PaloAlto reporting software shows Symantec Endpoint Encryption IIS Account as the active user account making web requests.

Article:TECH192667  |  Created: 2012-07-10  |  Updated: 2013-05-23  |  Article URL
Article Type
Technical Solution



The Symantec Endpoint Encryption Domain Client account (SEE Framework client account) used for IIS communication is being shown as the active user account for web requests to sites other then the SEE Server.   This account is showing in PaloAlto reports instead of the logged in user account.


Report run by a third party Tool (in this Case Palo Alto) shows the Account being overridden. No error Message . Symantec Endpoint Encryption Continues to work successfully. It's just the report that indicates a security breach.  Below is an example report.


Receive Time Source address Destination address Source User Destination Port Category
7/17/2012 9:09 healthone\seersmcli 80   unknown
7/17/2012 8:57 healthone\seersmcli 80   computer-and-internet-info
7/17/2012 8:52 healthone\seersmcli 80   computer-and-internet-info
7/17/2012 8:46 healthone\seersmcli 80   computer-and-internet-info
7/17/2012 8:35 healthone\seersmcli 80   unknown


The issue isn't related to Symantec Endpoint Encryption. The PaloAlto reporting software collects user information from the client endpoints and not from the HTTP(S) requests. The PaloAlto client is not collecting the correct user info all the times. This is being looked at by PaloAlto software vender.


Symantec Endpoint Encryption is functioning as designed.

Article URL

Terms of use for this information are found in Legal Notices