Large number of Event 4663 in Windows Security Log
Article ID: 186867
Products
Endpoint Protection
Issue/Introduction
On a computer with the Symantec Endpoint Protection Manager installed, you are seeing an excessive number of Event 4663 entries written to the Windows Security Event log. The Task Category is "Removable Storage". This is consuming disk space on the server holding the manager.
Environment
Release: 14.x
Cause
The Symantec Endpoint Protection Manager has been installed to a volume labeled as hot-pluggable and Windows has been configured to audit access on removable devices. Normally this is seen in virtual environments with the SEPM installed to a partition other than the C partition.
One example of a GPO setting that could be auditing removable devices is:
Resolution
Reconfigure the partition where the SEPM is installed so that the OS sees it as a fixed disk rather than a hot-pluggable disk. This is done through your virtualization software and will normally need to be done with the VM shut down.
Alternatively, disable auditing of object access on removable devices.
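To confirm the cause on the affected server before changing the disk or the audit policy, the following PowerShell is an added example (not part of the original article or Symantec tooling). It assumes an elevated prompt, an English-language OS (subcategory and task names are localized), and an arbitrary 24-hour window and 5000-event cap.

```powershell
# Added example: check whether Removable Storage auditing is on and which
# volume and processes are generating the Event 4663 entries.
$since = (Get-Date).AddHours(-24)   # look-back window (assumption)

# 1. Show the effective audit setting for the Removable Storage subcategory.
auditpol /get /subcategory:"Removable Storage"

# 2. Collect recent 4663 events whose Task Category is "Removable Storage".
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
              -MaxEvents 5000 -ErrorAction SilentlyContinue |
          Where-Object { $_.TaskDisplayName -eq 'Removable Storage' }

if (-not $events) {
    Write-Output "No Removable Storage 4663 events found since $since."
}
else {
    # 3. Pull the accessed object and the accessing process out of each event.
    $rows = foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        # Reduce the object path to its drive letter or \Device\<volume> prefix.
        $volume = if ($data['ObjectName'] -match '^(?:[A-Za-z]:|\\Device\\[^\\]+)') {
            $Matches[0]
        } else {
            '(other)'
        }
        [pscustomobject]@{
            Volume      = $volume
            ProcessName = $data['ProcessName']
        }
    }

    # 4. Event counts per volume: the SEPM install volume should dominate.
    $rows | Group-Object Volume | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize

    # 5. Event counts per process: expect the SEPM service processes here.
    $rows | Group-Object ProcessName | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize
}
```

If the events concentrate on the volume where the SEPM is installed, the condition described under Cause applies. When the audit setting is delivered by a GPO, change it in the GPO, since a local change is overwritten at the next policy refresh.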