create files in the folder which stopped the auditing issue.
Why is rtvscan.exe not running as system?
Sorry for grammer / mistakes, very busy.
Thanks