Large number of Event 4663 in Windows Security Log

Article ID: 186867

Products

Endpoint Protection

Issue/Introduction

On a computer with the Symantec Endpoint Protection Manager (SEPM) installed, an excessive number of Event 4663 entries is written to the Windows Security event log. The Task Category is "Removable Storage". This consumes disk space on the server holding the manager.


Cause

The Symantec Endpoint Protection Manager has been installed to a volume labeled as hot-pluggable, and Windows has been configured to audit access on removable devices. This is normally seen in virtual environments where the SEPM is installed to a partition other than the C partition.

One example of a GPO setting that could be auditing removable devices is:

Computer Configuration\Security Settings\Advanced Audit Policy Configuration\Object Access\Audit Removable Storage

Environment

Release: 14.x

Resolution

Reconfigure the partition where the SEPM is installed so that the OS sees it as a fixed disk rather than a hot-pluggable disk. This is done through your virtualization software and will normally need to be done with the VM shut down.

Alternatively, disable auditing of object access on removable devices.
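
To confirm the cause described above before changing anything, the following PowerShell summarizes which volume and process generate the "Removable Storage" 4663 events and shows the effective audit setting. It is an added example, not part of the original article or a Broadcom tool; the variables $Hours, $MaxEvents and $Top are illustrative, and the category filter assumes an English-language OS.

```powershell
# Added diagnostic example; run in an elevated PowerShell session on the SEPM server.
# $Hours, $MaxEvents and $Top are illustrative values, not taken from the article.
$Hours     = 24      # look-back window
$MaxEvents = 5000    # cap the sample so a flooded log does not stall the query
$Top       = 10      # rows to show in the summary

# 1. Sample Event 4663 from the Security log and keep the "Removable Storage" category.
#    The category name is localized; this assumes an English-language OS.
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
$events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskDisplayName -eq 'Removable Storage' })

'{0} "Removable Storage" 4663 events among the newest {1} sampled (last {2} h)' -f $events.Count, $MaxEvents, $Hours

# 2. Read the accessed object and the accessing process from each event's XML payload.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # Reduce the object path to its volume prefix (\Device\HarddiskVolumeN or a drive letter).
    $volume = if ($data['ObjectName'] -match '^(\\Device\\[^\\]+|[A-Za-z]:)') { $Matches[1] } else { 'other' }
    [pscustomobject]@{ Volume = $volume; Process = $data['ProcessName'] }
}

# 3. Show which volume and process account for most of the events.
$rows | Group-Object Volume, Process | Sort-Object Count -Descending |
    Select-Object -Property Count, Name -First $Top | Format-Table -AutoSize

# 4. Show the effective audit setting for the subcategory named in the GPO path.
auditpol.exe /get /subcategory:"Removable Storage"
```

If the top rows point at the volume holding the SEPM installation and auditpol reports Success or Failure auditing for Removable Storage, the server matches the cause described in this article.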