Without knowing more it kind of looks like the AV is scanning where it
should not be scanning. There is a KB on the MS site that tells you which
areas to exempt from AV scanning.
Jon
On Fri, Jun 20, 2008 at 5:36 AM, Naresh Kumar <[EMAIL PROTECTED]>
wrote:
> Hi All,
>
> One of the servers is generating tons of security events as below. Can
> anyone help me with what is causing these events to be generated?
>
> Event id 560
>
> Object Open:
> Object Server: Security
> Object Type: File
> Object Name: C:\Program Files
> Handle ID: 1980
> Operation ID: {2,3148456401}
> Process ID: 952
> Image File Name: C:\Program Files\CA\eTrust Antivirus\InoRT.exe
> Primary User Name: BBTSRVFDH76$
> Primary Domain: CONE
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: ITE_GHOCQUEMILLER
> Client Domain: CONE
> Client Logon ID: (0x0,0x9CFCBECB)
> Accesses: READ_CONTROL
> SYNCHRONIZE
> ReadData (or ListDirectory)
> ReadEA
> ReadAttributes
> WriteAttributes
>
> Privileges: -
> Restricted Sid Count: 0
> Access Mask: 0x120189
>
>
> Event Id 567
> Object Access Attempt:
> Object Server: Security
> Handle ID: 1980
> Object Type: File
> Process ID: 952
> Image File Name: C:\Program Files\CA\eTrust Antivirus\InoRT.exe
> Accesses: WriteAttributes
>
> Access Mask: 0x100
>
> Event id 562
> Handle Closed:
> Object Server: Security
> Handle ID: 1980
> Process ID: 952
> Image File Name: C:\Program Files\CA\eTrust Antivirus\InoRT.exe
>
> Thank you
>
> Naresh
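For triaging an audit flood like the one quoted above, here is an added example (not part of the original thread) that decodes the Access Mask field of a file-object audit event and counts events per image file name. The function names and the abridged sample text are constructed for illustration; the bit values are the standard Windows file access rights.

```python
import re
from collections import Counter

# Standard and file-specific access rights (winnt.h bit values).
FILE_RIGHTS = {
    0x000001: "ReadData (or ListDirectory)",
    0x000002: "WriteData (or AddFile)",
    0x000004: "AppendData (or AddSubdirectory)",
    0x000008: "ReadEA",
    0x000010: "WriteEA",
    0x000020: "Execute/Traverse",
    0x000040: "DeleteChild",
    0x000080: "ReadAttributes",
    0x000100: "WriteAttributes",
    0x010000: "DELETE",
    0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}

# Constructed sample: the three events from the post, abridged to the fields used here.
SAMPLE = r"""Event id 560
Image File Name: C:\Program Files\CA\eTrust Antivirus\InoRT.exe
Access Mask: 0x120189
Event Id 567
Image File Name: C:\Program Files\CA\eTrust Antivirus\InoRT.exe
Access Mask: 0x100
Event id 562
Image File Name: C:\Program Files\CA\eTrust Antivirus\InoRT.exe
"""

def decode_access_mask(mask):
    """Return the names of the rights set in a file-object access mask."""
    names = [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(FILE_RIGHTS)  # bits not covered by the table
    if unknown:
        names.append(f"unknown bits 0x{unknown:X}")
    return names

def noisy_images(log_text):
    """Count audit events per (event id, image file name)."""
    counts = Counter()
    for block in re.split(r"(?im)^(?=Event id \d+)", log_text):
        eid = re.search(r"(?i)Event id (\d+)", block)
        img = re.search(r"Image File Name:\s*(.+)", block)
        if eid and img:
            counts[(int(eid.group(1)), img.group(1).strip())] += 1
    return counts
```

Decoding 0x120189 reproduces the six rights listed under Accesses in event 560, and the per-image count shows which process to consider for an audit or scan exclusion.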