PaloAlto reporting software shows Symantec Endpoint Encryption IIS Account as the active user account making web requests.

Article:TECH192667  |  Created: 2012-07-10  |  Updated: 2013-05-23  |  Article URL http://www.symantec.com/docs/TECH192667
Article Type
Technical Solution


Environment

Issue



The Symantec Endpoint Encryption Domain Client account (SEE Framework client account) used for IIS communication is being shown as the active user account for web requests to sites other than the SEE Server. This account appears in PaloAlto reports instead of the logged-in user account.


Error



A report run by a third-party tool (in this case Palo Alto) shows the account being overridden. There is no error message, and Symantec Endpoint Encryption continues to work successfully. It's just the report that indicates a security breach. Below is an example report.

 

Receive Time     Source address   Destination address  Source User          Destination Port  Category
7/17/2012 9:09   192.168.18.66    209.84.13.118        healthone\seersmcli  80                unknown
7/17/2012 8:57   192.168.61.117   64.4.18.90           healthone\seersmcli  80                computer-and-internet-info
7/17/2012 8:52   192.168.19.149   64.4.18.90           healthone\seersmcli  80                computer-and-internet-info
7/17/2012 8:46   192.168.15.164   199.7.52.190         healthone\seersmcli  80                computer-and-internet-info
7/17/2012 8:35   192.168.18.159   204.245.63.24        healthone\seersmcli  80                unknown


Cause



The issue isn't related to Symantec Endpoint Encryption. The PaloAlto reporting software collects user information from the client endpoints and not from the HTTP(S) requests. The PaloAlto client is not collecting the correct user info at all times. This is being looked at by the PaloAlto software vendor.
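
As an added example (not part of this article and not code from Symantec or Palo Alto), the Python below triages a report like the one under Error: one account attributed to many source addresses within a short window points to a shared service identity replacing the user mapping rather than one person browsing. The healthone\jdoe row, the function names, the three-host threshold and the one-hour window are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rows copied from the article's example report, plus one constructed row
# (healthone\jdoe is a hypothetical interactive user) for contrast.
SAMPLE_REPORT = r"""
7/17/2012 9:09   192.168.18.66 209.84.13.118 healthone\seersmcli 80   unknown
7/17/2012 8:57   192.168.61.117 64.4.18.90 healthone\seersmcli 80   computer-and-internet-info
7/17/2012 8:52   192.168.19.149 64.4.18.90 healthone\seersmcli 80   computer-and-internet-info
7/17/2012 8:46   192.168.15.164 199.7.52.190 healthone\seersmcli 80   computer-and-internet-info
7/17/2012 8:35   192.168.18.159 204.245.63.24 healthone\seersmcli 80   unknown
7/17/2012 8:40   192.168.18.70 64.4.18.90 healthone\jdoe 80   unknown
"""

ROW = re.compile(
    r"^(?P<time>\d+/\d+/\d{4} \d+:\d{2})\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<port>\d+)\s+(?P<category>\S+)$"
)

def parse_report(text):
    """Return one dict per data row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["time"] = datetime.strptime(row["time"], "%m/%d/%Y %H:%M")
            rows.append(row)
    return rows

def shared_identities(rows, min_hosts=3, window=timedelta(hours=1)):
    """Users attributed to >= min_hosts source addresses within `window`."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"].lower()].append((r["time"], r["src"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()  # oldest first, so each event can open a window
        for i, (start, _) in enumerate(events):
            hosts = {src for t, src in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged

if __name__ == "__main__":
    for user, hosts in shared_identities(parse_report(SAMPLE_REPORT)).items():
        print(f"{user}: {len(hosts)} source addresses, review the user mapping")
```

Accounts this flags are candidates for review of how the reporting tool maps users to addresses, before the traffic is treated as a breach.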


Solution



Symantec Endpoint Encryption is functioning as designed.



