Numerous access events from antivirus and backup software fill Summary Reports from Netwrix Auditor for File Servers

File Server
6.5 and older
Copy Article URL Copied

Summary reports from Netwrix Auditor for File Servers may show numerous access events for service accounts used to run antivirus and backup software.


User-added image

This happens because file scan operations are considered by Windows auditing as reads and are logged in the Security event log where Netwrix Auditor pulls the data from.

Auditing events generated for such service accounts can be excluded from the data collection by adding them to the omitstoreuserlist_fs.txt file, that can be found in the product installation folder (by default C:Program Files (x86)NetWrixFile Server Change Reporter). The syntax is following: domainusername

In order to exclude access events from the “domainsvc_antivirus” account (see the screenshot above), add the following line into the omitstoreuserlist_fs.txt:


Go Up