3

I need to run Symantec Endpoint Protection scans on Windows 7 systems using the SYSTEM account. I know that I can run DoScan.exe to manually run a scan, and this works fine using a regular user account. Unfortunately, when I try to run DoScan as SYSTEM, the application exits immediately (exit code: 2) without running a scan.

Is there a way that I can get this to work, or another application besides DoScan.exe that I should be using?

Note: I'm using SEP 12.1 RU1

Eric
  • From http://www.symantec.com/connect/forums/doscanexe-wont-start-under-system: "Is there a reason you are using Doscan.exe instead of setting up a scheduled scan in the SEPM? Scheduled scans already run using the SYSTEM account." – August Nov 02 '12 at 18:46

3 Answers

4

If you set up a scheduled scan within the SEP user interface, it should run as SYSTEM by default. This may not work in your case, because it sounds like you are trying to launch scans on demand via some kind of an external trigger.

DoScan.exe cannot be made to run as SYSTEM.

Fortunately, there is no particular reason why you need to run it under that account. I would suggest setting up a service account (e.g. svc_sep) with local administrator privileges. If you're on a domain, you can make svc_sep a member of the local Administrators group on each computer automatically, by using a Restricted Groups policy.

Skyhawk
  • Unfortunately my service does other things that it needs to be SYSTEM to do. I suppose I could set up an admin account, and just launch `DoScan` under that account, but that's a bummer. Why can't DoScan run as `SYSTEM`? Bug or feature? And there are no workarounds? – Eric Nov 05 '12 at 15:53
  • What, exactly, does it need to be SYSTEM to do? – Skyhawk Nov 05 '12 at 22:09
  • @Eric "Unfortunately my service does other things that it needs to be SYSTEM to do." Is DoScan.exe being called as part of some custom service you've created? You should probably provide more details of the service. – August Nov 06 '12 at 18:47
  • It's a large service - running DoScan.exe is a small part of what it needs to do, and changing the account won't be an option for a number of reasons. – Eric Nov 06 '12 at 19:02
1

I believe PSExec has the -s switch, which allows you to run the remote process as the System account.

Example:

```
psexec.exe \\computer -s c:\path\to\doscan.exe /cmdlinescan /scanalldrives
```

PB1
  • Yeah, the problem is that when I run it as SYSTEM (including through PSExec, Task Scheduler, and a Windows Service I wrote), DoScan.exe exits instantly (exit code: 2). – Eric Nov 01 '12 at 19:14
  • Ahh, I must have completely misread your question. If it fails to run as SYSTEM, it seems like either a bug or by design of the software and it's probably best to raise the question with Symantec. But as mentioned in another answer, doing either a RunAs or creating a service account for the task seems to be the only option. Also, are there any updates to your current build? This may have already been fixed. I think the latest is SEP 12.1 RU1 MP1. – PB1 Nov 06 '12 at 04:51
0

Does running a scan require network access? Try running DoScan as NETWORK SERVICE instead of SYSTEM.

longneck
  • Same result... interesting suggestion, though. Does the `SYSTEM` account not have network access? I thought that was just `LOCAL SERVICE`? – Eric Nov 01 '12 at 19:17