remote admin console displays NT Authority\system as user in threat log

Discussion in 'ESET Server & Remote Administrator' started by janvds, Mar 21, 2011.

Thread Status:
Not open for further replies.
  1. janvds

    janvds Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    6
    Hi Everyone

    This is my first time posting to this forum. Any help would be appreciated with my situation:

    I am running ESET along with the remote administrator console on about 100 clients in a private school. Operating system is Windows XP Professional SP2 or higher and Windows Server 2003.

    In the remote administrator console, under threat log tab, users are being listed as NT AUTHORITY\SYSTEM. Is there any way actual domain usernames can be displayed instead? Right now we are having problems with viruses being spread around on memory sticks and no way to trace whose memory sticks are infected with the viruses.

    Thanks
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Couldn't it be that the threats were found during a scheduled on-demand scan or a startup scan? If they were found by real-time protection, the current user should have been listed instead of the system account.
     
  3. janvds

    janvds Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    6
    Which brings me to another question. When a user plugs a memory stick or flashdrive into the computer, and ESET performs a scan, shouldn't the user be listed instead of the system account?
     
  4. dmaasland

    dmaasland Registered Member

    Joined:
    Nov 10, 2010
    Posts:
    468
    The USB stick isn't scanned when it's plugged in. Files are scanned as they are accessed.
     
  5. janvds

    janvds Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    6
    Then is there any way we can do an automatic scan of memory sticks when they are plugged in? Right now we have the following viruses being spread around:
    Win32/Peerfrag.GW worm
    INF/Autorun virus
    IRC/SdBot trojan

    Once in a while, the actual user is shown in the threat log. The other 97% of the time, the user is shown as NT AUTHORITY\SYSTEM. Is there any setting in ESET to force it to show actual user names for all threats?
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    No. However, the threats should be cleaned upon access or execution.

    The threats must have been detected by something other than the real-time or on-demand scanners, which are actually run in the account of the current user. If possible, post here the complete relevant record from the threat log.
     
  7. janvds

    janvds Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    6
    Column Name      Value
    Threat Id        Threat 3013
    Client Name      Lib51504a
    Computer Name    Lib51504a
    MAC Address
    Primary Server
    Date Received    2011-03-21 11:54:26
    Date Occurred    2011-03-21 11:51:51
    Level            Critical Warning
    Scanner          Real-time file system protection
    Object           file
    Name             D:\Autorun.inf
    Threat           INF/Autorun virus
    Action           unable to clean
    User             NT AUTHORITY\SYSTEM
    Information      Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
    Details          Ready
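
Added example, not part of the original thread and not ESET code: one way to trace a record like the one above to a person is to match its Computer Name and Date Occurred against interactive logon sessions for that machine. The session list, its format and the SCHOOL\ account names are constructed assumptions; real session data would have to come from the domain's own logon records.

```python
from datetime import datetime

# Field names as they appear in the threat log record posted in the thread.
FIELDS = ["Threat Id", "Client Name", "Computer Name", "MAC Address",
          "Primary Server", "Date Received", "Date Occurred", "Level",
          "Scanner", "Object", "Name", "Threat", "Action", "User",
          "Information", "Details"]

# Excerpt of the posted record (empty MAC Address kept to show blank values).
RECORD = r"""
Threat Id Threat 3013
Computer Name Lib51504a
MAC Address
Date Occurred 2011-03-21 11:51:51
Scanner Real-time file system protection
Name D:\Autorun.inf
Threat INF/Autorun virus
User NT AUTHORITY\SYSTEM
"""

# Constructed sample sessions (computer, account, logon, logoff); not real data.
SESSIONS = [
    ("Lib51504a", "SCHOOL\\student04", "2011-03-21 10:10:00", "2011-03-21 11:35:12"),
    ("Lib51504a", "SCHOOL\\student17", "2011-03-21 11:40:02", "2011-03-21 12:05:30"),
    ("Lib51507b", "SCHOOL\\student22", "2011-03-21 11:45:00", "2011-03-21 12:30:00"),
]

def parse_record(text):
    """Split 'Field Value' lines on the longest matching known field name."""
    rec = {}
    for line in (l.strip() for l in text.splitlines()):
        for field in sorted(FIELDS, key=len, reverse=True):
            if line == field or line.startswith(field + " "):
                rec[field] = line[len(field):].strip()
                break
    return rec

def ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")

def attribute(rec, sessions):
    """Return the account(s) that plausibly triggered the detection."""
    if rec.get("User", "").upper() != "NT AUTHORITY\\SYSTEM":
        return [rec["User"]]  # the log already names a real account
    when, host = ts(rec["Date Occurred"]), rec["Computer Name"].lower()
    return [user for comp, user, on, off in sessions
            if comp.lower() == host and ts(on) <= when <= ts(off)]
```

A result with more than one account, or none, means the time window alone cannot settle it and the match should be treated as a lead rather than proof.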
     
  8. janvds

    janvds Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    6
    A friend suggested I make up a batch file to automatically initialize a full ESET scan of memory sticks when they are plugged into the USB drive and implement it via group policy in Server 2003. Does anyone have experience with this?
     