I'm having a problem with Endpoint Protection 12.1.2015.2015 creating over 100,000 Audit Failure Security logs, EventID 4656, when doing a full scan. The security log was 205 MB after a scan of only C:\Windows; it didn't include audited folders anywhere else on the computer.
Because of the security requirements I need to follow, I have Failure Auditing enabled for almost everything in C:\Windows, and some other folders. I found the Symantec article below, but that turns off Handle Manipulation auditing, which seems to turn off all file and folder auditing, which isn't acceptable.
http://www.symantec.com/business/support/index?page=content&id=TECH190672
A couple of questions:
When this does a scan, why does it try to open files with WriteData, AppendData, WriteEA and WriteAttributes? Shouldn't a scan only be reading the file unless a virus or malware is found?
Why does it run under the account of the logged-on user rather than Local System (which is what all the Symantec services are set up with)? I even tried a scheduled scan (with a user logged on) and it ran under the user account. If it ran under the account configured in the service I don't think this would be a problem since that account has full control.
Is there a way to fix this?
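Added example (not part of the original post or of any Symantec material): before deciding how to change the audit policy, it helps to confirm from the 4656 events themselves which process is requesting the handles, under which account, and with which access bits. The script below parses event 4656 XML into a table and decodes the file access mask. It works on two constructed sample records so it runs offline; the `Convert-Event4656` and `Expand-FileAccessMask` function names are my own, and the last lines show how to feed it live records from `Get-WinEvent` instead (the Keywords value `0x10000000000000` is the standard "Audit Failure" keyword).

```powershell
# Standard file-object access mask bits (winnt.h FILE_* and generic rights)
$FileAccessBits = [ordered]@{
    ReadData        = 0x1;   WriteData      = 0x2;    AppendData  = 0x4
    ReadEA          = 0x8;   WriteEA        = 0x10;   Execute     = 0x20
    ReadAttributes  = 0x80;  WriteAttributes = 0x100
    Delete          = 0x10000; ReadControl = 0x20000; WriteDAC = 0x40000
    WriteOwner      = 0x80000; Synchronize = 0x100000
}

function Expand-FileAccessMask {
    # Turn an AccessMask string such as '0x116' into the named rights it contains
    param([string]$Mask)
    $value = [Convert]::ToInt64($Mask, 16)
    $names = foreach ($bit in $FileAccessBits.GetEnumerator()) {
        if ($value -band $bit.Value) { $bit.Key }
    }
    return ($names -join '|')
}

function Convert-Event4656 {
    # Flatten the EventData section of one 4656 record (as XML text) into an object
    param([string]$EventXml)
    $doc = [xml]$EventXml
    $map = @{}
    foreach ($d in $doc.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        User       = "$($map['SubjectDomainName'])\$($map['SubjectUserName'])"
        Process    = $map['ProcessName']
        Object     = $map['ObjectName']
        AccessMask = $map['AccessMask']
        Rights     = Expand-FileAccessMask $map['AccessMask']
    }
}

# Constructed sample records (not real log output): a scanner running as the
# logged-on user asking for write bits, and an unrelated read-only request.
$samples = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4656</EventID><Keywords>0x8010000000000000</Keywords></System>
 <EventData>
  <Data Name="SubjectUserName">alice</Data><Data Name="SubjectDomainName">CORP</Data>
  <Data Name="ObjectType">File</Data>
  <Data Name="ObjectName">C:\Windows\System32\example.dll</Data>
  <Data Name="AccessMask">0x116</Data>
  <Data Name="ProcessName">C:\Program Files\ScannerPlaceholder\scan.exe</Data>
 </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4656</EventID><Keywords>0x8010000000000000</Keywords></System>
 <EventData>
  <Data Name="SubjectUserName">SYSTEM</Data><Data Name="SubjectDomainName">NT AUTHORITY</Data>
  <Data Name="ObjectType">File</Data>
  <Data Name="ObjectName">C:\Windows\System32\example.dll</Data>
  <Data Name="AccessMask">0x81</Data>
  <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
 </EventData>
</Event>
'@
)

$rows = $samples | ForEach-Object { Convert-Event4656 $_ }

# Count failures per (account, process, decoded rights) to see who generates the bulk
$rows | Group-Object User, Process, Rights | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# To run against the live Security log instead of the samples (Audit Failure only):
# $rows = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4656; Keywords=0x10000000000000 } -MaxEvents 50000 |
#         ForEach-Object { Convert-Event4656 $_.ToXml() }
```

For the first sample the `Rights` column reads `WriteData|AppendData|WriteEA|WriteAttributes`, which is the combination described in the question; seeing the same mask on a read-only scan path, and the logged-on user rather than the service account as `User`, is what a per-process breakdown of the real log should confirm or rule out before the audit policy is touched.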