|Symptoms||Summary reports from Netwrix Auditor for File Servers may show numerous access events for service accounts used to run antivirus and backup software.|
|Cause||Windows auditing treats file scan operations as reads and logs them in the Security event log, which is where Netwrix Auditor pulls its data from.|
|Resolution||Audit events generated by such service accounts can be excluded from data collection by adding the accounts to the omitstoreuserlist_fs.txt file, which is located in the product installation folder (by default C:\Program Files (x86)\NetWrix\File Server Change Reporter\). The syntax is as follows: domain\username
To exclude access events from the "domain\svc_antivirus" account (see the screenshot above), add the following line to omitstoreuserlist_fs.txt: