The attempt to delete the infected file "X" failed. The user does not have the rights...

Hi all,

We are getting the following message more and more often:

The attempt to delete the infected file "X" failed.  The user does not have the rights to perform the action on the infected file

When I 'click-through' to the Sophos site it states that the Sophos Anti-Virus service should be run using an Administrator account.  When I checked, the service uses NT AUTHORITY\LocalService.  Is this the correct account or do we have an installation problem?

Thanks,

John

  • As for this case, make sure that the currently logged-on user has administrative rights over the workstation to delete the infected file, or if you use Enterprise Console, make sure the user has domain admin rights.

  • John,

    The Sophos service should run as Local System - can you let me know which article states different?

    Which permissions are in effect depends on how you are trying to remove this malware item - for example, the automatic options in the On Access scanner will run as Local System, but a user opening the GUI and triggering a scan will run with their own permissions.

    If you can see this alert in the "Cleanup" tab in Enterprise Console, clean it using that - this should have enough permissions - you can also try setting up a scheduled scan set to Cleanup or Delete, depending on the item.

    As you can see, a bit more information may help us get you more specific answers - feel free to elaborate if the above didn't help!

  • Paul,

    The URL of the page that states that the account should be an administrator account is http://www.sophos.com/support/knowledgebase/article/17514.html

    All of the other Sophos services installed run under the LocalSystem account but for some reason the Sophos Anti-Virus service is using the NT AUTHORITY\LocalService account.  We are using the following command to install Sophos onto our workstations:

    "\\pbravs01\SophosUpdate\CIDs\S000\SAVSCFXP\Setup.exe" -mng yes -user "pbravs01\sophosupdatemgr" -pwd "xxxxxx" -ni

    We are using Sophos v7.6.15 on the workstations (We can't use v9 at the moment due to a conflict with another piece of software)

    The message is coming up on some machines as soon as they are started, so I assume it is the On Access scanner that is generating this message.

    Hope this extra information helps narrow down the problem.  Feel free to ask for more! :)

    John

  • Some additional information.  I just checked our v9 clients and the Anti-Virus service runs under the NT AUTHORITY\LocalService account too.

  • Our Sophos on 1400+ machines has never been run as administrator, it's always run as LocalSystem. I don't think running it as an administrator is the answer?

    With system privs, it should be able to do what it needs to do.

  • Hi,

    The "Sophos Anti-Virus" service should run as "local service" on XP and above.  It runs as "local System" on 2000.

    For actions taken, the service impersonates the user requesting the action.  So if a user runs cleanup it will impersonate that user so in theory should have the ability to access files that user has access to and therefore clean.

    If cleanup is initiated from SEC, either as part of a scheduled task or as cleanup task, then cleanup will be performed under the "local system" context, which should be powerful enough to be able to take action on any component on the system.

    As a rule of thumb, cleanup should be initiated by an administrative user if run locally.  Otherwise a scheduled scan created by SEC or a cleanup from SEC should do the trick.

    Thanks

  • Elmo,

    Thanks for clearing up the service account confusion.

    After some investigation it turns out that the majority of the files that generate this error are virus dll files in c:\windows\system32.  The file attributes are set to system, hidden & read only.  The NTFS permissions are set to Everyone: Read.

    Any ideas on how we can allow Sophos to delete these files?  Manual deletion isn't an option.

  • What about using SubInAcl in a batch file?

    http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en

    This could be run as a system start-up script; this would run with the necessary permissions, I would think.

    I hope this helps.

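
An added example, not part of any post in this thread: a read-only PowerShell diagnostic that collects the facts the replies above turn on, namely the service's logon account, the file's attributes, and which ACL entries on the file and its parent folder grant a delete right. The `$Path` default is a hypothetical placeholder and the service display name is the one quoted in the thread; nothing on disk is changed.

```powershell
param(
    # Hypothetical placeholder; pass the path of the file named in the alert.
    [string]$Path = 'C:\Windows\System32\example.dll'
)

# 1. Which account does the service log on as? (StartName holds the logon account.)
Get-WmiObject Win32_Service -Filter "DisplayName='Sophos Anti-Virus'" |
    Select-Object Name, DisplayName, StartName, State |
    Format-List

# 2. File attributes. -Force is needed to see Hidden/System files at all.
$file = Get-Item -LiteralPath $Path -Force
"Attributes of $($file.FullName): $($file.Attributes)"
if ($file.Attributes -band [IO.FileAttributes]::ReadOnly) {
    'ReadOnly is set: a delete is refused until the attribute is cleared, whatever the ACL grants.'
}

# 3. ACL entries, flagged for the right that matters for deletion.
function Show-DeleteRights {
    param(
        [string]$Target,
        [Security.AccessControl.FileSystemRights]$Right
    )
    $acl = Get-Acl -Path $Target
    "Owner of ${Target}: $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        # Allow and Deny entries are both listed; read the first column.
        $covers = ($ace.FileSystemRights -band $Right) -eq $Right
        '{0,-5} {1,-32} {2}  [{3}: {4}]' -f $ace.AccessControlType,
            $ace.IdentityReference, $ace.FileSystemRights, $Right, $covers
    }
}

# NTFS allows a delete if the caller holds Delete on the file itself ...
Show-DeleteRights -Target $file.FullName -Right Delete

# ... or DeleteSubdirectoriesAndFiles on the folder that contains it.
Show-DeleteRights -Target $file.DirectoryName -Right DeleteSubdirectoriesAndFiles
```

Run it from an elevated prompt on an affected workstation; a file whose only entry is `Everyone: Read` will show `False` for `Delete` on every line, so the result then depends on the parent folder's entries and on who owns the file.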