On a server 2016 and 2019 machine, I'm getting flooded with Event ID 4663 logs when the following group policy is enabled: Computer Config -> Windows Settings -> Security Settings -> Advanced Audit Policy Config -> Object Access -> Audit File System.
The logs I want to stop are being created by various EXEs (cmd.exe, conhost.exe, etc.) in the Windows folder being accessed by the AV installed on the computer. I will post an example of the log below.
My question is, why are these logs being generated when I do not have auditing enabled for the c:\windows folder? If I look at properties -> security tab -> advanced -> auditing for c:\windows, it's blank, not configured. If I choose disable inheritance in audit settings for the Windows folder, it does not stop the logs.
If I disable the policy for Audit File System, or if I disable the AV software on the computer, these logs stop. But neither of these is an acceptable solution.
Is it that the Windows folder is automatically audited? What am I missing here? I'm getting flooded with about 50 audit logs a minute for a folder I have not enabled auditing on.
Example:
An attempt was made to access an object.
Subject:
Security ID: SYSTEM
Account Name: MERCURY$
Account Domain: GSI
Logon ID: 0x3E7
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Handle ID: 0x1f8c
Resource Attributes: S:AI
Process Information:
Process ID: 0xa2c
Process Name: C:\Program Files\Bitdefender\Endpoint Security\epsecurityservice.exe
Access Request Information:
Accesses: WriteAttributes
Access Mask: 0x100
Thanks.
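An added triage script for this kind of question (it is not part of the original post and was not written by the poster): it collects the facts needed to explain where a 4663 event comes from. A 4663 is only written when two things are both true: the Object Access / File System subcategory is enabled, and the object carries a SACL. That SACL does not have to be on the folder whose Auditing tab was inspected; it can sit on the individual file, or it can come from the Global Object Access Auditing policy, which applies a system-wide SACL to every file without ever showing up on a folder's Auditing tab. The script prints all three sources and then summarizes recent 4663 events by process and object so the noise can be measured rather than guessed. It assumes an elevated session on the affected server; the file path and the process name come from the sample event in the question.

```powershell
# Added triage script (not from the original post). Run in an elevated
# PowerShell session on the affected server. Read-only: it changes no
# policy and no ACL.
$SampleFile = 'C:\Windows\System32\wbem\WmiPrvSE.exe'   # from the sample 4663
$Folder     = 'C:\Windows'

# 1. Effective advanced audit policy for the subcategory named in the question.
Write-Host '== Advanced audit policy: Object Access / File System =='
auditpol /get /subcategory:"File System"

# 2. Global Object Access Auditing for files. If a SACL is listed here it
#    applies to every file on the machine regardless of per-folder settings.
Write-Host '== Global Object Access Auditing (File) =='
auditpol /resourceSACL /type:File /view

# 3. Per-object SACLs: the folder the question looked at, and the file from
#    the sample event itself. A file can carry its own audit ACEs even when
#    the parent folder shows none. Get-Acl -Audit needs SeSecurityPrivilege.
foreach ($p in $Folder, $SampleFile) {
    Write-Host "== SACL on $p =="
    $acl = Get-Acl -Path $p -Audit
    if ($acl.Audit.Count -eq 0) {
        Write-Host 'No audit ACEs'
    } else {
        $acl.Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
    }
}

# 4. Measure the noise: 4663 events in the last hour, grouped by the process
#    that opened the handle and by the object that was opened.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # EventData is a list of <Data Name="..."> elements; pick fields by Name.
    $d = ([xml]$e.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time        = $e.TimeCreated
        ProcessName = ($d | Where-Object { $_.Name -eq 'ProcessName' }).'#text'
        ObjectName  = ($d | Where-Object { $_.Name -eq 'ObjectName'  }).'#text'
        AccessMask  = ($d | Where-Object { $_.Name -eq 'AccessMask'  }).'#text'
    }
}

Write-Host "== 4663 events since $since : $(@($rows).Count) total =="
Write-Host '-- by process --'
$rows | Group-Object ProcessName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

Write-Host '-- top 10 objects --'
$rows | Group-Object ObjectName | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

Write-Host '-- access masks for the AV process --'
$rows | Where-Object { $_.ProcessName -like '*epsecurityservice.exe' } |
    Group-Object AccessMask | Select-Object Count, Name | Format-Table -AutoSize
```

Reading the output: if step 2 lists a SACL, the events are explained by Global Object Access Auditing and the per-folder Auditing tab is irrelevant to them; if step 3 shows audit ACEs on the file but not the folder, the SACL was set on the file directly; if both are empty, the remaining place to look is the poller's own configuration, since the 4663 reports exactly which process (here the AV service) requested which access (WriteAttributes, mask 0x100). The per-process and per-mask counts give the numbers needed to decide whether a SACL scoped more narrowly, or an exclusion in the AV product, is the right fix.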