Numerous access events from antivirus and backup software fill Summary Reports from Netwrix Auditor for File Servers

Symptoms

Summary reports from Netwrix Auditor for File Servers may show numerous access events for service accounts used to run antivirus and backup software.

Cause

This happens because Windows auditing treats file scan operations as reads and logs them in the Security event log, from which Netwrix Auditor pulls its data.

Resolution

Audit events generated by such service accounts can be excluded from data collection by adding the accounts to the omitstoreuserlist_fs.txt file, which is located in the product installation folder (by default C:\Program Files (x86)\NetWrix\File Server Change Reporter\). The syntax is as follows: domain\username

To exclude access events from the "domain\svc_antivirus" account (see the screenshot above), add the following line to omitstoreuserlist_fs.txt:

domain\svc_antivirus